Zero-day + 24-hour speed: Storm-1175 is changing the ransomware game

Summary of the campaign
A financially motivated hacking group linked to China, Storm-1175, is raising alarms at the highest level by bringing zero-day vulnerability exploitation (rare among ransomware gangs) into the Medusa ransomware ecosystem. Instead of relying on phishing or purchased login credentials, Storm-1175 directly targets web-facing applications and exploits multiple critical vulnerabilities a week before the CVE is publicly disclosed. The campaign has escalated markedly, hitting the healthcare sector and critical infrastructure in the US, UK, and Australia. With a lightning-fast pace (a dwell time of just 5-6 days, and some encryption incidents occurring in under 24 hours), Storm-1175's exploit development capability blurs the line between ordinary cybercrime and government-backed APT groups.
Urgent action: Organizations exposing MFT services, email servers, or RMM systems to the internet need to completely reassess their defense model, because the current "window of exposure" (the grace period defenders used to have before a patch became necessary) is now approximately zero.
Hacker Group Profile
According to Microsoft Threat Intelligence reporting (published in April 2026), Storm-1175 is a financially motivated cybercriminal group originating from China. The group does not develop ransomware itself but has acted as a highly active affiliate of the Medusa Ransomware-as-a-Service (RaaS) platform since at least 2023.
Formation History and Operational Characteristics
The "Storm" prefix is Microsoft's convention for naming emerging threat groups that have not yet been clearly attributed. Although its IP addresses and infrastructure trace back to China, Storm-1175's activity is focused entirely on financial gain through double extortion, without the espionage or political sabotage typically associated with state actors such as the PLA or MSS.
What makes Storm-1175 such a terrifying adversary, however, is its arsenal. A typical RaaS affiliate exploits N-day vulnerabilities (flaws that are already publicly known) or buys credentials on the dark web. Storm-1175, by contrast, is able to operate with zero-day exploits, sophisticated tooling usually held by government-backed hackers. This overlap raises the possibility that Storm-1175 is covertly acquiring capabilities from black-market exploit brokers or receiving unofficial information from China's domestic vulnerability research ecosystem.
Notable attacks
- SimonMed Imaging (January 2025): Targeted one of the largest medical imaging service providers in the U.S. Storm-1175 seized 2 terabytes of sensitive data, exposing the medical records of 1.27 million patients, and demanded $1 million.
- HCRG Care Group (February 2025): Attacked one of the largest private healthcare providers in the UK, stealing 2.3 terabytes of data and demanding $2 million.
- Fortra GoAnywhere zero-day (September 2025): Weaponized the deserialization vulnerability CVE-2025-10035 (CVSS score of 10.0) to breach multiple enterprise MFT systems. Alarmingly, the group exploited it a full week before the vendor released a patch (pre-disclosure).
- University of Mississippi Medical Center (February 2026): Deployed Medusa and completely paralyzed UMMC, the state's main facility with 10,000 employees. The attack caused a 9-day "computer blackout," forcing the center to cancel chemotherapy sessions for cancer patients and revert to handwritten records, before a ransom of $800,000 USD was demanded.
Notable Event Timeline
Storm-1175's zero-day exploitation timeline demonstrates its alarming speed:
Fortra GoAnywhere zero-day (September 2025):
- September 10-11: Storm-1175 launched a widespread attack through CVE-2025-10035 (CVSS 10.0, deserialization).
- September 18: Fortra officially released a patch and confirmed the vulnerability, one week after the attacks began.
SmarterMail zero-day (2026):
- Exploited the authentication bypass CVE-2026-23760, with a 7-10 day delay in the vendor's response after the malware had already infiltrated the organization.
Dwell time: The time from initial access to file encryption with Medusa was typically under 6 days.
Attack sequence
Phase 1: Initial Access (breach via zero-day/N-day exploitation of web-facing services)
Threat intelligence records show that Storm-1175 successfully exploited 16 vulnerabilities across more than 10 different platforms. The targeted services included Microsoft Exchange Server, PaperCut NG/MF, Ivanti Connect Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, and SmarterMail.
| Target Platform | Exploited CVE(s) | Vulnerability Type | Patch Source |
|---|---|---|---|
| Fortra GoAnywhere MFT | CVE-2025-10035 | Zero-day (Deserialization, CVSS 10.0) | Fortra Security Advisories |
| SmarterTools SmarterMail | CVE-2026-23760 | Zero-day (Authentication Bypass) | SmarterMail Release Notes |
| ConnectWise ScreenConnect | CVE-2024-1709 | Authentication Bypass | ConnectWise Security Bulletins |
| Ivanti Connect Secure | CVE-2023-46805, CVE-2024-21887 | Authentication Bypass & Command Injection | Ivanti Security Advisories |
| JetBrains TeamCity | CVE-2024-27198, CVE-2024-27199 | Authentication Bypass | TeamCity Security Blog |
| SimpleHelp | CVE-2024-57726, CVE-2024-57727, CVE-2024-57728 | Remote Code Execution (RCE) | SimpleHelp Releases Center |
| CrushFTP | CVE-2024-4040 | VFS Sandbox Escape / Sensitive File Read | CrushFTP Update Wiki |
| PaperCut NG/MF | CVE-2023-27350 | Unauthenticated RCE | PaperCut Security Bulletin |
| Microsoft Exchange Server | ProxyShell / ProxyNotShell | SSRF/RCE on servers missing earlier patches | MSRC Update Guide |
Storm-1175's breadth of exploitation, spanning file transfer (MFT) servers, email servers, and remote management platforms, shows that the R&D team behind the group scans an enterprise's entire exposed surface rather than focusing on a single fixed vulnerability.
Phase 2: Execution & Persistence
After breaking in, Storm-1175 does not deploy novel malware; it establishes persistence by planting a web shell directly in the exploited application. Notably, the group creates numerous unauthorized user accounts and installs legitimate commercial RMM (Remote Monitoring & Management) tools to maintain access: Atera, Level, N-able, DWAgent, MeshAgent, AnyDesk, and others. This lets its C2 traffic blend into routine network management traffic. The attackers also frequently set up Cloudflare tunnels to disguise reverse shell connections.
Phase 3: Credential Access & Defense Evasion
To harvest credentials, the group combines Mimikatz, direct dumping of LSASS memory via Task Manager, changes to the WDigest registry configuration that force Windows to keep plaintext passwords in memory, and scripts that extract Veeam Backup passwords. It evades EDR by modifying the Windows Firewall to open RDP ports and by adding the directories holding its ransomware tooling to the Microsoft Defender Antivirus exclusion list (so those directories are never scanned).
Phase 4: Exfiltration & Impact
Data is compressed with Bandizip into archive files and uploaded to attacker-controlled cloud storage with Rclone. Once the data is out, Storm-1175 uses PDQ Deploy to push the encryptor across the entire network. The ransomware, gaze.exe, then runs, encrypting the file system with AES-256, appending the .medusa extension, and leaving a ransom demand.
Impact Analysis: Healthcare Industry Crisis
Medusa's grip is inflicting extensive damage on the healthcare sector, where outdated equipment and time-critical care leave little margin:
- SimonMed Imaging network collapse (2TB of data affecting 1.27 million patients, with a ransom demand of $1 million USD).
- HCRG Care Group, an independent healthcare provider in the UK (2.3TB seized, with a ransom demand of $2 million USD).
- University of Mississippi Medical Center (nine days of complete paralysis, cancer clinics halted, with a demand of $800,000).
Triple extortion warning: Medusa pushes victims to the most ruthless extreme. In some cases, victims who had paid for decryption were then contacted by a "third party" claiming to be a Medusa insider, told that the key they received was fake, and coerced into paying again for the "True Decryptor."
MITRE ATT&CK Mapping
- TA0001 Initial Access: T1190 (Exploit Public-Facing Application) via critical 0-day/N-day vulnerabilities.
- TA0003 Persistence: T1505.003 (Web Shell); T1136 (Create Account).
- TA0005 Defense Evasion: T1562.001 (Disable or Modify Tools), excluding the ransomware folder from Windows Defender; T1562.004 (Disable or Modify System Firewall).
- TA0006 Credential Access: T1003.001 (LSASS Memory); T1003.004 (LSA Secrets), cracking the Veeam password.
- TA0011 Command and Control: T1219 (Remote Access Software), misusing Atera/AnyDesk; T1090.006 (Web Service), Cloudflare tunnels.
- TA0010 Exfiltration: T1567.002 (Exfiltration to Cloud Storage) using Rclone.
- TA0040 Impact: T1486 (Data Encrypted for Impact).
Expert opinion
The convergence of nation-state-level zero-day exploit development with the ruthless profit motive of RaaS criminal gangs has produced the biggest nightmare of the past decade. Storm-1175 has exposed a harsh reality: the "window of vulnerability" (the grace period in which you could wait for the next system patch) has shrunk to zero. When adversaries set their sights on a company's web-facing applications, they pull the trigger a week before the software vendor can send an apology email and publish a CVE. Moreover, if your company has not deliberately removed or locked down the configuration of its remote administration (RMM) tooling, you are indirectly nurturing a ready-made backdoor inside your own secure network.
Recommendation
Immediate (0-24 hours)
Apply emergency-priority patches to all internet-facing applications, focusing on Fortra GoAnywhere MFT, SmarterMail, ConnectWise ScreenConnect, Ivanti Connect Secure, and JetBrains TeamCity.
If a security patch is not yet available: isolate the service, block public access, or shield it behind a Web Application Firewall (WAF) with the strictest rule signatures available to intercept deserialization payloads.
Short-term (1-7 days)
Retune the internal threat hunting mechanism to flag anomalies in RMM activity. If the accounting department's server suddenly installs AnyDesk or the Cloudflare Tunnel client as a background service, treat it as a Level 1 incident.
Monitor events that indicate reads or writes of LSASS.exe memory at the highest priority. Write alert logic for actions that alter the Microsoft Defender Antivirus file exclusion list via PowerShell/CMD.
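A toy hunting routine for the post-exploitation behaviours this post describes (RMM tooling appearing on hosts, Defender exclusions added via PowerShell, WDigest plaintext logon credentials enabled, LSASS memory access, Rclone runs), written as an added example rather than code from the post or from Microsoft. It runs over a constructed list of simplified Sysmon-style events; the event field names, the RMM binary names and the LSASS allowlist are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style sample events (not real telemetry): "process" = process creation,
# "registry" = registry value set, "access" = process access. Field names are assumptions.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "ACCT-SRV01", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe --install --silent"},
    {"kind": "process", "host": "ACCT-SRV01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell -nop -c Add-MpPreference -ExclusionPath C:\\ProgramData\\svc"},
    {"kind": "registry", "host": "FS-02", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential", "value": "1"},
    {"kind": "access", "host": "FS-02", "source": r"C:\Windows\System32\Taskmgr.exe", "target": r"C:\Windows\System32\lsass.exe"},
    {"kind": "access", "host": "FS-02", "source": r"C:\Windows\System32\csrss.exe", "target": r"C:\Windows\System32\lsass.exe"},
    {"kind": "process", "host": "FS-02", "image": r"C:\Users\Public\rclone.exe", "cmdline": "rclone.exe copy D:\\Shares remote:bucket"},
]

# RMM/tunnel tools named in the Execution & Persistence phase; the exact binary names are assumptions.
RMM_TOOLS = {"anydesk.exe", "meshagent.exe", "dwagent.exe", "ateraagent.exe", "cloudflared.exe"}
# Placeholder allowlist of processes that legitimately open LSASS; tune it per environment.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "msmpeng.exe"}
# Add-MpPreference with any exclusion switch is the Defender-exclusion tell described in Phase 3.
DEFENDER_EXCLUSION = re.compile(r"add-mppreference.*-exclusion(path|process|extension)", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased file name from a Windows path

def hunt(events):
    """Return one (host, rule, detail) tuple per event that matches a behaviour from the post."""
    alerts = []
    for e in events:
        host, kind = e["host"], e["kind"]
        if kind == "process":
            name, cmd = basename(e["image"]), e.get("cmdline", "")
            if name in RMM_TOOLS:
                alerts.append((host, "rmm_tool", name))
            if DEFENDER_EXCLUSION.search(cmd):
                alerts.append((host, "defender_exclusion", cmd))
            if name == "rclone.exe":
                alerts.append((host, "rclone_exfil", cmd))
        elif kind == "registry" and e["key"].lower().endswith("wdigest\\uselogoncredential") and e["value"] == "1":
            alerts.append((host, "wdigest_plaintext", e["key"]))  # plaintext creds now kept in LSASS
        elif kind == "access" and basename(e["target"]) == "lsass.exe" and basename(e["source"]) not in LSASS_ALLOWLIST:
            alerts.append((host, "lsass_access", basename(e["source"])))
    return alerts

def triage(events):
    """Distinct rules per host; hosts where several rules fire together go to the top of the isolation list."""
    by_host = defaultdict(set)
    for host, rule, _ in hunt(events):
        by_host[host].add(rule)
    return {h: sorted(r) for h, r in by_host.items()}
```

In production the same rules would be fed from Sysmon or EDR telemetry rather than an inline list, and a host with the WDigest change, LSASS access and an Rclone run in one window should be isolated before the encryptor is pushed.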
Long-term
Adopt a "Zero Trust for the perimeter" architecture. Accept that public-facing servers, even fully patched, can fall to a zero-day exploit at any time. Apply micro-segmentation to isolate compromised web servers and prevent lateral movement into core servers.
Design backup servers and Veeam systems to be completely independent of Domain Controller credentials so that a domain compromise cannot take them down as well. Implement an offline backup test procedure specifically for crisis situations.
Reference
https://thehackernews.com/2026/04/china-linked-storm-1175-exploits-zero.html