Microsoft has warned that a threat actor it tracks as Storm-1175 is exploiting vulnerabilities in internet-facing systems at high speed to deliver Medusa ransomware, in some cases moving from initial access to data theft and encryption within 24 hours. The alert points to a pattern that security teams have feared for months: a shrinking window between vulnerability disclosure, exploitation and full-scale ransomware deployment.
The group, described by Microsoft as financially motivated, is said to focus on web-facing assets that remain exposed after patches are issued or before they are widely applied. Microsoft’s threat intelligence team said Storm-1175 has weaponised more than 16 vulnerabilities since 2023 across products including Microsoft Exchange, PaperCut, Ivanti Connect Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail and BeyondTrust. The company said the actor’s pace has proven particularly damaging for healthcare, education, professional services and finance organisations in Australia, the United Kingdom and the United States.
At the centre of the warning is Medusa, a ransomware-as-a-service operation that has remained active for years and continues to evolve. A joint advisory issued by the FBI, the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center said Medusa was first identified in June 2021 and had affected more than 300 victims across critical infrastructure sectors by February 2025. Those sectors included medical, education, legal, insurance, technology and manufacturing, underscoring the breadth of the threat and the reasons officials continue to press for faster patching, network segmentation and stronger monitoring of exposed systems.
Microsoft’s latest assessment suggests Storm-1175 is not simply scanning for old weaknesses left unattended. It is also moving quickly on newly disclosed flaws and, in some cases, exploiting vulnerabilities before public disclosure. Microsoft said the actor used CVE-2026-23760 in SmarterMail and CVE-2025-10035 in GoAnywhere MFT about a week before those issues were publicly disclosed. It also said the group exploited SAP NetWeaver flaw CVE-2025-31324 within a day of disclosure in April 2025. That matters because it narrows the margin for defenders from weeks to days, and sometimes hours, particularly in organisations with sprawling external attack surfaces and complex patching cycles.
The company said Storm-1175 often follows a familiar but highly disciplined playbook once inside a network. The actor has been observed creating new user accounts, adding them to administrator groups, deploying web shells or remote access payloads, stealing credentials and using legitimate administrative tools to move laterally. Microsoft highlighted the use of PowerShell, PsExec, Cloudflare tunnels, remote monitoring and management software, PDQ Deployer and Impacket, alongside attempts to tamper with Microsoft Defender settings and add antivirus exclusions. Data is commonly staged with compression tools and exfiltrated with utilities such as Rclone before ransomware is pushed out across the environment.
That operational tempo is what most clearly distinguishes the current warning. Microsoft said some incidents unfold over five to six days, but several moved from compromise to ransomware deployment in a single day. Independent reporting on the company’s findings said incident responders are seeing a broader trend in which ransomware actors are weaponising vulnerabilities almost immediately after they emerge, while also relying heavily on legitimate remote management tools that can blend into normal administrative activity.
The development also reflects a wider shift in the ransomware market. Attackers no longer need bespoke malware to produce major disruption; speed, vulnerability research and access to legitimate tools now provide the competitive edge. Microsoft said Storm-1175 still primarily relies on so-called N-day vulnerabilities, meaning flaws that are publicly known but not yet patched across enough targets. Even so, its apparent use of zero-days suggests either improved in-house capability or access to exploit brokers, a combination that raises the stakes for sectors where internet-exposed applications are essential to daily operations.