# Full Report
The financially motivated cybercriminal actor tracked by Microsoft Threat Intelligence as Storm-1175 operates high-velocity ransomware campaigns that weaponize N-days, targeting vulnerable, web-facing systems during the window between vulnerability disclosure and widespread patch adoption. Following successful exploitation, Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours. The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and the United States.

The pace of Storm-1175’s campaigns is enabled by the threat actor’s consistent use of recently disclosed vulnerabilities to obtain initial access. While the threat actor typically uses N-day vulnerabilities, we have also observed Storm-1175 leveraging zero-day exploits, in some cases a full week before public vulnerability disclosure. The threat actor has also been observed chaining together multiple exploits to enable post-compromise activity. After initial access, Storm-1175 establishes persistence by creating new user accounts, deploys various tools, including remote monitoring and management software, for lateral movement, conducts credential theft, and tampers with security solutions before deploying ransomware throughout the compromised environment.
# Analysis Summary
# Threat Actor: Storm-1175
## Attribution & Identity
- **Name/Alias:** Storm-1175 (Microsoft tracking designation).
- **Associated Groups:** Operates as an affiliate or operator of **Medusa Ransomware** (Ransomware-as-a-Service).
- **Identity:** A financially motivated cybercriminal actor.
## Activity Summary
Storm-1175 is characterized by "high-velocity" ransomware campaigns. The actor specializes in identifying and exploiting web-facing assets within the critical window between vulnerability disclosure and patch adoption, and is noted for an extremely high operational tempo, moving from initial access to ransomware deployment in as little as 24 hours. Its activity has been consistently observed from 2023 through early 2026.
## Tactics, Techniques & Procedures
- **Initial Access:** Rapid weaponization of N-day and Zero-day vulnerabilities (sometimes a week before public disclosure). Known to chain multiple exploits.
- **Persistence:** Creation of new local/domain user accounts.
- **Lateral Movement:** Deployment of Remote Monitoring and Management (RMM) tools.
- **Credential Theft:** Standard post-compromise credential harvesting.
- **Defense Evasion:** Tampering with security solutions and anti-virus software.
- **Exfiltration:** Data theft prior to encryption (Double Extortion).
- **Impact:** Deployment of Medusa ransomware.
**MITRE ATT&CK Mapping (Inferred from text):**
- T1190: Exploit Public-Facing Application
- T1136: Create Account
- T1219: Remote Access Software
- T1562.001: Impair Defenses: Disable or Modify Tools
- T1048: Exfiltration Over Alternative Protocol
## Targeting
- **Sectors:** Healthcare, Education, Professional Services, and Finance.
- **Geography:** Australia, United Kingdom, and the United States.
- **Victims:** High-impact intrusions into organizations within the aforementioned sectors.
## Tools & Infrastructure
- **Malware:**
  - **Medusa Ransomware** (e.g., *Gaze.exe*)
  - **Rclone** (used for data exfiltration; e.g., *lsp.exe*)
- **RMM Tools:**
  - **SimpleHelp** (e.g., *main.exe*, *moon.exe*)
- **Exploited Vulnerabilities:**
  - CVE-2023-21529 (Microsoft Exchange)
  - CVE-2023-27351 & CVE-2023-27350 (PaperCut)
  - CVE-2023-46805 (Ivanti)
  - OWASSRF (Exchange)
  - WT-2026-0001 (SmarterTools SmarterMail)
- **Infrastructure (Defanged):**
  - 185.135.86[.]149 (SimpleHelp C2)
  - 134.195.91[.]224 (SimpleHelp C2)
  - 85.155.186[.]121 (SimpleHelp C2)
## Implications
Storm-1175 represents a tier of ransomware affiliates with high technical proficiency and speed. Their ability to leverage zero-day exploits and chain vulnerabilities suggests a sophisticated intelligence-gathering or exploit-development capability. Their focus on the "patching gap" puts immense pressure on IT security teams to maintain immediate patch management cycles, as any delay of even 24 hours can result in full environment compromise.
## Mitigations
- **Patch Management:** Prioritize immediate patching of all web-facing assets (Exchange, RMMs, Mail servers) within hours of disclosure.
- **Attack Surface Reduction:** Audit perimeter assets and decommission unnecessary web-exposed services.
- **RMM Monitoring:** Monitor for unauthorized installations of RMM tools like SimpleHelp or AnyDesk.
- **Credential Protection:** Implement MFA and monitor for the creation of unauthorized administrative accounts.
- **Endpoint Security:** Enable tamper protection in EDR/AV solutions to prevent the actor from disabling security controls.
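As an added illustration of the hunt that the Mitigations section calls for (unauthorized RMM installs, new accounts, security tampering), using the indicators listed under Tools & Infrastructure, the following Python script is example code written for this page; it is not Microsoft's or any vendor's tooling. It refangs the published C2 addresses, matches them and the listed tool filenames against log lines in a simple key=value format (the format and every event are constructed for the example), tags each hit with the ATT&CK ID from the mapping above, and ranks hosts by combined evidence so that a chain of medium-confidence hits on one host outranks an isolated hit elsewhere. T1486 for the Medusa filename is assumed here as the standard ATT&CK ID for data encrypted for impact; it is not part of the page's own mapping.

```python
"""Triage constructed log lines against the Storm-1175 indicators in this report.
Added example for this page; not Microsoft tooling. Log format and events are constructed."""
import ipaddress
from dataclasses import dataclass

# Indicators from the report, kept in their published (defanged) form.
DEFANGED_C2 = ["185.135.86[.]149", "134.195.91[.]224", "85.155.186[.]121"]

# Filenames the report associates with the actor's tooling. They are generic
# names, so a filename match alone is only medium confidence.
TOOL_FILENAMES = {
    # T1486 is an assumption: standard ID for Data Encrypted for Impact, not in the page's mapping.
    "gaze.exe": ("Medusa ransomware", "T1486"),
    "lsp.exe": ("Rclone exfiltration", "T1048"),
    "main.exe": ("SimpleHelp RMM", "T1219"),
    "moon.exe": ("SimpleHelp RMM", "T1219"),
}


def refang(ioc: str) -> str:
    """Convert a defanged indicator (1.2.3[.]4, hxxp://) back to a usable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_C2}


@dataclass
class Finding:
    host: str
    technique: str   # ATT&CK technique ID
    severity: str    # "high" or "medium"
    detail: str


def parse(line: str) -> dict:
    """Parse a constructed key=value log line into a dict."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def triage(lines):
    """Map each log line to zero or more findings keyed to the report's TTPs."""
    findings = []
    for line in lines:
        f = parse(line)
        host, kind = f.get("host", "?"), f.get("type")
        if kind == "net":
            try:
                dst = ipaddress.ip_address(f["dst"])
            except (KeyError, ValueError):
                continue  # malformed or non-IP destination: nothing to match
            if dst in C2_IPS:
                findings.append(Finding(host, "T1219", "high",
                                        f"{f.get('proc')} connected to known SimpleHelp C2 {dst}"))
            name = f.get("proc", "").lower()
            if name in TOOL_FILENAMES:
                tool, tid = TOOL_FILENAMES[name]
                findings.append(Finding(host, tid, "medium", f"{name} matches {tool} filename"))
        elif kind == "account_created":
            findings.append(Finding(host, "T1136", "medium",
                                    f"account {f.get('user')} created by {f.get('by')}"))
        elif kind == "defense":
            findings.append(Finding(host, "T1562.001", "high", f.get("event", "")))
    return findings


def escalate_hosts(findings, threshold=3):
    """Rank hosts by combined evidence: several medium hits on one host
    matter more than a single isolated hit elsewhere."""
    weight = {"high": 2, "medium": 1}
    score = {}
    for fd in findings:
        score[fd.host] = score.get(fd.host, 0) + weight[fd.severity]
    return sorted(h for h, s in score.items() if s >= threshold)


# Constructed sample events (not real telemetry).
LOG_LINES = [
    "ts=2026-01-10T03:12:44Z type=net host=web01 proc=main.exe dst=185.135.86.149 dport=443",
    "ts=2026-01-10T03:13:02Z type=account_created host=dc01 user=svc_backup2 by=WEB01$",
    "ts=2026-01-10T03:20:11Z type=net host=web01 proc=lsp.exe dst=203.0.113.50 dport=443",
    "ts=2026-01-10T03:25:30Z type=net host=ws17 proc=chrome.exe dst=198.51.100.7 dport=443",
    "ts=2026-01-10T03:40:00Z type=defense host=web01 event=tamper_protection_disable_attempt",
]

if __name__ == "__main__":
    results = triage(LOG_LINES)
    for r in results:
        print(f"[{r.severity:6}] {r.host:6} {r.technique:10} {r.detail}")
    print("escalate:", escalate_hosts(results))
```

On the constructed sample, web01 accumulates a C2 connection, two tool-name matches and a tamper-protection event and is the only host over the escalation threshold, while the lone account-creation event on dc01 stays below it; in a real environment the account event would still be worth correlating with the creating host.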