
Ethical Hacking News

Microsoft Links Medusa Ransomware Affiliate to Zero-Day Attacks in High-Velocity Campaigns



Microsoft has linked a financially motivated cybercrime gang known as Storm-1175 to zero-day attacks, further highlighting the increasing sophistication of ransomware campaigns. The group has been exploiting n-day and zero-day vulnerabilities in high-velocity attacks, targeting healthcare organizations, education, professional services, and finance sectors across Australia, the United Kingdom, and the United States.

To stay ahead of these emerging threats, Microsoft emphasizes the importance of staying vigilant against cyber threats and keeping software up-to-date with the latest security patches. By taking proactive steps to protect their networks and systems, organizations can reduce their risk of falling victim to high-velocity ransomware attacks.

  • Microsoft has linked Storm-1175 to zero-day attacks, highlighting the increasing sophistication of ransomware campaigns.
  • Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware within a few days or 24 hours.
  • The group exploits vulnerabilities in various software products, including Microsoft Exchange and PaperCut.
  • CISA issued a joint advisory warning that the Medusa ransomware gang's attacks had impacted over 300 critical infrastructure organizations.
  • Organizations must maintain robust security measures and stay informed about emerging threats to protect against high-velocity ransomware attacks.



Microsoft has recently linked a financially motivated cybercrime gang known as Storm-1175 to zero-day attacks, further highlighting the increasing sophistication of ransomware campaigns. The group, which has been responsible for deploying Medusa ransomware payloads, has been exploiting n-day and zero-day vulnerabilities in high-velocity attacks.

According to Microsoft, Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours. This rapid pace of operation has proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and the United States.

The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have allowed them to chain multiple exploits to gain persistence on compromised systems. This includes creating new user accounts, deploying remote monitoring and management software, stealing credentials, disabling security software, and finally dropping ransomware payloads.

Microsoft has also observed Storm-1175 operators exploiting vulnerabilities in a range of software products, including Microsoft Exchange (CVE-2023-21529), PaperCut (CVE-2023-27351 and CVE-2023-27350), Ivanti Connect Secure and Policy Secure (CVE-2023-46805 and CVE-2024-21887), and ConnectWise ScreenConnect (CVE-2024-1709 and CVE-2024-1708). Additionally, the group has exploited vulnerabilities in JetBrains TeamCity (CVE-2024-27198 and CVE-2024-27199), SimpleHelp (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728), CrushFTP (CVE-2025-31161), SmarterMail (CVE-2025-52691), and BeyondTrust (CVE-2026-1731).

CISA issued a joint advisory with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) in March 2025, warning that the Medusa ransomware gang's attacks had impacted over 300 critical infrastructure organizations across the United States. In July 2024, Microsoft also linked the Storm-1175 threat group, along with three other cybercrime gangs, to Black Basta and Akira ransomware attacks that exploited a VMware ESXi authentication-bypass flaw.

The recent discovery of Storm-1175's involvement in zero-day attacks highlights the ongoing evolution of ransomware campaigns. As attackers continue to develop new tactics and exploit previously unpatched vulnerabilities, it is essential for organizations to maintain robust security measures and stay informed about emerging threats.

In light of this development, Microsoft has emphasized the importance of staying vigilant against cyber threats and keeping software up-to-date with the latest security patches. By taking proactive steps to protect their networks and systems, organizations can reduce their risk of falling victim to high-velocity ransomware attacks.

The rise of Storm-1175 and its associates serves as a stark reminder of the complex and ever-changing nature of cybersecurity threats. As we move forward in this rapidly evolving landscape, it is crucial that we prioritize awareness, education, and collaboration among organizations, governments, and individuals to combat the growing menace of ransomware attacks.
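Because the article stresses how quickly the chain above runs (new accounts, RMM software, credential theft, disabled security tooling, all within days), a detection that correlates those stages per host inside a short window is more useful than alerting on any one of them. The following is an added example written for this page, not code from the article or from Microsoft; the log format, the host names and the stage labels are constructed, and a real deployment would map its own EDR or SIEM event types onto those stages.

```python
from datetime import datetime, timedelta

# Stages of the post-exploitation chain described in the article. A real
# deployment maps its own telemetry onto these names (assumption: one event
# type per stage, e.g. an account-creation audit event -> "account_created").
STAGES = ("account_created", "rmm_installed", "credentials_dumped", "security_disabled")

# Constructed sample telemetry, one "<ISO timestamp> <host> <stage>" per line.
SAMPLE_LOG = """\
2026-04-01T02:10:00 web-01 account_created
2026-04-01T02:25:00 web-01 rmm_installed
2026-04-01T03:40:00 web-01 security_disabled
2026-03-20T09:00:00 fs-02 account_created
2026-03-28T11:00:00 fs-02 rmm_installed
"""


def parse_log(text):
    """Parse the constructed format into sorted (ts, host, stage) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in STAGES:
            continue
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
        except ValueError:
            continue
    return sorted(events)


def find_chained_hosts(events, window_hours=72, min_stages=3):
    """Return {host: [stages]} for hosts showing at least min_stages distinct
    chain stages inside some sliding window of window_hours."""
    by_host = {}
    for ts, host, stage in events:
        by_host.setdefault(host, []).append((ts, stage))
    hits = {}
    for host, evs in by_host.items():
        for i, (start, _) in enumerate(evs):
            deadline = start + timedelta(hours=window_hours)
            seen = {stage for ts, stage in evs[i:] if ts <= deadline}
            if len(seen) >= min_stages:
                hits[host] = [s for s in STAGES if s in seen]  # report in chain order
                break
    return hits


if __name__ == "__main__":
    for host, stages in find_chained_hosts(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {' -> '.join(stages)}")
```

On the sample data only web-01 fires, because its three stages fall inside 90 minutes, while fs-02's two events are eight days apart and fewer than three stages; tune the window and threshold to the tempo your environment's normal admin work exhibits.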



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Microsoft-Links-Medusa-Ransomware-Affiliate-to-Zero-Day-Attacks-in-High-Velocity-Campaigns-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/microsoft-links-medusa-ransomware-affiliate-to-zero-day-attacks/

  • https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/

  • https://nvd.nist.gov/vuln/detail/CVE-2023-21529

  • https://www.cvedetails.com/cve/CVE-2023-21529/

  • https://nvd.nist.gov/vuln/detail/CVE-2023-27351

  • https://www.cvedetails.com/cve/CVE-2023-27351/

  • https://nvd.nist.gov/vuln/detail/CVE-2023-27350

  • https://www.cvedetails.com/cve/CVE-2023-27350/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-21887

  • https://www.cvedetails.com/cve/CVE-2024-21887/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-1709

  • https://www.cvedetails.com/cve/CVE-2024-1709/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-1708

  • https://www.cvedetails.com/cve/CVE-2024-1708/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-27198

  • https://www.cvedetails.com/cve/CVE-2024-27198/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-27199

  • https://www.cvedetails.com/cve/CVE-2024-27199/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-57726

  • https://www.cvedetails.com/cve/CVE-2024-57726/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-57727

  • https://www.cvedetails.com/cve/CVE-2024-57727/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-57728

  • https://www.cvedetails.com/cve/CVE-2024-57728/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-52691

  • https://www.cvedetails.com/cve/CVE-2025-52691/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-1731

  • https://www.cvedetails.com/cve/CVE-2026-1731/

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a

  • https://dailysecurityreview.com/resources/threat-actors-resources/black-basta-ransomware-the-black-hand-of-dark-web/

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a

  • https://en.wikipedia.org/wiki/Akira_(ransomware)

  • https://thehackernews.com/2025/10/microsoft-links-storm-1175-to.html


  • Published: Mon Apr 6 12:59:37 2026 by llama3.2 3B Q4_K_M
