Microsoft researchers say the threat cluster tracked as Storm-1175 is carrying out fast-moving ransomware intrusions by exploiting newly disclosed vulnerabilities before organizations can patch them. The activity is notable for its speed: in some cases, the group has moved from initial access to data theft and Medusa ransomware deployment within 24 hours.
According to the report, Storm-1175 focuses on exposed, internet-facing systems and uses that foothold to progress quickly through a network. Microsoft says the group has been observed targeting organizations in healthcare, education, finance, and services across the US, UK, and Australia. Its campaigns are financially motivated and designed to maximize impact before defenders can react.
Rapid exploitation of newly disclosed flaws
Microsoft states that Storm-1175 rapidly weaponizes recently disclosed vulnerabilities to obtain initial access. Since 2023, the group has exploited more than 16 vulnerabilities across a range of platforms, including Microsoft Exchange, Ivanti, ConnectWise, JetBrains, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, and BeyondTrust.
The report says the threat actor often acts within days of disclosure, and sometimes as quickly as one day, before patches are widely applied. In some cases, the group has also used zero-day flaws before public disclosure, indicating advanced capability and close attention to newly emerging attack surfaces.
How Storm-1175 expands access inside victim networks
After gaining entry, Storm-1175 does not stop at a single compromised host. Microsoft says the group chains multiple exploits when needed to obtain deeper access, including remote code execution in some intrusions. The attackers have targeted both Windows and Linux environments.
Once inside, the group installs web shells or remote tools, creates administrative accounts, and moves laterally across the environment. Microsoft says Storm-1175 has used tools and techniques such as PowerShell, PsExec, RDP, Cloudflare tunnels, PDQ Deployer, and Impacket to spread through networks.
- Initial access through newly disclosed vulnerabilities
- Web shells or remote tools for persistence
- New admin accounts for privileged control
- Lateral movement with PowerShell, PsExec, RDP, and tunnels
- Credential theft using Impacket and Mimikatz
- Data theft before ransomware deployment
Credential theft, defense tampering, and data exfiltration
The report describes a post-compromise workflow focused on privilege escalation, credential theft, and defensive evasion. Microsoft says the attackers target LSASS and use Mimikatz and Impacket to steal credentials. The group has also enabled WDigest caching to capture passwords and extracted credentials from backups after obtaining admin access.
Storm-1175 then pivots to domain controllers to access Active Directory and system data. Microsoft reports that the group weakens security by modifying Microsoft Defender Antivirus settings in the registry and adding exclusions so ransomware can run without being blocked. The attackers also use Rclone and file compression to steal data from the environment before the final ransomware step.
Microsoft emphasizes that the Defender changes require highly privileged access. The company says that prioritizing alerts tied to credential theft is critical because those alerts can indicate an active attacker already operating in the environment and attempting to gain the privileges needed for ransomware deployment.
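The post-compromise signals listed above (new admin accounts, WDigest caching, LSASS access, Defender registry tampering and exclusions, Rclone staging) and the prioritization advice in this section can be turned into triage logic. The following is an added example written for this page, not code from Microsoft's report or any of the tools it names: it runs a small rule set over constructed Windows Security and Sysmon-style event records (the field names, hosts, users, paths and timestamps are all made up), ranks the resulting alerts, escalates when any credential-theft signal is present, and reports the time span the alerts cover. The `DisableAntiSpyware` value is used only as one example of a Defender setting; `7z.exe` and `winrar.exe` are assumed examples of the "file compression" the report mentions.

```python
"""Added example: triage constructed Windows/Sysmon-style events for the
post-compromise signals attributed to Storm-1175 and escalate on credential theft."""
from collections import Counter
from datetime import datetime

# Constructed sample events (not from Microsoft's report). Field names loosely
# mirror Security log (4720/4732) and Sysmon (1/10/13) events; a real feed
# would come from a SIEM. Hosts, users, paths and timestamps are fictional.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T01:05:00Z", "host": "web01", "event_id": 4720,
     "user": "svc_update", "actor": "IIS APPPOOL\\DefaultAppPool"},
    {"ts": "2024-05-01T01:05:30Z", "host": "web01", "event_id": 4732,
     "user": "svc_update", "group": "Administrators"},
    {"ts": "2024-05-01T01:20:00Z", "host": "web01", "event_id": 13,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "details": "DWORD (0x00000001)"},
    {"ts": "2024-05-01T02:00:00Z", "host": "fs02", "event_id": 10,
     "source_image": r"C:\ProgramData\m.exe", "target_image": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2024-05-01T03:00:00Z", "host": "fs02", "event_id": 13,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData",
     "details": "DWORD (0x00000000)"},
    {"ts": "2024-05-01T04:30:00Z", "host": "fs02", "event_id": 1,
     "image": r"C:\ProgramData\rclone.exe",
     "cmdline": "rclone.exe copy C:\\shares\\finance remote:bucket"},
    {"ts": "2024-05-01T04:35:00Z", "host": "fs02", "event_id": 1,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},  # benign
]

# Rclone is named in the report; 7z/winrar are assumed stand-ins for "file compression".
EXFIL_TOOLS = {"rclone.exe", "7z.exe", "winrar.exe"}
SEVERITY = {"critical": 3, "high": 2, "medium": 1}


def reg_dword(details):
    """Parse a Sysmon-style 'DWORD (0x00000001)' details string; None if not a DWORD."""
    if not details.startswith("DWORD (0x"):
        return None
    return int(details[len("DWORD ("):-1], 16)


def classify(ev):
    """Map one event to (severity, category, summary), or None if not of interest."""
    eid, host = ev.get("event_id"), ev.get("host", "?")
    if eid == 4720:
        return ("medium", "account-creation",
                f"{host}: account {ev['user']} created by {ev['actor']}")
    if eid == 4732 and ev.get("group") == "Administrators":
        return ("high", "privilege:admin-group-add",
                f"{host}: {ev['user']} added to Administrators")
    if eid == 13:
        target, value = ev.get("target", ""), reg_dword(ev.get("details", ""))
        if target.endswith(r"\SecurityProviders\WDigest\UseLogonCredential") and value == 1:
            return ("critical", "credential-theft:wdigest-caching-enabled",
                    f"{host}: {target} set to 1")
        if "\\Windows Defender\\Exclusions\\" in target:
            excluded = target.split("\\Exclusions\\", 1)[1]
            return ("high", "defense-evasion:defender-exclusion",
                    f"{host}: Defender exclusion added: {excluded}")
        if target.endswith(r"\Windows Defender\DisableAntiSpyware") and value == 1:
            return ("high", "defense-evasion:defender-disabled", f"{host}: {target} set to 1")
    if eid == 10 and ev.get("target_image", "").lower().endswith("\\lsass.exe"):
        return ("critical", "credential-theft:lsass-access",
                f"{host}: {ev['source_image']} opened lsass.exe")
    if eid == 1:
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if image in EXFIL_TOOLS:
            return ("high", "exfiltration:staging-tool",
                    f"{host}: {image} run: {ev.get('cmdline', '')}")
    return None


def triage(events):
    """Return alerts (most severe first), an escalation flag, per-host counts and
    the hours spanned: the report's point is that all of this can fit in one day."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            sev, cat, summary = hit
            alerts.append({"ts": ev["ts"], "host": ev["host"], "severity": sev,
                           "category": cat, "summary": summary})
    alerts.sort(key=lambda a: (-SEVERITY[a["severity"]], a["ts"]))
    # Credential-theft alerts get priority: they usually mean the intruder is
    # already inside and working toward the privileges needed to deploy ransomware.
    escalate = any(a["category"].startswith("credential-theft:") for a in alerts)
    times = [datetime.fromisoformat(a["ts"].replace("Z", "+00:00")) for a in alerts]
    span_hours = (max(times) - min(times)).total_seconds() / 3600 if times else 0.0
    return {"alerts": alerts, "escalate": escalate,
            "hosts": Counter(a["host"] for a in alerts), "span_hours": span_hours}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for a in result["alerts"]:
        print(f"[{a['severity']:8}] {a['ts']} {a['category']}: {a['summary']}")
    print(f"escalate={result['escalate']} hosts={dict(result['hosts'])} "
          f"span={result['span_hours']:.1f}h")
```

On the constructed input the two credential-theft findings sort to the top, the exclusion and Rclone findings follow, and the whole chain spans under four hours, which is the shape of activity the report says warrants immediate response rather than queued review.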
Medusa ransomware deployed with speed
After completing reconnaissance, credential theft, lateral movement, and exfiltration, Storm-1175 deploys Medusa ransomware across the network. Microsoft says this can be done through tools such as PDQ Deployer or Group Policy, allowing the attackers to encrypt systems quickly once they have established control.
The speed of these operations is a defining feature of the campaign. Microsoft says the group can move from access to ransomware deployment in as little as one day, making unpatched systems especially vulnerable. The report also notes that Microsoft has provided indicators of compromise along with mitigation and protection guidance.
What defenders should take from the report
The underlying cause of these attacks is not a single product failure, but the combination of exposed systems, delayed patching, and rapid exploitation of newly disclosed vulnerabilities. Microsoft’s findings show that the window between disclosure and real-world abuse can be very short, leaving little time for organizations to respond if they are not already prepared.
For defenders, the report reinforces the need to watch for credential theft activity, monitor for unusual account creation and lateral movement, and respond quickly to alerts involving web-facing systems. Microsoft’s guidance also highlights the importance of reducing the opportunities attackers have to disable protections or move quietly through a network.
Storm-1175’s campaigns show how quickly a threat actor can turn a fresh vulnerability into a full ransomware incident. With rapid patching, strong monitoring, and attention to early credential-theft signals, organizations can reduce the chance of a fast compromise.