
The 24-Hour Hijack: How Storm-1175 Turns Your Unpatched Server Into a Ransomware Launchpad


There is a moment between the time a software vendor announces a critical vulnerability and the time your IT team applies the patch that security professionals call the “exposure window.” For most organizations, that window lasts days or weeks. For the ransomware affiliate tracked as Storm-1175, that window is an operational runway – and they take off fast.

According to a detailed analysis released April 6, 2026, by Microsoft Threat Intelligence (source: Microsoft Security Blog), Storm-1175 has mastered the art of high-velocity ransomware campaigns that prey specifically on web-facing assets during that narrow gap between disclosure and patch adoption. In at least one documented case, the group weaponized a disclosed vulnerability in SAP NetWeaver (CVE-2025-31324) just 24 hours after it became public.

But here is what should keep security operations center (SOC) teams awake tonight: Storm-1175 has also demonstrated the ability to exploit zero-day vulnerabilities – including a SmarterMail flaw tracked as CVE-2026-23760 – a full week before vendors even told the world they existed.

Who Is Storm-1175?

Storm-1175 is not a household name like LockBit or BlackCat. But that is precisely why it matters.

The group operates as an affiliate within the Medusa ransomware-as-a-service (RaaS) ecosystem. That means they do not build their own ransomware from scratch. Instead, they pay for access to Medusa’s malware, leak site, and infrastructure, then focus on what they do exceptionally well: breaking in.

And breaking in is exactly what they have been doing since at least 2023.

Microsoft has observed Storm-1175 exploiting over 16 distinct vulnerabilities across a wide range of enterprise software, including:

  • Microsoft Exchange (CVE-2023-21529)
  • PaperCut (CVE-2023-27351, CVE-2023-27350)
  • Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887)
  • ConnectWise ScreenConnect (CVE-2024-1708, CVE-2024-1709)
  • JetBrains TeamCity (CVE-2024-27198, CVE-2024-27199)
  • SimpleHelp (multiple CVEs in 2024)
  • CrushFTP (CVE-2025-31161)
  • GoAnywhere MFT (CVE-2025-10035)
  • SmarterMail (CVE-2025-52691, CVE-2025-52692, CVE-2025-52693, and the zero-day CVE-2026-23760)
  • BeyondTrust (CVE-2026-1731)

This is not a group that discovers brand-new attack methods. They are second-day warriors – monitoring disclosure feeds, building exploits overnight, and scanning the internet for organizations that have not yet locked the door.

The Attack Chain: From Web Shell to Ransomware in Under 24 Hours

What makes Storm-1175 genuinely dangerous is not their toolset. It is their tempo.

According to Microsoft’s telemetry, Storm-1175 can move from initial exploitation to full ransomware deployment in as little as one day, though most attacks unfold over five to six days. In some cases, the entire kill chain – from first breach to encrypted files – completes within a single 24-hour window.

Here is how they do it.

Step 1: Exploiting Vulnerable Web-Facing Assets

Storm-1175 constantly scans for exposed perimeter systems running unpatched software. Their targets are predictable: web servers, VPN gateways, remote access tools, and email appliances — anything that faces the public internet and might have missed this month’s patch Tuesday.

Once they identify a vulnerable system, they deploy a web shell or remote access payload to establish their initial foothold. This is the digital equivalent of a burglar slipping a wedge under a fire door.

Step 2: Covert Persistence and Lateral Movement

From that initial beachhead, Storm-1175 moves fast.

They typically create a new user account and add it to the local administrators group, a simple but effective persistence mechanism. From there, they begin reconnaissance using legitimate administrative tools.

Their toolkit includes:

  • Living-off-the-land binaries (LOLBins) like PowerShell and PsExec
  • Cloudflare tunnels (renamed to mimic legitimate processes like conhost.exe) to move laterally over Remote Desktop Protocol (RDP)
  • Remote monitoring and management (RMM) tools including Atera, Level, N-able, AnyDesk, and SimpleHelp

If RDP is blocked, Storm-1175 simply uses their administrative privileges to modify the Windows Firewall policy and enable it. They write the results of their commands to text files: methodical, quiet, and effective.

They also rely heavily on PDQ Deployer, a legitimate software deployment tool, to silently install applications and deliver ransomware payloads across the network. This is a particularly elegant technique because it uses trusted software to do untrusted work.

Step 3: Credential Theft

Before they can cause maximum damage, Storm-1175 needs keys to the kingdom.

They achieve this through multiple methods:

  • Impacket (a collection of Python tools for network protocols) to dump credentials from the Local Security Authority Subsystem Service (LSASS)
  • Mimikatz, the legendary credential theft tool
  • Modifying the registry to enable WDigest credential caching, which stores passwords in plaintext
  • Using Task Manager to dump LSASS credentials directly

Once they have administrator credentials, they escalate further. In multiple intrusions, Storm-1175 has used PsExec to pivot to a Domain Controller, where they dump the NTDS.dit file, the Active Directory database containing every user password hash in the organization. From that point, they effectively own the entire network.

Step 4: Security Tampering

Storm-1175 knows that the last thing standing between them and a successful ransomware deployment is your antivirus software.

So they turn it off.

Using highly privileged accounts, they modify the Microsoft Defender Antivirus registry settings to disable protection. They also use encoded PowerShell commands to add the entire C:\ drive to the antivirus exclusion path, ensuring that their ransomware payloads run completely unchecked.

Step 5: Data Exfiltration and Ransomware Deployment

Like most modern ransomware operations, Storm-1175 practices double extortion. They do not just encrypt your data, they steal it first.

For exfiltration, they use Bandizip to compress files and Rclone to synchronize stolen data to attacker-controlled cloud storage. Rclone is particularly dangerous because it can continuously exfiltrate newly created or modified files in real-time, requiring no ongoing attacker interaction.

Finally, they deploy the Medusa ransomware payload, often using PDQ Deployer or a malicious Group Policy update to push it across the entire domain simultaneously.

Game over.

Why This Matters Right Now

The healthcare, education, professional services, and finance sectors in Australia, the United Kingdom, and the United States have already been heavily impacted by Storm-1175 campaigns, according to Microsoft’s telemetry.

But there is no reason to believe the group will not expand its geographic focus. Ransomware affiliates follow opportunity, not maps. Any organization with vulnerable, web-facing assets – regardless of industry or country – is a potential target.

And here is the uncomfortable truth that Microsoft’s report makes clear: Storm-1175 is not exceptionally sophisticated. They are not breaking new ground in exploit development. They are not using nation-state grade zero-days in every campaign.

They are simply fast and disciplined.

And for most organizations, speed is the one thing their security operations cannot match.

10 Recommended Actions to Defend Against Storm-1175 and Similar Threat Actors

Based on Microsoft’s guidance and independent analysis from Cybersecurity Magazine, here are ten concrete steps your organization should take immediately:

1. Know your digital footprint.
Use a perimeter scanning tool – such as Microsoft Defender External Attack Surface Management or open-source alternatives – to identify every web-facing asset in your environment. You cannot protect what you do not know exists.

2. Isolate web-facing systems.
Any server that must face the public internet should be placed behind a web application firewall (WAF), reverse proxy, or in a demilitarized zone (DMZ). Use VPNs for administrative access whenever possible.

3. Patch faster – or virtual patch.
Storm-1175 weaponizes vulnerabilities within 24 hours of disclosure. If you cannot patch that fast, implement virtual patching through intrusion prevention systems (IPS) or web application firewalls while you prepare maintenance windows.

4. Enable Credential Guard.
This Windows security feature protects credentials stored in the LSASS process. It is enabled by default on Windows 11, but if it was previously disabled, you must re-enable it manually – ideally before domain join.

5. Turn on tamper protection.
Enable tenant-wide tamper protection to prevent attackers from disabling Microsoft Defender Antivirus or adding exclusion paths. Combine this with the DisableLocalAdminMerge setting to block local administrators from overriding antivirus settings.

6. Deploy attack surface reduction (ASR) rules.
Specifically enable ASR rules that block:

  • Credential stealing from LSASS
  • Obfuscated script execution
  • Web shell creation on servers
  • Process creations from PsExec and WMI commands
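The following audit script is an added example, not code from the article or from Microsoft's report. It checks a Windows host against recommendations 4, 5 and 6 above and against the Step 4 tampering pattern (a whole-drive antivirus exclusion). Assumptions: Credential Guard status is read from the Win32_DeviceGuard CIM class, the DisableLocalAdminMerge value is read from the Defender policy registry key, and the four ASR rule GUIDs are the ones listed in Microsoft's ASR rules reference as known to the editor; confirm them against the current reference before relying on them. Run it in an elevated PowerShell session on the host being audited.

```powershell
# Added example (not from the article or Microsoft's report): audits one host
# against recommendations 4-6 and the whole-drive exclusion described in Step 4.
# Assumed: ASR GUIDs as in Microsoft's ASR reference (verify); DisableLocalAdminMerge
# is a DWORD under the Defender policy key; Credential Guard reports through
# Win32_DeviceGuard. Requires an elevated session and the Defender cmdlets.

$AsrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'a8f5898e-1dc8-49a9-9878-85004b8a61e6' = 'Block Webshell creation for Servers'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
}

function Test-StormHardening {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Check, $Ok, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $(if ($Ok) { 'OK' } else { 'FIX' }); Detail = $Detail })
    }

    # Recommendation 4: Credential Guard. SecurityServicesRunning contains 1 when it is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = $dg -and ($dg.SecurityServicesRunning -contains 1)
    Add-Finding 'Credential Guard running' $cgRunning "SecurityServicesRunning = $($dg.SecurityServicesRunning -join ',')"

    # Recommendation 5: tamper protection on, and local admins unable to merge their own lists.
    $status = Get-MpComputerStatus
    Add-Finding 'Tamper protection' ($status.IsTamperProtected -eq $true) "IsTamperProtected = $($status.IsTamperProtected)"

    # An absent value means local administrator merge is still allowed (policy key; assumption).
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    $mergeOff = $pol -and ($pol.DisableLocalAdminMerge -eq 1)
    Add-Finding 'DisableLocalAdminMerge' $mergeOff "DisableLocalAdminMerge = $($pol.DisableLocalAdminMerge)"

    # Recommendation 6: the four ASR rules must be in Block mode (0 = Off, 1 = Block, 2 = Audit, 6 = Warn).
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToLower() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $AsrRules.Keys) {
        $i    = [array]::IndexOf($ids, $guid)
        $mode = if ($i -ge 0) { [int]$actions[$i] } else { -1 }
        Add-Finding "ASR: $($AsrRules[$guid])" ($mode -eq 1) "action = $mode (1 = Block, -1 = not configured)"
    }
    # To turn a missing rule on:
    #   Add-MpPreference -AttackSurfaceReductionRules_Ids <guid> -AttackSurfaceReductionRules_Actions Enabled

    # Step 4 pattern: an exclusion that covers an entire drive root such as C:\ or C:
    $broad = @($pref.ExclusionPath | Where-Object { $_ -match '^[A-Za-z]:\\?$' })
    Add-Finding 'No whole-drive exclusions' ($broad.Count -eq 0) $(if ($broad) { $broad -join ', ' } else { 'none' })

    return $findings
}

Test-StormHardening | Format-Table -AutoSize
```

Every row that reads FIX maps directly onto one of the steps Storm-1175 is described as taking: a missing Credential Guard or LSASS rule is the credential-theft path, a tamper protection or merge gap is the Step 4 path, and a drive-root exclusion is the sign that Step 4 has already happened.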

7. Audit and secure approved RMM tools.
If your organization uses legitimate RMM tools (like AnyDesk, ConnectWise, or Atera), enforce multi-factor authentication (MFA) and monitor for unauthorized installations. If you discover an unapproved RMM tool, reset passwords for all accounts used to install it.

8. Implement automatic attack disruption.
Microsoft Defender XDR customers should configure automatic attack disruption to contain in-progress attacks immediately, limiting their spread while SOC teams investigate.

9. Monitor for credential theft indicators.
Prioritize alerts related to LSASS dumping, unusual account creations, and suspicious use of PsExec or PowerShell. These are often the earliest indicators of an active ransomware attack.
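The detection pass below is an added example, not code from the article or from Microsoft's report. It serves both the Step 2 and Step 3 tradecraft described earlier (new local administrator, renamed tunnel binary, PsExec service installation, WDigest re-enablement, LSASS access, unapproved RMM agents and the Rclone exfiltration tool from Step 5) and recommendation 9 above. Every sample record is constructed for illustration; the field names follow the Security (4720, 4732), System (7045) and Sysmon (1, 10, 13) event schemas so that the same objects can be built from Get-WinEvent output on a real host. The 10-minute correlation window, the trusted-directory list for LSASS access, and the empty approved-RMM list are assumptions to be tuned per environment.

```powershell
# Added example, not from the article or Microsoft's report: correlates the early
# indicators of a Storm-1175-style intrusion over constructed Windows event records.
# Field names mirror the Security/System/Sysmon event data; all values are made up.

$SampleEvents = @(
    # Security 4720/4732: a new local user, promoted to Administrators seconds later
    [pscustomobject]@{ Log='Security'; Id=4720; Time=[datetime]'2026-04-01T02:10:05'; Host='WEB01'; TargetUserName='svc_updt' }
    [pscustomobject]@{ Log='Security'; Id=4732; Time=[datetime]'2026-04-01T02:10:09'; Host='WEB01'; TargetUserName='Administrators'; MemberName='svc_updt' }
    # Sysmon 1: a 'conhost.exe' started from a user-writable directory (renamed tunnel client)
    [pscustomobject]@{ Log='Sysmon'; Id=1; Time=[datetime]'2026-04-01T02:31:40'; Host='WEB01'; Image='C:\Users\Public\conhost.exe' }
    # System 7045: the service PsExec installs on the remote side
    [pscustomobject]@{ Log='System'; Id=7045; Time=[datetime]'2026-04-01T03:02:11'; Host='DC01'; ServiceName='PSEXESVC'; ImagePath='%SystemRoot%\PSEXESVC.exe' }
    # Sysmon 13: WDigest plaintext credential caching switched on
    [pscustomobject]@{ Log='Sysmon'; Id=13; Time=[datetime]'2026-04-01T03:05:00'; Host='DC01'; TargetObject='HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential'; Details='DWORD (0x00000001)' }
    # Sysmon 10: lsass.exe opened by a binary in a temp directory (hypothetical name)
    [pscustomobject]@{ Log='Sysmon'; Id=10; Time=[datetime]'2026-04-01T03:06:30'; Host='DC01'; SourceImage='C:\Windows\Temp\upd.exe'; TargetImage='C:\Windows\System32\lsass.exe' }
    # Sysmon 1: an RMM agent and an exfiltration tool nobody approved
    [pscustomobject]@{ Log='Sysmon'; Id=1; Time=[datetime]'2026-04-01T04:00:00'; Host='FS02'; Image='C:\Users\Public\AnyDesk.exe' }
    [pscustomobject]@{ Log='Sysmon'; Id=1; Time=[datetime]'2026-04-01T04:20:00'; Host='FS02'; Image='C:\ProgramData\rclone.exe' }
    # Benign noise that must not fire: the genuine conhost.exe
    [pscustomobject]@{ Log='Sysmon'; Id=1; Time=[datetime]'2026-04-01T04:01:00'; Host='FS02'; Image='C:\Windows\System32\conhost.exe' }
)

$KnownRmm    = @('AnyDesk.exe')   # add the other vendors' agent binaries from your software inventory
$ApprovedRmm = @()                # assumption: nothing is approved until listed here
$ExfilTools  = @('rclone.exe')

function Find-StormIndicators {
    param([Parameter(Mandatory)][object[]]$Events)

    $hits = [System.Collections.Generic.List[object]]::new()
    function Add-Hit($Event, $Indicator, $Detail) {
        $hits.Add([pscustomobject]@{ Time = $Event.Time; Host = $Event.Host; Indicator = $Indicator; Detail = $Detail })
    }

    # 1. New account promoted to local Administrators within 10 minutes (assumed window)
    foreach ($created in ($Events | Where-Object { $_.Log -eq 'Security' -and $_.Id -eq 4720 })) {
        $promoted = @($Events | Where-Object {
            $_.Log -eq 'Security' -and $_.Id -eq 4732 -and $_.Host -eq $created.Host -and
            $_.TargetUserName -eq 'Administrators' -and $_.MemberName -eq $created.TargetUserName -and
            $_.Time -ge $created.Time -and ($_.Time - $created.Time).TotalMinutes -le 10
        })
        if ($promoted.Count -gt 0) { Add-Hit $promoted[0] 'NewLocalAdmin' "$($created.TargetUserName) created and promoted" }
    }

    # 2. Process creation: masqueraded conhost.exe, unapproved RMM agent, exfiltration tooling
    foreach ($p in ($Events | Where-Object { $_.Log -eq 'Sysmon' -and $_.Id -eq 1 })) {
        $leaf = Split-Path -Leaf $p.Image
        $dir  = Split-Path -Parent $p.Image
        if ($leaf -ieq 'conhost.exe' -and $dir -ine 'C:\Windows\System32') {
            Add-Hit $p 'MasqueradedBinary' "conhost.exe running from $dir"
        }
        if ($KnownRmm -contains $leaf -and $ApprovedRmm -notcontains $leaf) { Add-Hit $p 'UnapprovedRmm' $p.Image }
        if ($ExfilTools -contains $leaf) { Add-Hit $p 'ExfilTool' $p.Image }
    }

    # 3. PsExec-style remote service installation
    foreach ($s in ($Events | Where-Object { $_.Log -eq 'System' -and $_.Id -eq 7045 })) {
        if ($s.ServiceName -ieq 'PSEXESVC' -or $s.ImagePath -imatch 'PSEXESVC') {
            Add-Hit $s 'PsExecService' "$($s.ServiceName) -> $($s.ImagePath)"
        }
    }

    # 4. WDigest caching enabled through the registry (value set to 1)
    foreach ($r in ($Events | Where-Object { $_.Log -eq 'Sysmon' -and $_.Id -eq 13 })) {
        if ($r.TargetObject -imatch '\\WDigest\\UseLogonCredential$' -and $r.Details -match '0x0*1\)?$') {
            Add-Hit $r 'WDigestEnabled' $r.TargetObject
        }
    }

    # 5. lsass.exe opened by anything outside the OS and security-product directories (assumed list)
    $trusted = '^C:\\Windows\\System32\\', '^C:\\Program Files\\', '^C:\\ProgramData\\Microsoft\\Windows Defender\\'
    foreach ($a in ($Events | Where-Object { $_.Log -eq 'Sysmon' -and $_.Id -eq 10 })) {
        $fromTrusted = @($trusted | Where-Object { $a.SourceImage -imatch $_ }).Count -gt 0
        if ($a.TargetImage -imatch '\\lsass\.exe$' -and -not $fromTrusted) { Add-Hit $a 'LsassAccess' $a.SourceImage }
    }

    return $hits | Sort-Object Host, Time
}

Find-StormIndicators -Events $SampleEvents | Format-Table -AutoSize
```

On the constructed input the pass reports NewLocalAdmin and MasqueradedBinary on WEB01, PsExecService, WDigestEnabled and LsassAccess on DC01, and UnapprovedRmm and ExfilTool on FS02, while the genuine conhost.exe stays silent. The ordering matters for triage: the WEB01 findings precede the DC01 findings by under an hour, which is the tempo the article describes, so a SOC that pages on the first pair still has the Domain Controller in play.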

10. Practice offline, immutable backups.
No defense is perfect. Ensure you have recent, offline, and immutable backups of critical systems. Storm-1175 deploys ransomware after gaining Domain Controller access – so store backups outside your Active Directory environment.

Final Thoughts

Storm-1175 is a reminder that cybersecurity does not always require sophisticated nation-state adversaries to cause catastrophic damage. Sometimes, all it takes is a disciplined group of criminals who are simply faster than your patch management process.

The gap between vulnerability disclosure and patch adoption has always been dangerous. But when attackers can weaponize exploits in 24 hours and move from breach to ransomware in a single day, that gap becomes a liability.

Microsoft’s report, published April 6, 2026 (source: Microsoft Security Blog), offers a detailed roadmap for defense. But roadmaps only work if you start driving.

Patch your web-facing systems. Turn on tamper protection. Enable Credential Guard. And assume that somewhere, right now, Storm-1175 or someone like them is scanning your perimeter for an open door.

Because they are.

And they are fast.

For continuous cybersecurity training and awareness resources, visit Saintynet Cybersecurity. For more in-depth analysis of ransomware trends and threat actor profiles, explore related articles on Cybercory Magazine.

Have you experienced a rapid ransomware attack in your organization? Share your story with our editorial team — your insights could help others defend against the next Storm-1175.
