Microsoft Links Medusa Ransomware Affiliate to Zero-Day and N-Day Exploits in Rapid Attacks


What happened

Microsoft said Storm-1175, a China-based financially motivated threat group known for deploying Medusa ransomware, has been using both zero-day and n-day vulnerabilities in high-velocity attacks. The company said the group rapidly moves from initial access to data exfiltration and ransomware deployment, often within a few days and sometimes within 24 hours. It also said the attackers quickly pivot to newly disclosed flaws, in some cases weaponizing them within a day and, in at least one case, exploiting a flaw more than a week before a patch was released. In recent campaigns, Storm-1175 was observed creating new user accounts, deploying remote monitoring and management tools, stealing credentials, disabling security software, and then dropping Medusa ransomware. 

Who is affected

Direct exposure is concentrated in organizations with internet-facing perimeter systems running software targeted by Storm-1175. Microsoft said recent intrusions heavily impacted healthcare organizations, as well as victims in education, professional services, and finance across Australia, the United Kingdom, and the United States. The group has recently exploited more than 16 vulnerabilities across 10 software products, including GoAnywhere MFT, SmarterMail, Microsoft Exchange, PaperCut, Ivanti Connect Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, and BeyondTrust. 

Why CISOs should care

This matters because the group is combining speed, exploit agility, and post-compromise tradecraft in a way that compresses defenders’ response time. Microsoft said Storm-1175 has exploited flaws before patches were released and has also moved quickly on newly disclosed issues, showing a pattern of aggressive perimeter targeting. The activity also reinforces the operational risk of exposed edge systems, especially when attackers can chain multiple exploits, establish persistence, disable defenses, and move to ransomware deployment in a very short window. 

3 practical actions

  1. Prioritize exposed perimeter assets: Review and patch internet-facing systems first, especially products and versions associated with the exploit activity described in the report. 
  2. Treat rapid exploitation as a live risk: Adjust remediation timelines for newly disclosed flaws where external exposure exists, since Microsoft said the group can weaponize some vulnerabilities within a day. 
  3. Hunt for post-exploitation behavior before encryption: Investigate for newly created user accounts, remote management tool deployment, credential theft activity, and attempts to disable security controls, because those steps were part of the observed intrusion chain. 
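The third action is the one most teams can operationalize quickly, because the observed chain (new account, RMM tool, credential theft, defenses disabled) leaves ordinary Windows event log traces. The script below is an added example, not code from Microsoft's report, that correlates those four stages per host inside a 24-hour window over a constructed set of flattened SIEM events. The Event IDs are the standard Windows ones (4720 account created, 7045 service installed, 4688 process created, Defender provider 5001 real-time protection disabled); the RMM and credential-dump marker lists and the sample events are assumptions for illustration and should be tuned to what is actually sanctioned in your environment.

```python
"""Hunt for the Storm-1175-style post-exploitation chain in Windows event logs.

Added example (not from Microsoft's report). Flags a host when at least
`min_stages` distinct stages land within `window` of the earliest one.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watchlists, not from the page: substrings matched case-insensitively
# against service image paths and process command lines.
RMM_MARKERS = ("screenconnect", "anydesk", "simplehelp", "atera", "splashtop")
CRED_DUMP_MARKERS = ("procdump", "mimikatz", "lsass", "comsvcs.dll")
WINDOW = timedelta(hours=24)

# Constructed sample events (not real telemetry), shaped like a flattened SIEM export.
# Note: 4688 only carries the command line if "Include command line in process
# creation events" auditing is enabled; without it the procdump match would miss.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T02:10:00", "host": "EXCH01", "id": 4720,
     "detail": "TargetUserName=svc_backup2"},
    {"ts": "2025-03-01T02:14:30", "host": "EXCH01", "id": 7045,
     "detail": "ImagePath=C:\\ProgramData\\sc\\ScreenConnect.ClientService.exe"},
    {"ts": "2025-03-01T02:20:05", "host": "EXCH01", "id": 4688,
     "detail": "NewProcessName=C:\\Windows\\Temp\\procdump64.exe -ma lsass.exe"},
    {"ts": "2025-03-01T02:25:40", "host": "EXCH01", "id": 5001,
     "detail": "Real-time protection disabled",
     "provider": "Microsoft-Windows-Windows Defender"},
    # Benign noise on another host: an admin creates an account and a backup
    # agent service is installed; neither is an RMM marker, so no alert.
    {"ts": "2025-03-01T09:00:00", "host": "FS02", "id": 4720,
     "detail": "TargetUserName=jdoe"},
    {"ts": "2025-03-01T09:05:00", "host": "FS02", "id": 7045,
     "detail": "ImagePath=C:\\Program Files\\Backup\\agent.exe"},
]


def classify(event):
    """Map one raw event to a tradecraft stage name, or None if it is noise."""
    eid = event["id"]
    detail = event.get("detail", "").lower()
    if eid == 4720:
        return "account_created"
    if eid == 7045 and any(m in detail for m in RMM_MARKERS):
        return "rmm_installed"
    if eid == 4688 and any(m in detail for m in CRED_DUMP_MARKERS):
        return "credential_theft"
    if eid == 5001 and "defender" in event.get("provider", "").lower():
        return "defenses_disabled"
    return None


def hunt(events, window=WINDOW, min_stages=3):
    """Return {host: sorted stage names} for hosts where at least `min_stages`
    distinct stages occur within `window` of some earlier matching event."""
    per_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    hits = {}
    for host, items in per_host.items():
        items.sort()  # chronological, so each start index anchors a sliding window
        for i, (t0, _) in enumerate(items):
            stages = {s for t, s in items[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                hits[host] = sorted(stages)
                break
    return hits


if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Requiring three of the four stages rather than any single one keeps a lone account creation from paging the on-call engineer, while still catching the chain before the encryption step, which is the point of hunting early. Lower `min_stages` to 1 or 2 on the hosts named in the exposure list above, where tolerance for noise should be lower.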
