Home > Blog > Storm-1175 Exploits Zero-Day Vulnerabilities in Rapid Ransomware Attacks
News

Storm-1175 Exploits Zero-Day Vulnerabilities in Rapid Ransomware Attacks

By whois-secure April 11, 2026 1 views

Introduction

In early April 2026, Microsoft identified a series of rapid and sophisticated ransomware attacks orchestrated by a financially motivated threat actor known as Storm-1175. This group has been exploiting both zero-day and n-day vulnerabilities to infiltrate systems and deploy Medusa ransomware within remarkably short timeframes.

Profile of Storm-1175

Storm-1175 is a Chinese-speaking cybercriminal collective that operates independently of state sponsorship. Their primary targets include organizations in the healthcare, education, professional services, and finance sectors across the United States, United Kingdom, and Australia. The group's hallmark is its operational speed, often progressing from initial system access to data exfiltration and ransomware deployment within 24 hours.

Exploitation of Vulnerabilities

Microsoft's investigation revealed that Storm-1175 has exploited over 16 vulnerabilities across 10 different products. Notable among these are:

  • Microsoft Exchange: CVE-2023-21529
  • PaperCut: CVE-2023-27350 and CVE-2023-27351
  • Ivanti Connect Secure and Policy Secure: CVE-2023-46805 and CVE-2024-21887
  • ConnectWise ScreenConnect: CVE-2024-1708 and CVE-2024-1709
  • JetBrains TeamCity: CVE-2024-27198 and CVE-2024-27199
  • SimpleHelp: CVE-2024-57726, CVE-2024-577 ...
  • CrushFTP: CVE-2025-31161
  • SmarterMail: CVE-2025-52691
  • BeyondTrust: CVE-2026-1731

These vulnerabilities are exploited in rapid succession, often before public disclosure, leaving minimal time for organizations to implement patches and defenses.

Attack Methodology

Upon gaining initial access, Storm-1175 employs a variety of tools to establish persistence, move laterally within networks, and evade detection. Their tactics include:

  • Disabling antivirus and endpoint protection systems prior to deploying ransomware.
  • Utilizing legitimate administrative tools to maintain a low profile within the network.
  • Implementing custom scripts to automate data exfiltration and encryption processes.

The group's proficiency in chaining multiple vulnerabilities and their high operational tempo underscore the evolving nature of cyber threats.

Implications for Organizations

The activities of Storm-1175 highlight the critical importance of proactive cybersecurity measures. Organizations are advised to:

  • Regularly update and patch systems to mitigate known vulnerabilities.
  • Implement robust monitoring to detect unusual network activity promptly.
  • Conduct comprehensive security training for staff to recognize and respond to potential threats.

Given the speed and sophistication of these attacks, a proactive and layered defense strategy is essential to safeguard sensitive data and maintain operational integrity.

Conclusion

Storm-1175's rapid exploitation of zero-day vulnerabilities and swift deployment of ransomware represent a significant threat to organizations worldwide. Staying informed about emerging threats and maintaining vigilant cybersecurity practices are paramount in defending against such advanced adversaries.

For more detailed information, refer to the original report by Microsoft: Microsoft flags China-based hackers using ...

Tags: ransomware cyberattack Storm-1175 zero-day vulnerabilities Medusa ransomware
CyberEdge Learning
Level Up Your Cybersecurity Skills
Liked this article? Go deeper with hands-on training, certification prep, and real-world labs at CyberEdge Learning.
Start Free →