Storm-1175 Launches Medusa Ransomware Just 24 Hours After Vulnerability Revealed

A notorious hacking group known as Storm-1175 is wreaking havoc on a global scale by deploying the destructive Medusa ransomware. Microsoft Threat Intelligence has identified this group as particularly adept at exploiting the narrow window between the discovery of a security vulnerability and the implementation of a patch.

Research from Microsoft indicates that Storm-1175 primarily targets vulnerable perimeter assets—those systems and devices that connect a company’s private network to the public internet and are yet to receive necessary security updates.

A Rapid Response

Storm-1175 is identified as specializing in N-day vulnerabilities, which are flaws that have already been publicly disclosed. While many cybercriminals linger within systems for extended periods, this group often completes its malicious activities within a matter of days. Alarmingly, they have been known to both exfiltrate sensitive data and effectively lock down entire networks within 24 hours. “Storm-1175 rotates exploits swiftly during the interval between vulnerability disclosure and patch release,” Microsoft researchers have noted.

An illustrative case occurred during a recent attack on an SAP NetWeaver system, associated with CVE-2025-31324. The vulnerability was publicly announced on April 24, 2025, and by the following day, Storm-1175 was utilizing it to initiate Medusa ransomware attacks. This expeditious approach has led to significant disruptions for various institutions, including schools, law firms, and healthcare facilities across the United States, the United Kingdom, and Australia.

Timeline of exploitations and disclosures (Image Credit: Microsoft)

Tools of the Trade

Further analysis reveals that Storm-1175 has targeted over 16 distinct vulnerabilities since 2023, including flaws in PaperCut (CVE-2023-27351) and JetBrains TeamCity (CVE-2024-27198). The group also displays surprising proficiency with zero-day exploits, as evidenced by their breach of SmarterMail (CVE-2026-23760) a week before the vulnerability was publicly identified in early 2026.

Upon gaining access, the group employs legitimate remote access tools such as AnyDesk and ConnectWise ScreenConnect to move through target networks without drawing attention. Researchers have noted that they use PDQ Deploy for mass ransomware deployment across affected systems, while Rclone and Bandizip handle the archiving and exfiltration of files.

Attack chain utilized by Storm-1175 (Image Credit: Microsoft)

Disabling Defenses

Storm-1175 excels at sabotaging security controls. After initial penetration, the group often changes the antivirus configuration so that the entire C:\ drive is added to the exclusion list, meaning nothing on that volume is scanned. This single change blinds the endpoint protection and allows the ransomware to run undetected.

Experts emphasize that businesses must expedite the installation of security updates. Implementing features like Tamper Protection can also serve to prevent hackers from disabling antivirus measures.
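As an added example (not from the article or from Microsoft), the following PowerShell audit checks the two controls discussed above on a Windows host: it flags whole-drive or top-level exclusions in Microsoft Defender, reports whether Tamper Protection is on, and lists recent Defender configuration-change events (ID 5007) that touched exclusions. It assumes an elevated session on a machine running Microsoft Defender Antivirus; the `Test-BroadDefenderExclusion` function and its patterns are the author's own.

```powershell
# Added example: audit Microsoft Defender exclusions and Tamper Protection.
# Assumes an elevated PowerShell session on a Windows host with Defender installed.

function Test-BroadDefenderExclusion {
    param(
        # Exclusion strings as returned by (Get-MpPreference).ExclusionPath
        [string[]]$ExclusionPath
    )
    $findings = @()
    foreach ($p in $ExclusionPath) {
        if ([string]::IsNullOrWhiteSpace($p)) { continue }
        $trimmed = $p.Trim()
        # A whole-drive exclusion such as "C:\" or "C:" blinds the engine to everything on that volume.
        if ($trimmed -match '^[A-Za-z]:\\?$') {
            $findings += [pscustomobject]@{ Path = $trimmed; Reason = 'Entire drive excluded' }
        }
        # Top-level system directories are nearly as broad.
        elseif ($trimmed -match '^[A-Za-z]:\\(Windows|Users|ProgramData)\\?$') {
            $findings += [pscustomobject]@{ Path = $trimmed; Reason = 'Top-level system directory excluded' }
        }
    }
    return $findings
}

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# 1. Overly broad exclusions (the technique described in the article)
$broad = Test-BroadDefenderExclusion -ExclusionPath $pref.ExclusionPath
if ($broad) {
    Write-Warning 'Overly broad Defender exclusions found:'
    $broad | Format-Table -AutoSize
} else {
    Write-Output 'No whole-drive or top-level system exclusions configured.'
}

# 2. Tamper Protection, which blocks local changes to Defender settings such as exclusions
if (-not $status.IsTamperProtected) {
    Write-Warning 'Tamper Protection is OFF: an admin-level intruder can add exclusions or disable real-time protection.'
} else {
    Write-Output 'Tamper Protection is enabled.'
}

# 3. Recent Defender configuration changes (event ID 5007) that mention exclusions,
#    useful for spotting an exclusion that was added after the fact.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message
```

Run it periodically or from a scheduled task; a non-empty finding from step 1 or a 5007 event adding an exclusion to a drive root is a strong signal that the host has been tampered with.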

Expert Analysis

The sophistication of the tactics employed by Storm-1175 distinguishes them from traditional cybercriminal activities. Adrian Culley, a Senior Sales Engineer at SafeBreach, commented on the notable escalation in the speed and coordination of Storm-1175’s operations. He highlighted the group’s propensity to exploit both newly disclosed and zero-day vulnerabilities, enabling them to transition from initial access to data exfiltration within hours rather than days.

Culley stressed the importance of distinguishing between Storm-1175 and similarly named groups like MedusaLocker, which primarily employ opportunistic access methods such as RDP brute-forcing. In contrast, he noted that Storm-1175 applies a methodical approach, linking exploits and leveraging remote management tools to facilitate rapid lateral movement across networks.

This ongoing trend underscores a significant disparity between the pace of attackers and the way organizations assess their defenses. Static scans and point-in-time assessments are no longer sufficient. Security teams must implement continuous, real-time validation of their defenses to identify and remediate vulnerabilities before they can be exploited.
