Storm-1175 Exploits 0-Day Flaws in Medusa Ransomware Attacks

Significant risk — action recommended within 24-48 hours
In short: a financially motivated group is exploiting unpatched flaws in internet-facing software to deploy ransomware, often within a day of gaining access.
Storm-1175 is rapidly exploiting unpatched vulnerabilities to deploy Medusa ransomware. Organizations with internet-facing systems are at high risk. Immediate action is needed to patch vulnerabilities and secure networks.
What Happened
A new ransomware campaign led by the financially motivated group Storm-1175 has emerged, putting organizations on high alert. The group rapidly targets vulnerable, internet-facing systems and deploys the Medusa ransomware as the final stage of the intrusion. Its speed is the alarming part: it can encrypt an entire organization within 24 hours of the initial breach.
Who's Affected
Organizations with internet-facing platforms are particularly at risk. Storm-1175 exploits vulnerabilities that remain unpatched, known as N-day vulnerabilities: flaws that have been publicly disclosed, usually with a vendor fix available, but that the affected organization has not yet applied. The group has been active since 2023 and has exploited over 16 known vulnerabilities across various enterprise platforms.
How It Works
Storm-1175's attack strategy is built around the short window between the disclosure of a vulnerability and the application of its patch. The group scans for vulnerable applications, such as file transfer tools and mail servers, that are still running outdated versions. It does not always wait for disclosure: it exploited CVE-2026-23760, a SmarterMail flaw, about a week before the flaw was publicly disclosed, which at that point made it a 0-day rather than an N-day. This speed of exploitation, sometimes ahead of any advisory or catalog entry, is what makes the group especially dangerous.
Attack Chain
Once inside a target environment, Storm-1175 follows a precise sequence of steps:
- They deploy a web shell or a remote access payload to maintain access.
- New user accounts are created to ensure continued access to the network.
- Legitimate remote monitoring tools are used to blend malicious activity with regular traffic.
- They tamper with Microsoft Defender Antivirus settings, for example by adding exclusion paths, to weaken defenses.
- Attackers steal credentials to gain access to high-privilege accounts, enabling them to spread the ransomware.
Medusa Ransomware
Medusa operates as a Ransomware-as-a-Service platform, using a double extortion model. This means that while they encrypt data, they also steal it, threatening to release it publicly if the ransom is not paid. This dual threat puts immense pressure on organizations, combining operational disruption with the risk of data exposure.
What You Should Do
Organizations are advised to patch any internet-facing systems immediately, particularly within 72 hours for vulnerabilities listed in the CISA Known Exploited Vulnerabilities catalog. Security teams should monitor for:
- Alerts tied to credential theft.
- Unauthorized registry changes.
- New user account creations.
Additionally, restricting remote monitoring tools to approved applications and enforcing multi-factor authentication on all privileged accounts are crucial steps. Regular audits of antivirus exclusion paths can help detect unauthorized modifications before attackers exploit them.
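A concrete way to act on the 72-hour guidance above is to triage your inventory of internet-facing systems against the Known Exploited Vulnerabilities feed and order the patch queue by exposure. The script below is an added example, not code from the article or from CISA. It assumes the feed uses the JSON schema CISA publishes for the catalog (a `vulnerabilities` array whose entries carry `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse`); the feed entries, CVE numbers and hosts embedded here are constructed placeholders, and the inventory format, the P1/P2/P3 priority scheme and the `triage` function are assumptions for illustration.

```python
"""Triage internet-facing assets against a KEV-style feed with a 72-hour SLA.

Added example, not code from the article or from CISA. The feed mimics the
JSON schema CISA publishes for the Known Exploited Vulnerabilities catalog;
the entries, hosts and CVE numbers below are constructed placeholders.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_SLA_DAYS = 3  # the 72-hour window recommended for KEV-listed flaws

# Constructed feed in the KEV JSON shape (not real catalog content).
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp", "product": "ExampleMail",
     "dateAdded": "2099-01-10", "dueDate": "2099-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCorp", "product": "ExampleMFT",
     "dateAdded": "2099-01-12", "dueDate": "2099-02-02", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: each asset lists the CVEs its installed version is affected by.
INVENTORY = [
    {"host": "mail.example.test", "internet_facing": True, "cves": ["CVE-2099-0001"]},
    {"host": "mft.example.test", "internet_facing": True, "cves": ["CVE-2099-0002"]},
    {"host": "intranet.example.test", "internet_facing": False, "cves": ["CVE-2099-0001"]},
    {"host": "web.example.test", "internet_facing": True, "cves": ["CVE-2099-9999"]},  # not in KEV
]


@dataclass
class Finding:
    host: str
    cve: str
    product: str
    priority: str   # P1: internet-facing + known ransomware use, P2: internet-facing, P3: internal
    patch_by: date  # dateAdded + 72h, never later than the catalog's own dueDate
    overdue: bool


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index the feed by CVE id for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(inventory: list[dict], kev: dict[str, dict], today: str) -> list[Finding]:
    """Return KEV-listed exposures ordered by priority, then by deadline."""
    now = date.fromisoformat(today)
    findings: list[Finding] = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not (yet) in KEV: patch on the normal cycle, the feed can lag exploitation
            sla_deadline = date.fromisoformat(entry["dateAdded"]) + timedelta(days=PATCH_SLA_DAYS)
            patch_by = min(sla_deadline, date.fromisoformat(entry["dueDate"]))
            ransomware = entry["knownRansomwareCampaignUse"] == "Known"
            if asset["internet_facing"]:
                priority = "P1" if ransomware else "P2"
            else:
                priority = "P3"
            findings.append(Finding(asset["host"], cve, entry["product"],
                                    priority, patch_by, now > patch_by))
    return sorted(findings, key=lambda f: (f.priority, f.patch_by, f.host))


if __name__ == "__main__":
    for f in triage(INVENTORY, load_kev(KEV_FEED_JSON), "2099-01-14"):
        flag = "OVERDUE" if f.overdue else "due"
        print(f"{f.priority} {f.host:24} {f.cve} ({f.product}) {flag} {f.patch_by}")
```

The `continue` on a CVE missing from the feed is the caveat the SmarterMail case illustrates: a flaw exploited before disclosure has no catalog entry while it is being used, so the feed is a floor for urgency, not a complete list of what an attacker is already exploiting.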
🔍 How to Check If You're Affected
1. Check for alerts related to credential theft.
2. Monitor for unauthorized registry changes.
3. Review new user account creations in your environment.
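The attack chain above and the three checks in this list map onto a small set of Windows telemetry sources, and the value comes from correlating them per host within the group's 24-hour window rather than alerting on any one in isolation. The code below is an added example, not code from the article, from Microsoft or from any detection product. It runs over constructed event records shaped like Security log, Microsoft-Windows-Windows Defender/Operational and Sysmon events (event IDs 4720, 4688, 5007, 13 and 10 are the real ones for account creation, process creation, Defender configuration change, registry value set and process access; the hosts, users, timestamps and the flattened field names such as `NewValue` are made up for the example). The RMM catalog, the approved-tool allowlist and the three-stage chain threshold are assumptions for illustration.

```python
"""Detect and correlate the Storm-1175 post-exploitation steps over Windows events.

Added example, not code from the article or from Microsoft. Event records
below are constructed; field names follow the respective logs loosely.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed RMM catalog and allowlist (illustrative, adapt to your environment).
RMM_TOOLS = {"anydesk.exe", "screenconnect.clientservice.exe", "teamviewer.exe"}
APPROVED_RMM = {"screenconnect.clientservice.exe"}
DEFENDER_KEYS = ("software\\policies\\microsoft\\windows defender",
                 "software\\microsoft\\windows defender")
PROCESS_VM_READ = 0x0010          # access right needed to read LSASS memory
CHAIN_WINDOW = timedelta(hours=24)  # the article's breach-to-encryption figure
CHAIN_MIN_STAGES = 3              # assumed threshold for an attack-chain alert

# Constructed events (not real telemetry). MAIL01 shows the full chain; WS07 is benign noise.
EVENTS = [
    {"ts": "2026-03-01T02:05:00", "host": "MAIL01", "log": "Security", "id": 4720,
     "SubjectUserName": "svc_web", "TargetUserName": "backup_adm"},
    {"ts": "2026-03-01T02:10:00", "host": "MAIL01", "log": "Security", "id": 4688,
     "NewProcessName": "C:\\Users\\Public\\AnyDesk.exe"},
    {"ts": "2026-03-01T02:20:00", "host": "MAIL01", "log": "Microsoft-Windows-Windows Defender/Operational",
     "id": 5007, "NewValue": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public = 0x0"},
    {"ts": "2026-03-01T02:25:00", "host": "MAIL01", "log": "Microsoft-Windows-Sysmon/Operational", "id": 13,
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"ts": "2026-03-01T03:00:00", "host": "MAIL01", "log": "Microsoft-Windows-Sysmon/Operational", "id": 10,
     "SourceImage": "C:\\Users\\Public\\p.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"ts": "2026-03-01T09:00:00", "host": "WS07", "log": "Security", "id": 4688,
     "NewProcessName": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"},
    {"ts": "2026-03-01T09:30:00", "host": "WS07", "log": "Security", "id": 4720,
     "SubjectUserName": "helpdesk1", "TargetUserName": "jsmith"},
    {"ts": "2026-03-01T09:45:00", "host": "WS07", "log": "Microsoft-Windows-Sysmon/Operational", "id": 10,
     "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1000"},  # query-only access, not a memory read
]


@dataclass
class Finding:
    ts: datetime
    host: str
    stage: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> tuple[str, str] | None:
    """Map one event to an attack-chain stage, or None if it is not interesting."""
    log, eid = ev["log"], ev["id"]
    if log == "Security" and eid == 4720:
        return "persistence:new_account", f"{ev['SubjectUserName']} created {ev['TargetUserName']}"
    if log == "Security" and eid == 4688:
        exe = _basename(ev["NewProcessName"])
        if exe in RMM_TOOLS and exe not in APPROVED_RMM:
            return "rmm:unapproved", ev["NewProcessName"]
    if log == "Microsoft-Windows-Windows Defender/Operational" and eid == 5007:
        return "defense_evasion:defender_config", ev["NewValue"]
    if log == "Microsoft-Windows-Sysmon/Operational" and eid == 13:
        if any(k in ev["TargetObject"].lower() for k in DEFENDER_KEYS):
            return "defense_evasion:registry", f"{ev['TargetObject']} = {ev['Details']}"
    if log == "Microsoft-Windows-Sysmon/Operational" and eid == 10:
        if _basename(ev["TargetImage"]) == "lsass.exe" and int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
            return "credential_access:lsass", f"{ev['SourceImage']} access {ev['GrantedAccess']}"
    return None


def detect(events: list[dict]) -> list[Finding]:
    """Run every event through classify() in time order."""
    out: list[Finding] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit:
            out.append(Finding(datetime.fromisoformat(ev["ts"]), ev["host"], *hit))
    return out


def correlate(findings: list[Finding]) -> dict[str, list[str]]:
    """Hosts with at least CHAIN_MIN_STAGES distinct stages inside one CHAIN_WINDOW."""
    by_host: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    chains: dict[str, list[str]] = {}
    for host, fs in by_host.items():
        for i, start in enumerate(fs):  # window anchored at each finding in turn
            stages = {f.stage for f in fs[i:] if f.ts - start.ts <= CHAIN_WINDOW}
            if len(stages) >= CHAIN_MIN_STAGES:
                chains[host] = sorted(stages)
                break
    return chains


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f"{f.ts} {f.host} {f.stage}: {f.detail}")
    for host, stages in correlate(found).items():
        print(f"ATTACK CHAIN on {host}: {', '.join(stages)}")
```

Two design points matter in practice. The LSASS rule keys on the access mask rather than on the source process name, because the process name is attacker-controlled while a memory-read right is not; the `0x1000` event on WS07 therefore stays quiet. And a lone account creation on WS07 is not escalated, which is the point of correlating: a help-desk user creating an account is routine, while the same event on a host that also saw an unapproved RMM tool and a Defender exclusion change within the day is the chain this page describes.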
🔒 Pro insight: The speed of Storm-1175's attacks highlights the critical need for timely patch management and proactive security measures against emerging threats.