What is the Attack?

Microsoft Threat Intelligence has identified Storm-1175, a financially motivated threat actor conducting high-tempo ransomware operations leveraging the Medusa ransomware variant. The group specializes in rapidly exploiting vulnerable web-facing systems, often weaponizing newly disclosed vulnerabilities (N-days) and even zero-days before public disclosure.

Source: Storm-1175 | Medusa ransomware operations | Microsoft Security Blog

A defining characteristic of this campaign is speed: attackers can move from initial access to full ransomware deployment within 24 hours, significantly reducing detection and response windows.

• Observed targeting includes:
  Healthcare
  Education
  Financial services
  Professional services
• Primary regions impacted:
  United States
  United Kingdom
  Australia

What is the recommended Mitigation?

• Patch immediately: Prioritize newly disclosed vulnerabilities affecting internet-facing systems
• Reduce attack surface: Restrict or isolate exposed services and admin interfaces
• Monitor RMM usage: Detect abnormal use of tools like AnyDesk, ScreenConnect, or similar
• Harden identity security: Enforce MFA and monitor for anomalous account creation
• Enhance detection: Focus on early indicators such as unusual authentication, privilege escalation, and data movement

What FortiGuard Coverage is available?

• FortiGuard IPS Service: Detects and blocks exploit attempts targeting vulnerable web-facing assets.
• FortiGuard Antivirus & Behavior Detection: Identifies Medusa ransomware and suspicious post-exploitation activity.
• FortiGuard Labs Threat Intelligence: Continuously tracks Storm-1175 activity, emerging CVEs, and IOCs.
• FortiGuard Incident Response: Provides rapid containment, forensic investigation, and recovery support for impacted organizations.
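The two detection items in the mitigation list, abnormal RMM tool use and anomalous account creation, are more useful when correlated than when alerted on separately: an RMM binary appearing on a server that has no business running one, followed shortly by a new local account on that same host, is the early post-exploitation pattern the advisory wants caught before encryption. The rule below is an added example written for this page, not code from Fortinet or Microsoft. The RMM process names, the approved-host baseline, the one-hour correlation window and the sample events (shaped like Windows Security log 4688 process-creation and 4720 account-created records) are all assumptions or constructed data, not observed telemetry.

```python
from datetime import datetime, timedelta

# Assumed RMM client binaries to watch; extend with whatever your fleet tolerates.
RMM_BINARIES = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}

# Assumed baseline: hosts where interactive RMM use is sanctioned.
APPROVED_RMM_HOSTS = {"helpdesk-01"}

# Constructed sample events (not real telemetry). 4688 = process creation,
# 4720 = user account created, in a simplified Windows Security log shape.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:00", "host": "helpdesk-01", "event_id": 4688,
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "user": "helpdesk"},
    {"ts": "2025-01-10T22:14:00", "host": "web-dmz-02", "event_id": 4688,
     "image": r"C:\Windows\Temp\AnyDesk.exe", "user": "SYSTEM"},
    {"ts": "2025-01-10T22:31:00", "host": "web-dmz-02", "event_id": 4720,
     "target_user": "svc_backup2", "user": "SYSTEM"},
    {"ts": "2025-01-11T08:00:00", "host": "fileserver-01", "event_id": 4720,
     "target_user": "jdoe", "user": "hr-admin"},
]


def parse_ts(value):
    """ISO-8601 timestamp string -> datetime."""
    return datetime.fromisoformat(value)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, approved_hosts=APPROVED_RMM_HOSTS,
           rmm_binaries=RMM_BINARIES, window=timedelta(hours=1)):
    """Return alerts for RMM use on unapproved hosts and for account creation,
    escalating the latter when it follows RMM execution on the same host
    within `window`. Events are processed in timestamp order."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    rmm_seen = {}  # host -> timestamps of unapproved RMM executions

    for e in ordered:
        t = parse_ts(e["ts"])
        if e["event_id"] == 4688 and basename(e["image"]) in rmm_binaries:
            if e["host"] in approved_hosts:
                continue  # sanctioned helpdesk use, not worth an alert
            rmm_seen.setdefault(e["host"], []).append(t)
            alerts.append({"severity": "medium", "host": e["host"], "ts": e["ts"],
                           "rule": "rmm_on_unapproved_host", "detail": e["image"]})
        elif e["event_id"] == 4720:
            # Did an unapproved RMM tool run on this host inside the window?
            recent = [r for r in rmm_seen.get(e["host"], []) if t - r <= window]
            if recent:
                alerts.append({"severity": "high", "host": e["host"], "ts": e["ts"],
                               "rule": "account_created_after_rmm",
                               "detail": e["target_user"]})
            else:
                # Account creation alone is noisy; surface it at low severity.
                alerts.append({"severity": "low", "host": e["host"], "ts": e["ts"],
                               "rule": "account_created", "detail": e["target_user"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["severity"]:6} {a["host"]:14} {a["rule"]} ({a["detail"]})')
```

Run against the constructed events, the sanctioned AnyDesk launch on helpdesk-01 produces nothing, the AnyDesk launch from C:\Windows\Temp on web-dmz-02 produces a medium alert, the svc_backup2 account created seventeen minutes later on that host is escalated to high, and the unrelated account creation on fileserver-01 is recorded at low severity for review. The window is deliberately short because the advisory's point is that this actor compresses the whole intrusion into a day; widen it only if your environment's own RMM and provisioning cadence justifies it.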
The financially motivated threat actor Storm-1175 conducts rapid Medusa ransomware operations by exploiting newly disclosed or zero-day vulnerabilities in web-facing systems, moving from initial access to full deployment within 24 hours. Primary mitigation requires immediate patching of internet-facing systems, reducing the attack surface, and monitoring for abnormal RMM tool usage and identity anomalies. FortiGuard provides coverage through IPS signatures, antivirus detection, and threat intelligence tracking of this campaign.