Ethical Hacking News
A new phase of ransomware attacks has emerged with the rise of Storm-1175, a group known for its lightning-fast exploits and relentless pursuit of financial gain. By targeting exposed systems and moving quickly, they are able to deploy their ransomware payload and achieve their financial goals. In this article, we'll delve into the details of Storm-1175's operations and explore what makes them so effective.
Storm-1175 is a new ransomware group that has been making waves with its lightning-fast exploits and relentless pursuit of financial gain. The group targets sectors such as healthcare, education, finance, and services across the US, UK, and Australia. Storm-1175 exploits newly disclosed vulnerabilities in web-facing systems to gain access to exposed networks. The group has been observed exploiting over 16 vulnerabilities, including zero-day flaws before public disclosure. They use a combination of exploitation, web shells, remote tools, and legitimate RMM tools to spread across networks and deploy ransomware. Storm-1175's speed and focus on unpatched systems allow them to deploy their ransomware payload quickly, often within days or hours.
In recent months, a new player has emerged in the ransomware attack scene, leaving a trail of destruction and chaos in its wake. Dubbed "Storm-1175," this group has been making waves with its lightning-fast exploits and relentless pursuit of financial gain. As we delve into the details of their operations, it becomes clear that Storm-1175 is no ordinary ransomware crew.
According to recent reports, Storm-1175 exploits newly disclosed vulnerabilities in web-facing systems to gain access to exposed networks. The group targets sectors such as healthcare, education, finance, and services across the US, UK, and Australia, making it a formidable force to be reckoned with. Its modus operandi is straightforward: move quickly from initial access to data theft and Medusa ransomware deployment, sometimes within 24 hours.
Microsoft researchers have been closely tracking Storm-1175's activities since 2023, when the group first began targeting platforms such as Microsoft Exchange, Ivanti, ConnectWise, JetBrains, and others. Since then, they have observed exploitation of over 16 vulnerabilities, including CVE-2026-1731 (BeyondTrust), CVE-2023-21529 (Microsoft Exchange), CVE-2023-27351 and CVE-2023-27350 (PaperCut), CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure and Policy Secure), CVE-2024-1709 and CVE-2024-1708 (ConnectWise ScreenConnect), CVE-2024-27198 and CVE-2024-27199 (JetBrains TeamCity), CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 (SimpleHelp), and CVE-2025-31161 (CrushFTP).
These vulnerabilities are often exploited within days of disclosure, sometimes within a single day, before organizations have applied patches. This is where Storm-1175's speed and focus on unpatched systems come into play: by targeting exposed systems and moving quickly, the group is able to deploy its ransomware payload and achieve its financial goals.
But what sets Storm-1175 apart from other ransomware groups? According to Microsoft researchers, it's their ability to chain multiple exploits to gain deeper access to systems. They can move laterally using remote tools, steal credentials, and weaken security defenses with ease. Their tactics are highly effective, making them a force to be reckoned with in the world of cybercrime.
The attackers also use zero-day flaws before public disclosure, demonstrating advanced capabilities. By exploiting these vulnerabilities, they are able to bypass traditional security measures and gain access to sensitive data.
Beyond the initial exploits, Storm-1175 has been observed using web shells or remote tools to create admin accounts and move laterally within networks. The group can deploy ransomware in as little as one day, highlighting its speed and efficiency.
The group's modus operandi is not limited to exploiting vulnerabilities. They also use legitimate RMM tools and software such as PDQ Deployer and Impacket to spread across networks. This allows them to maintain a low profile while still achieving their financial goals.
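As an added defensive example (not code from the article or from Microsoft's report), the following Python script scans constructed process-creation records for the two behaviours described above: a web server worker process spawning a shell that adds or elevates a local account, and execution of deployment or Impacket-style lateral-movement tooling. The process names, tool names and log format are assumptions chosen for illustration.

```python
"""Flag web-shell style post-exploitation in process-creation telemetry.
The log lines below are constructed for this example, not real telemetry."""
import re
from collections import namedtuple

Event = namedtuple("Event", "host parent image cmdline")

# Web server workers that should not be spawning shells (assumed names).
WEB_WORKERS = {"w3wp.exe", "httpd", "nginx", "tomcat", "java"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
# Local account creation or group elevation via net.exe.
ACCOUNT_RE = re.compile(r"net\s+(user|localgroup)\s+.*\s/add\b", re.I)
# PDQ Deploy runner and Impacket example-script names (assumed).
DEPLOY_TOOLS = {"pdqdeployrunner", "psexec", "wmiexec", "smbexec", "atexec"}

def parse_line(line):
    """Parse one 'key=value|key=value' process-creation record."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return Event(fields["host"], fields["parent"].lower(),
                 fields["image"].lower(), fields["cmdline"])

def classify(ev):
    """Return alert labels for a single event (empty list = benign)."""
    alerts = []
    if ev.parent in WEB_WORKERS and ev.image in SHELLS:
        alerts.append("webshell_shell_spawn")
        if ACCOUNT_RE.search(ev.cmdline):
            alerts.append("webshell_account_add")
    stem = ev.image.rsplit(".", 1)[0]
    if stem in DEPLOY_TOOLS or any(t in ev.cmdline.lower() for t in DEPLOY_TOOLS):
        alerts.append("deployment_tool_exec")
    return alerts

def scan(lines):
    """Map host -> sorted unique alert labels across all events."""
    hits = {}
    for line in lines:
        ev = parse_line(line)
        for label in classify(ev):
            hits.setdefault(ev.host, set()).add(label)
    return {h: sorted(labels) for h, labels in hits.items()}

SAMPLE_LOG = [  # constructed events
    "host=web01|parent=w3wp.exe|image=cmd.exe|cmdline=cmd.exe /c net user svc_backup P@ss /add",
    "host=web01|parent=w3wp.exe|image=cmd.exe|cmdline=cmd.exe /c net localgroup administrators svc_backup /add",
    "host=web01|parent=w3wp.exe|image=cmd.exe|cmdline=cmd.exe /c whoami",
    "host=app02|parent=services.exe|image=PDQDeployRunner.exe|cmdline=PDQDeployRunner.exe -id 7",
    "host=fs03|parent=explorer.exe|image=notepad.exe|cmdline=notepad.exe report.txt",
]

if __name__ == "__main__":
    for host, alerts in scan(SAMPLE_LOG).items():
        print(host, alerts)
```

The deployment-tool rule will also fire on legitimate administrator use of PDQ Deploy, so in practice it should be correlated with the web-shell alerts or with unexpected source hosts rather than acted on alone.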
In conclusion, Storm-1175 is a force to be reckoned with in the world of cybercrime. Their lightning-fast exploits, relentless pursuit of financial gain, and ability to chain multiple exploits make them a formidable opponent for security professionals. As we continue to see the rise of these types of attacks, it's essential that organizations prioritize patching and take proactive measures to protect themselves against these threats.
Related Information:
https://www.ethicalhackingnews.com/articles/A-New-Phase-of-Ransomware-Attacks-The-Rise-of-Storm-1175-ehn.shtml
https://securityaffairs.com/190440/cyber-crime/fast-moving-storm-1175-uses-new-exploits-to-breach-networks-and-drop-medusa.html
https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
https://www.csoonline.com/article/4154934/microsoft-says-medusa-linked-storm-1175-is-speeding-ransomware-attacks.html
https://nvd.nist.gov/vuln/detail/CVE-2023-21529
https://www.cvedetails.com/cve/CVE-2023-21529/
https://nvd.nist.gov/vuln/detail/CVE-2023-27351
https://www.cvedetails.com/cve/CVE-2023-27351/
https://nvd.nist.gov/vuln/detail/CVE-2023-27350
https://www.cvedetails.com/cve/CVE-2023-27350/
https://nvd.nist.gov/vuln/detail/CVE-2024-21887
https://www.cvedetails.com/cve/CVE-2024-21887/
https://nvd.nist.gov/vuln/detail/CVE-2024-1709
https://www.cvedetails.com/cve/CVE-2024-1709/
https://nvd.nist.gov/vuln/detail/CVE-2024-1708
https://www.cvedetails.com/cve/CVE-2024-1708/
https://nvd.nist.gov/vuln/detail/CVE-2024-27198
https://www.cvedetails.com/cve/CVE-2024-27198/
https://nvd.nist.gov/vuln/detail/CVE-2024-27199
https://www.cvedetails.com/cve/CVE-2024-27199/
https://nvd.nist.gov/vuln/detail/CVE-2024-57726
https://www.cvedetails.com/cve/CVE-2024-57726/
https://nvd.nist.gov/vuln/detail/CVE-2024-57727
https://www.cvedetails.com/cve/CVE-2024-57727/
https://nvd.nist.gov/vuln/detail/CVE-2024-57728
https://www.cvedetails.com/cve/CVE-2024-57728/
https://nvd.nist.gov/vuln/detail/CVE-2025-31161
https://www.cvedetails.com/cve/CVE-2025-31161/
Published: Tue Apr 7 10:26:27 2026 by llama3.2 3B Q4_K_M