
Storm-1175 Exploits Zero-Day Vulnerabilities in Rapid Ransomware Attacks

By whois-secure, April 13, 2026

Introduction

In early April 2026, Microsoft described a series of fast-moving ransomware intrusions by a China-based, financially motivated group it tracks as Storm-1175. The group exploits both zero-day and n-day vulnerabilities in internet-facing products to deploy Medusa ransomware, and in some intrusions has moved from initial access to ransomware deployment in under 24 hours.

Storm-1175: A Profile

Storm-1175 is a non-state-sponsored, financially motivated group that has targeted healthcare, education, professional services, and finance organizations in the United States, United Kingdom, and Australia. What sets its operations apart is speed: it identifies exposed perimeter assets and exploits them before most organizations have finished assessing the relevant advisory.

Exploitation of Vulnerabilities

The group's modus operandi is to combine zero-day exploitation with fast reuse of recently disclosed n-day vulnerabilities. Microsoft attributes more than 16 vulnerabilities across 10 different products to the group, including:

  • Microsoft Exchange (CVE-2023-21529, remote code execution)
  • PaperCut (CVE-2023-27350, authentication bypass leading to remote code execution, and CVE-2023-27351, authentication bypass exposing user information)
  • Ivanti Connect Secure and Policy Secure (CVE-2023-46805, authentication bypass, chained with CVE-2024-21887, command injection)
  • ConnectWise ScreenConnect (CVE-2024 ... )
  • JetBrains TeamCity (CVE ... )
  • SimpleHelp (CVE-202 ... )
  • CrushFTP (CVE-202 ... )
  • SmarterMail (CVE- ... )
  • BeyondTrust (CVE-202 ... )

The group moves on a vulnerability within days of its disclosure, and in the zero-day cases before any patch exists, so organizations that patch on a monthly cycle are routinely compromised before the fix is applied.

Attack Methodology

Upon gaining initial access, Storm-1175 employs a variety of tools to establish persistence, move laterally within networks, and evade detection. Their tactics include:

  • Deploying obfuscated PowerShell scripts
  • Utilizing web shells for remote access
  • Disabling antivirus and endpoint protection systems
  • Executing the Medusa ransomware to encrypt data

The group's high operational tempo compresses the window between disclosure and compromise: defenses that rely on patching alone will not keep up, so post-exploitation activity such as encoded PowerShell, web-shell execution, and endpoint-protection tampering has to be detected as it happens.
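As an added example (not code from Microsoft's report or from the actor), the following Python prototype shows what detecting the behaviours listed above looks like over process-creation telemetry: it flags Base64-encoded PowerShell and decodes it, a web-server worker spawning a shell (how web-shell use appears in process logs), and commands that disable Microsoft Defender. The record layout, the process lists, and the sample events are assumptions constructed for the example.

```python
"""Prototype detections for the post-exploitation behaviour described above.

Added example (not code from Microsoft's report or the threat actor). It runs
over constructed, Sysmon-style process-creation records and flags encoded
PowerShell, a web-server worker spawning a shell (what web-shell use looks like
in process telemetry) and commands that disable Microsoft Defender. Field names
and the process lists are assumptions, not values taken from the report.
"""
import base64
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    parent_image: str
    image: str
    command_line: str

# Web-server worker processes and the shells they should never spawn (assumed lists).
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "java.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# powershell.exe -e / -ec / -enc / -EncodedCommand <Base64 of a UTF-16LE script>
ENCODED_ARG = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

# Commands that disable or remove Microsoft Defender protection.
TAMPER_PATTERNS = [
    re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete)\s+WinDefend\b", re.I),
    re.compile(r"Uninstall-WindowsFeature\s+Windows-Defender", re.I),
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(command_line: str):
    """Return the script behind an -EncodedCommand argument, or None if absent/undecodable."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event: ProcEvent) -> list:
    """Return the sorted detection names that fire on one event ([] if none)."""
    findings = set()
    parent, child = basename(event.parent_image), basename(event.image)
    if parent in WEB_WORKERS and child in SHELLS:
        findings.add("webshell_spawn")
    if child in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(event.command_line)
        if decoded is not None:
            findings.add("encoded_powershell")
            # Tampering is usually hidden inside the encoded payload, so scan it too.
            if any(p.search(decoded) for p in TAMPER_PATTERNS):
                findings.add("defender_tamper")
    if any(p.search(event.command_line) for p in TAMPER_PATTERNS):
        findings.add("defender_tamper")
    return sorted(findings)

def scan(events) -> list:
    """Return (index, findings) for each event that triggers at least one detection."""
    hits = []
    for i, event in enumerate(events):
        findings = classify(event)
        if findings:
            hits.append((i, findings))
    return hits

def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample telemetry, not real logs: a web-shell spawn, an encoded
# Defender-tampering PowerShell command, a benign script run and a service stop.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c whoami"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -enc "
              + encode_powershell("Set-MpPreference -DisableRealtimeMonitoring $true")),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\sc.exe", "sc stop WinDefend"),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, findings)
```

Run it directly to see which of the constructed events fire. The same three checks map onto Sysmon Event ID 1 or Windows Security event 4688 with command-line logging enabled; without the command line in the record, the encoded-command check has nothing to inspect, so enabling that audit setting on servers is the prerequisite for this kind of detection.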

Mitigation Strategies

To defend against such rapid and sophisticated attacks, organizations are advised to:

  • Patch promptly, prioritising internet-facing systems and the products listed above; treat a vulnerability in an exposed product as actively exploited from the day it is published
  • Segment the network so that a compromised perimeter appliance or web server cannot reach domain controllers, backups, or the wider estate directly
  • Log process creation and PowerShell activity on servers and alert on encoded commands, web-server processes spawning shells, and attempts to disable endpoint protection
  • Conduct regular security awareness training for employees
  • Develop and test incident response plans so that containment can start within hours, not days, given the group's speed

By adopting these measures, organizations can bolster their defenses against the evolving tactics of threat actors like Storm-1175.

Conclusion

The emergence of Storm-1175 and their rapid exploitation of vulnerabilities to deploy ransomware highlights the critical importance of timely patching, vigilant monitoring, and comprehensive cybersecurity strategies. Organizations must remain proactive and adaptive to mitigate the risks posed by such advanced threat actors.

For more detailed information, refer to the original report by Microsoft: Microsoft flags China-based hackers using ...

Tags: ransomware Storm-1175 zero-day vulnerabilities cybersecurity Medusa ransomware