Security News

Cybersecurity news aggregator

INFO News Dark Reading

Storm-1175 Deploys Medusa Ransomware at 'High Velocity'


Microsoft says the financially motivated cybercrime group has exploited N-day and zero-day vulnerabilities in campaigns predicated on speed.

Rob Wright, Senior News Director, Dark Reading
April 7, 2026, 4 Min Read

Storm-1175 actors are running up-tempo campaigns to deliver Medusa ransomware, putting pressure on organizations to patch critical vulnerabilities faster.

In a blog post on Monday, Microsoft Threat Intelligence detailed how Storm-1175, a financially motivated cybercrime group, is conducting "high velocity ransomware campaigns" that typically exploit known vulnerabilities in the sweet spot for threat actors: the time between a vulnerability's initial disclosure and the widespread adoption of the patch. Microsoft also tied the exploitation of several zero-day vulnerabilities to the group.

Storm-1175's playbook appears to be predicated on speed. Attackers move quickly from vulnerability exploitation to data exfiltration and, finally, delivery of Medusa ransomware, "often within a few days and, in some cases, within 24 hours," according to Microsoft.

"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States," the blog post stated.

The rapid pace of these attacks is the latest example of threat actors outpacing the typical response time for organizations to patch critical flaws.
Sherrod DeGrippo, general manager of threat intelligence at Microsoft, tells Dark Reading that given Storm-1175's operational speed, "patches should be prioritized immediately upon release."

Storm-1175's Exploitation of N-Days and Zero-Days

Microsoft noted that Storm-1175 has rapidly exploited more than a dozen known vulnerabilities, or N-days, the most recent of which is CVE-2026-1731, a critical remote code execution flaw in BeyondTrust Remote Support and older versions of the vendor's Privileged Remote Access (PRA). The vulnerability was initially disclosed Feb. 6 and quickly came under attack, with the Cybersecurity and Infrastructure Security Agency (CISA) adding it to the Known Exploited Vulnerabilities (KEV) catalog a week later.

Other notable flaws exploited by Storm-1175 include CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP's file transfer software that also sparked a public disclosure dispute last spring; CVE-2024-27198, another critical authentication bypass flaw, this time affecting JetBrains' TeamCity and seeing mass exploitation just days after public disclosure in March 2024; and CVE-2023-21529, one of three Microsoft Exchange vulnerabilities disclosed in the Patch Tuesday release for February 2023 (exploitation activity for CVE-2023-21529 was not confirmed prior to Monday's blog post).

Microsoft also connected a few zero-day vulnerabilities to Storm-1175 attacks. The most recent example is CVE-2026-23760, a critical authentication bypass vulnerability in SmarterMail that was exploited by various threat groups, including the China-linked Storm-2603. Additionally, Storm-1175 weaponized CVE-2025-10035, a maximum-severity flaw in GoAnywhere Managed File Transfer's (MFT) License Servlet. Microsoft noted that both CVEs were exploited about a week before public disclosure.
"While these more recent attacks demonstrate an evolved development capability or new access to resources like exploit brokers for Storm-1175, it is worth noting that GoAnywhere MFT has previously been targeted by ransomware attackers, and that the SmarterMail vulnerability was reportedly similar to a previously disclosed flaw," the blog post stated. "These factors may have helped to facilitate subsequent zero-day exploitation activity by Storm-1175, who still primarily leverages N-day vulnerabilities."

Security Solutions Tampering

Microsoft Threat Intelligence detailed other facets of Storm-1175's campaigns, such as the use of remote monitoring and management (RMM) software for lateral movement, Impacket for credential dumping, and the command-line tool Rclone for data exfiltration.

One notable technique that the software giant highlighted was the group's ability to tamper with security solutions, namely Microsoft Defender Antivirus. The blog post noted that the threat actors modified the program's settings stored in the Windows registry, allowing Medusa payloads to execute.

Microsoft noted that such tampering requires an attacker to first obtain access to highly privileged accounts, which makes the credential dumping phase of Storm-1175's attack chain critical. "For this reason, prioritizing alerts related to credential theft activity, which typically indicate an active attacker in the environment, is essential to responding to ransomware signals and preventing attackers from gaining privileged account access," Microsoft Threat Intelligence wrote in the blog post.

DeGrippo says the tampering activity prevents the security program from scanning the targeted system's C drive and allows Medusa payloads to run without any alerts.
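The following PowerShell audit is an added example, not code from the article or from Microsoft's blog post. It checks a host for the Defender conditions the article describes (tamper protection off, a whole-drive exclusion) and for the DisableLocalAdminMerge policy value the mitigation guidance recommends; it assumes a Windows host with the Defender cmdlets available and an elevated session.

```powershell
# Added audit example; not part of the Dark Reading article or Microsoft's post.
# Assumes Windows with the Defender module (Get-MpComputerStatus, Get-MpPreference)
# and an elevated PowerShell session.
function Get-DefenderTamperingFindings {
    $findings = @()
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Tamper protection blocks local changes to Defender settings, including
    # registry edits of the kind the article attributes to Storm-1175.
    if (-not $status.IsTamperProtected) {
        $findings += 'Tamper protection is OFF; enable it across the tenant.'
    }
    if (-not $status.RealTimeProtectionEnabled -or $pref.DisableRealtimeMonitoring) {
        $findings += 'Real-time protection is disabled.'
    }

    # Policy value behind "Configure local administrator merge behavior for lists".
    # 1 means exclusions added by local administrators are ignored.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $merge = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).DisableLocalAdminMerge
    if ($merge -ne 1) {
        $findings += 'DisableLocalAdminMerge is not 1; local admins can add AV exclusions.'
    }

    # A whole-drive exclusion (e.g. C:\) matches the "cannot scan the C drive"
    # condition described in the article.
    foreach ($path in @($pref.ExclusionPath) | Where-Object { $_ }) {
        if ($path -match '^[A-Za-z]:\\?$') {
            $findings += "Whole-drive exclusion present: $path"
        }
    }

    # Exclusions written directly to the registry (bypassing the cmdlets) also
    # show up here; list them so they can be compared with the policy baseline.
    $regExcl = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
    $item = Get-ItemProperty -Path $regExcl -ErrorAction SilentlyContinue
    if ($item) {
        $item.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $findings += "Registry exclusion path: $($_.Name)" }
    }
    return $findings
}

$f = Get-DefenderTamperingFindings
if ($f.Count -eq 0) { 'No tampering indicators found.' } else { $f }
```

Run it from an endpoint-management job or a response playbook and treat any non-empty result on a perimeter-facing server as a trigger to review credential-theft alerts from the same host.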
To mitigate the threat, organizations should enable Windows Defender Antivirus' tamper protection features across the tenant and take advantage of the "DisableLocalAdminMerge" setting, which prevents threat actors from using local administrator privileges to set antivirus exclusions.

Additionally, Microsoft recommended that organizations isolate Web-facing systems from the public Internet, and place any servers that must be publicly accessible behind a Web application firewall, proxy server, or DMZ. The company also urged customers to implement Windows' Credential Guard, a security feature that protects credentials stored in process memory.

About the Author

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.