Microsoft is raising concerns about a cybercriminal group known as Storm 1175, which is rapidly launching ransomware attacks by exploiting newly discovered security flaws, often within days or even before official patches are released.

The group, believed to be based in China, is financially motivated and closely linked to the deployment of Medusa ransomware.

What makes Storm 1175 especially concerning is its speed and efficiency. According to Microsoft, the group can move from gaining initial access to stealing data and deploying ransomware in as little as 24 hours. Its operations focus heavily on identifying exposed systems on the internet and quickly exploiting vulnerabilities before organizations have time to react.

Recent attacks have had a significant impact on sectors like healthcare, education, finance, and professional services, particularly in countries such as the United States, the United Kingdom, and Australia. These industries are often targeted because of the critical nature of their operations and the high value of their data.

Storm 1175 does not rely on a single method. Instead, it chains together multiple vulnerabilities to strengthen its foothold inside compromised systems. Once inside, attackers create new user accounts, install remote access tools, steal credentials, and disable security protections before finally launching ransomware.

The group has demonstrated the ability to use both known vulnerabilities and previously undisclosed ones. In one case, it exploited a critical flaw in GoAnywhere MFT for more than a week before a patch became available. In another, it used a zero-day vulnerability in SmarterMail to bypass authentication and gain access.

Across its campaigns, Storm 1175 has targeted more than 16 vulnerabilities in widely used software, including Microsoft Exchange, PaperCut, Ivanti systems, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, and BeyondTrust. This broad targeting shows a flexible and opportunistic approach, allowing the group to adapt quickly as new weaknesses emerge.

Security agencies have already sounded the alarm. A joint advisory from CISA, the FBI, and MS-ISAC reported that Medusa ransomware attacks have affected over 300 critical infrastructure organizations in the United States alone. Microsoft has also linked Storm 1175 to other major ransomware operations such as Black Basta and Akira, further highlighting the scale and seriousness of the threat.