Storm-1175 Deploys Medusa Ransomware at ‘High Velocity’
Summary
Microsoft Threat Intelligence reports that financially motivated actors tracked as Storm-1175 are running “high velocity” campaigns that quickly weaponise N-day and zero-day vulnerabilities to deploy Medusa ransomware. The group moves from initial exploitation to data exfiltration and ransomware deployment within days — sometimes within 24 hours — hitting healthcare, education, professional services and finance organisations across Australia, the UK and the US. Techniques include tampering with Microsoft Defender settings, using RMM tools for lateral movement, Impacket for credential theft and Rclone for exfiltration. Microsoft urges immediate patching and a series of hardening steps to reduce risk.
Key Points
- Storm-1175 prioritises speed: exploitation → exfiltration → Medusa deployment often within 24–72 hours.
- The group has exploited a mix of N-days and zero-days, including CVE-2026-1731 (BeyondTrust), CVE-2025-10035 (GoAnywhere) and CVE-2026-23760 (SmarterMail).
- Typical attack chain: vulnerability exploitation, credential dumping (Impacket), lateral movement via RMM, data exfiltration with Rclone, then Medusa ransomware.
- Attackers have altered Microsoft Defender settings in the Windows registry to suppress scans — this requires high-level privileges and makes credential theft a critical early indicator.
- Recommended mitigations: patch immediately, enable Defender tamper protection and the DisableLocalAdminMerge preference (so local admins cannot add exclusions that merge into managed policy), deploy Credential Guard, isolate web-facing systems behind WAFs/DMZs and prioritise alerts for credential-theft activity.
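The settings named in the mitigations above can be audited from the host itself. The following read-only PowerShell script is an added example for this summary, not code from the Dark Reading article or from Microsoft's report; it assumes an elevated session on a Windows host running Microsoft Defender, and the registry paths it inspects are the standard Defender policy locations. It reports, rather than changes, anything that is out of line with the recommended posture.

```powershell
# Added example (not from the article or Microsoft's report): read-only audit of the
# Defender and credential-protection settings the summary recommends checking.
# Run in an elevated PowerShell session on a Windows host with Microsoft Defender.
# Anything flagged below is a finding to investigate, since the report notes attackers
# altered Defender settings after gaining high privileges.

$findings = @()

# 1. Tamper protection and real-time protection as reported by the Defender platform
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected) {
    $findings += 'Tamper protection is OFF (Get-MpComputerStatus.IsTamperProtected)'
}
if (-not $status.RealTimeProtectionEnabled) {
    $findings += 'Real-time protection is OFF (Get-MpComputerStatus.RealTimeProtectionEnabled)'
}

# 2. Preferences that are commonly flipped. DisableLocalAdminMerge should be $true so that
#    locally added exclusions do not merge with the centrally managed policy.
$pref = Get-MpPreference
if (-not $pref.DisableLocalAdminMerge) {
    $findings += 'DisableLocalAdminMerge is not set; remediate with: Set-MpPreference -DisableLocalAdminMerge $true'
}
if ($pref.DisableRealtimeMonitoring) {
    $findings += 'DisableRealtimeMonitoring is set in Defender preferences'
}
if ($pref.ExclusionPath) {
    $findings += "Exclusion paths present, review each: $($pref.ExclusionPath -join ', ')"
}

# 3. Policy registry values that override the UI; a value of 1 disables the feature
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
)
foreach ($check in $policyChecks) {
    $item = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($check.Name) -eq 1) {
        $findings += "Policy value $($check.Path)\$($check.Name) = 1 (protection disabled by policy)"
    }
}

# 4. Credential Guard: Win32_DeviceGuard.SecurityServicesRunning contains 1 when it is running
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if (-not $dg -or ($dg.SecurityServicesRunning -notcontains 1)) {
    $findings += 'Credential Guard is not running (SecurityServicesRunning lacks value 1)'
}

# 5. Report
if ($findings.Count -eq 0) {
    Write-Output 'No findings: tamper protection, real-time protection, DisableLocalAdminMerge and Credential Guard are all in place.'
} else {
    Write-Output "Findings on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Because the script only reads state, it is safe to run across a fleet from a management tool; a host that reports tamper protection off or new exclusion paths without a matching change record is exactly the early signal the report describes, and belongs in the same alert queue as credential-theft detections.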
Context and Relevance
This reporting highlights a broader trend: threat actors are exploiting the window between vulnerability disclosure and patch adoption at an accelerated pace. Organisations that cannot apply critical patches rapidly, or cannot detect credential theft, risk a fast ransomware compromise. The activity suggests Storm-1175 has either improved its exploit-development capability or gained access to exploit brokers, making timely vulnerability management and privileged-account monitoring more important than ever.
Author style
Punchy: this is urgent, not just interesting. If you run patching, incident response or endpoint defences, treat the guidance as operational priority and check Defender settings and credential-theft alerts now — the detail matters for containment and recovery.
Why should I read this?
Quick take: these attackers move at breakneck speed. Patch fast, lock down credentials and check your Defender settings. We skimmed the full report and pulled the actionable bits so you can act without wading through the whole blog.
Source
Source: https://www.darkreading.com/threat-intelligence/storm-1175-medusa-ransomware-high-velocity
