Storm-1175 Deploys Medusa Ransomware Within 24 Hours of Access
Microsoft links China-based Storm-1175 to high-velocity Medusa ransomware attacks exploiting zero-day vulnerabilities. Healthcare, education, and finance sectors hit across Australia, UK, and US.
Microsoft has published detailed analysis linking Storm-1175, a China-based threat actor, to a campaign of "high-velocity" ransomware attacks that compress the entire intrusion lifecycle—from initial access to ransomware deployment—into as little as 24 hours. The group weaponizes both zero-day and recently patched vulnerabilities to breach internet-facing systems before defenders can respond.
The findings, published on the Microsoft Security Blog, reveal Storm-1175 has exploited at least 16 vulnerabilities since 2023, with recent attacks leveraging CVE-2026-23760 in SmarterMail and CVE-2025-10035 in GoAnywhere Managed File Transfer—both exploited as zero-days before public disclosure.
Operational Tempo
Traditional ransomware operators often dwell in victim networks for days or weeks, conducting reconnaissance, harvesting credentials, and positioning for maximum impact. Storm-1175 operates differently, prioritizing speed over stealth.
Upon gaining initial access through a vulnerable edge device, the group rapidly escalates privileges, identifies high-value data, exfiltrates what they can, and deploys Medusa ransomware—sometimes completing the entire sequence within 24 hours. This speed limits defenders' detection and response windows while reducing the group's exposure to threat hunters.
The operational tempo suggests Storm-1175 treats ransomware as a high-volume operation rather than a series of carefully planned intrusions. They exploit exposed assets opportunistically, extract value quickly, and move on to the next target.
Victim Profile
Recent intrusions have heavily impacted healthcare organizations, along with targets in education, professional services, and finance across Australia, the United Kingdom, and the United States. Healthcare's combination of critical operations, sensitive data, and often outdated security makes it particularly attractive to ransomware operators.
The geographic spread indicates Storm-1175 isn't limiting targeting to specific regions but rather exploiting vulnerable systems wherever they find them. Organizations with internet-facing infrastructure running affected software should consider themselves potential targets regardless of industry.
Zero-Day Exploitation
The group's willingness to deploy zero-day exploits distinguishes them from typical ransomware affiliates who rely on publicly available exploit code. Microsoft's analysis indicates Storm-1175 exploited CVE-2026-23760 approximately one week before SmarterMail's public advisory, and similarly exploited CVE-2025-10035 in GoAnywhere MFT before disclosure.
This capability suggests either independent vulnerability research or access to zero-day brokers. Either way, it means organizations cannot rely solely on patching disclosed vulnerabilities—Storm-1175 may already have exploited systems before patches become available.
The group's focus on edge devices and file transfer systems mirrors other recent campaigns targeting the network perimeter. These systems often have less robust monitoring than internal infrastructure and provide immediate network access upon compromise.
Medusa Ransomware
Medusa operates as ransomware-as-a-service, with Storm-1175 functioning as an affiliate deploying the payload in exchange for a cut of ransom payments. The ransomware itself uses standard double-extortion tactics: encrypting systems while threatening to publish stolen data if victims don't pay.
Microsoft's attribution of Storm-1175 as "China-based" raises questions about the intersection of state-sponsored and financially motivated cyber activity. While the group's primary motivation appears financial, the speed and sophistication of their operations suggest resources beyond those of typical criminal enterprises.
Defensive Recommendations
Given Storm-1175's rapid exploitation timelines, defenders must prioritize:
- Edge device hardening - Audit all internet-facing systems. Remove unnecessary exposure and ensure remaining systems are patched within hours of critical vulnerability disclosure.
- Network segmentation - Prevent lateral movement from compromised edge systems to critical internal resources.
- Behavioral detection - Signature-based detection fails against zero-days. Focus on identifying rapid privilege escalation, bulk data access, and other behavioral indicators.
- Backup validation - Ensure backups are isolated from production networks and regularly tested for restoration.
For organizations running SmarterMail or GoAnywhere MFT, verify current patch levels and review logs for indicators of prior compromise. The gap between Storm-1175's exploitation and public disclosure means some organizations may have been breached before patches were available.
The group's track record across 16+ vulnerabilities since 2023 suggests continued activity. Organizations should assume Storm-1175 is actively scanning for their next opportunity and prepare accordingly.
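As an added illustration of the behavioral-detection and log-review points above (this is not code from Microsoft's analysis or from the article), the rule below correlates three stages the article describes, edge-device access, privilege escalation and bulk data access, and flags hosts where the whole chain completes inside a 24-hour window. The event names, hostnames and log lines are constructed for the example; a real deployment would map them onto the telemetry of the EDR or SIEM in use.

```python
# Added example, not from the article: a correlation rule that flags hosts where
# the intrusion stages the article describes all occur within a short window.
from datetime import datetime, timedelta
import json

# Constructed sample telemetry (JSON lines); hostnames and events are made up.
SAMPLE_LOG = """\
{"ts": "2026-02-10T01:02:00Z", "host": "mail01", "event": "edge_process_spawn"}
{"ts": "2026-02-10T01:40:00Z", "host": "mail01", "event": "priv_escalation"}
{"ts": "2026-02-10T04:15:00Z", "host": "mail01", "event": "bulk_file_read"}
{"ts": "2026-02-10T02:00:00Z", "host": "mft02", "event": "edge_process_spawn"}
{"ts": "2026-02-14T09:00:00Z", "host": "mft02", "event": "priv_escalation"}
{"ts": "2026-02-14T09:30:00Z", "host": "mft02", "event": "bulk_file_read"}
{"ts": "2026-02-11T08:00:00Z", "host": "ws07", "event": "bulk_file_read"}
"""

# Stages in the order the article describes; only in-order occurrences count.
STAGES = ("edge_process_spawn", "priv_escalation", "bulk_file_read")

def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return events

def find_fast_chains(events, window_hours=24):
    """Return {host: seconds_from_first_to_last_stage} for hosts where all
    stages occur in order and the whole chain fits inside the window."""
    window = timedelta(hours=window_hours)
    by_host = {}
    for e in sorted(events, key=lambda r: r["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    hits = {}
    for host, evs in by_host.items():
        seen = {}  # earliest in-order timestamp per stage
        for e in evs:
            stage = e["event"]
            if stage in STAGES and stage not in seen:
                idx = STAGES.index(stage)
                if idx == 0 or STAGES[idx - 1] in seen:
                    seen[stage] = e["ts"]
        if len(seen) == len(STAGES):
            elapsed = seen[STAGES[-1]] - seen[STAGES[0]]
            if elapsed <= window:
                hits[host] = int(elapsed.total_seconds())
    return hits
```

In the sample data only mail01 is flagged: mft02 shows the same stages but spread over four days, and ws07 has a bulk read with no preceding edge access, so neither matches the high-velocity pattern the rule is looking for.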