{"id":7718,"date":"2026-04-07T10:48:40","date_gmt":"2026-04-07T10:48:40","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7718"},"modified":"2026-04-07T10:48:40","modified_gmt":"2026-04-07T10:48:40","slug":"microsoft-says-medusa-linked-storm-1175-is-speeding-ransomware-attacks","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7718","title":{"rendered":"Microsoft says Medusa-linked Storm-1175 is speeding ransomware attacks"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Microsoft has warned that Storm-1175, a cybercrime group linked to Medusa ransomware, is exploiting vulnerable web-facing systems in fast-moving attacks, at times moving from initial access to data theft and ransomware deployment within 24 hours.<\/p>\n<p>The company said the group has heavily targeted organizations in healthcare, education, professional services, and finance across Australia, the UK, and the US, showing how quickly ransomware affiliates can exploit exposed perimeter systems before defenders patch or even spot the breach.<\/p>\n<p>Microsoft also said Storm-1175 has, in some cases, used <a href=\"https:\/\/www.csoonline.com\/article\/4141519\/zero-day-exploits-hit-enterprises-faster-and-harder.html\">zero-day flaws<\/a> before they were publicly disclosed.<\/p>\n<p>\u201cWhile the threat actor typically uses N-day vulnerabilities, we have also observed Storm-1175 leveraging zero-day exploits, in some cases a full week before public vulnerability disclosure,\u201d Microsoft said in a blog post. \u201cThe threat actor has also been observed chaining together multiple exploits to enable post-compromise activity.\u201d<\/p>\n<p>Microsoft said the group has exploited more than 16 vulnerabilities across widely used enterprise products since 2023 and, in several cases, chained exploits to establish persistence, steal credentials, tamper with security tools, and speed ransomware deployment.<\/p>\n<p>\u201cWhat we\u2019re seeing here is the death of the traditional \u2018dwell time\u2019 narrative,\u201d said <a href=\"https:\/\/my.idc.com\/getdoc.jsp?containerId=PRF005665\" target=\"_blank\" rel=\"noopener\">Sakshi Grover<\/a>, senior research manager for security services at IDC Asia Pacific. \u201cThis is no longer about attackers sitting quietly in the network. It is about speed and disciplined execution. Storm-1175 is operating like a well-oiled pipeline. Initial access, escalation, lateral movement, exfiltration, and ransomware deployment, all compressed into a day. Most enterprises are simply not built for that pace.\u201d<\/p>\n<p>Grover said the bigger weakness for many organizations is not detection but response. She said many companies still take too long to isolate affected systems and revoke access, which gives attackers more time to move through networks before teams can contain them.<\/p>\n<p>Cybersecurity analyst <a href=\"https:\/\/www.linkedin.com\/in\/sunilvarkey1\/\" target=\"_blank\" rel=\"noopener\">Sunil Varkey<\/a> said the shift to faster <a href=\"https:\/\/www.csoonline.com\/article\/3838121\/the-dirty-dozen-12-worst-ransomware-groups-active-today.html\">ransomware operations<\/a> means traditional detection-and-response models that assume multi-day or week-long dwell times are no longer sufficient, especially when companies remain slow to patch internet-exposed assets and contain lateral movement after initial access.<\/p>\n<p>\u201cThe most effective response is a proactive strategy centered on aggressive attack surface reduction, prioritizing rapid remediation of vulnerabilities and misconfigurations on all web-facing and critical systems, combined with strong network segmentation and isolation,\u201d Varkey said.<\/p>\n<h2 class=\"wp-block-heading\">Where enterprises lag<\/h2>\n<p>Many enterprises still lack a real-time view of what is exposed to the internet, said <a href=\"https:\/\/greyhoundresearch.com\/svg\/\" target=\"_blank\" rel=\"noopener\">Sanchit Vir Gogia<\/a>, chief analyst at Greyhound Research. He called this a basic weakness in how companies manage cyber risk.<\/p>\n<p>\u201cThe way attack surface management is run today still reflects an older mindset,\u201d Gogia said. \u201cDiscover assets, scan them, prioritize issues, schedule fixes. It is orderly and logical, but not fast enough. Environments are changing all the time. Systems are spun up for projects, opened to the internet for convenience, and then left behind. Over time, these become invisible to central teams, even though they remain visible to attackers.\u201d<\/p>\n<p>Gogia said the problem is compounded by fragmented ownership. Internet-facing systems often cut across different teams, blurring accountability and slowing the response when risks emerge.<\/p>\n<p>Storm-1175 appears to be exploiting exactly that gap. Its rapid shifts between vulnerabilities and use of chained exploits suggest attackers are taking advantage of enterprises that lack an up-to-date view of their external exposure.<\/p>\n<p><a href=\"https:\/\/confidis.co\/about\/our-leadership-team\/\" target=\"_blank\" rel=\"noopener\">Keith Prabhu<\/a>, founder and CEO of Confidis, said the widespread use of open-source libraries and other components that need constant tracking and patching makes the job even harder.<\/p>\n<p>\u201cA smart attacker like Storm-1175 can quickly fingerprint such systems and develop custom attacks chaining multiple exploits,\u201d Prabhu said. \u201cEfficient patch management of this complex technology stack is the biggest weakness in enterprise attack surface management today, especially for internet-exposed systems.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Microsoft has warned that Storm-1175, a cybercrime group linked to Medusa ransomware, is exploiting vulnerable web-facing systems in fast-moving attacks, at times moving from initial access to data theft and ransomware deployment within 24 hours. The company said the group has heavily targeted organizations in healthcare, education, professional services, and finance across Australia, the UK, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7719,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7718","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7718"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7718"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7718\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7719"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7718"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7718"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7718"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}