A China-linked threat actor tracked as Storm-1175 is running high-velocity ransomware campaigns against internet-facing systems across healthcare, education, professional services, and finance organizations in Australia, the United Kingdom, and the United States. Microsoft Threat Intelligence published its findings on April 6, 2026, detailing how the group weaponizes recently disclosed vulnerabilities at exceptional speed to deploy Medusa ransomware, often within 24 hours of gaining initial access.
Speed Is the Weapon
Storm-1175’s defining characteristic is its operational tempo. The group systematically targets the window between vulnerability disclosure and patch adoption, exploiting newly published flaws before most organizations have had time to apply fixes. In one documented case, the group exploited CVE-2025-31324 in SAP NetWeaver the day after it was publicly disclosed. Microsoft has observed Storm-1175 exploiting more than 16 vulnerabilities since 2023 across products including Microsoft Exchange, Ivanti Connect Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, and BeyondTrust.
The group has also demonstrated zero-day capability. Both CVE-2025-10035 in Fortra GoAnywhere MFT and CVE-2026-23760 in SmarterTools SmarterMail were exploited by Storm-1175 a full week before public disclosure, indicating either independent vulnerability research or access to exploit broker resources.
From Foothold to Ransomware in Under 24 Hours
Once inside a network, Storm-1175 moves quickly. The group establishes persistence by creating new administrator accounts, then deploys a rotation of remote monitoring and management tools including AnyDesk, SimpleHelp, MeshAgent, ConnectWise ScreenConnect, and Atera for lateral movement and command-and-control. Cloudflare tunnels renamed to mimic legitimate binaries like conhost.exe are used to move laterally over RDP. Where RDP is blocked, the group modifies Windows Firewall policies directly to enable it.
Credential theft follows using Impacket and Mimikatz, with privileged access then used to reach domain controllers and extract the NTDS.dit Active Directory database for offline cracking. Storm-1175 has also been observed recovering passwords from Veeam backup software to expand access to connected systems. Before dropping the ransomware payload, the group tampers with Microsoft Defender Antivirus by modifying registry settings and adding C:\ to antivirus exclusion paths to prevent detection.
Data exfiltration precedes encryption. Storm-1175 uses Bandizip to stage collected files and Rclone to transfer them to attacker-controlled cloud infrastructure, enabling double extortion via Medusa’s leak site. The ransomware itself is typically deployed network-wide using PDQ Deployer or, in some cases, via a malicious Group Policy update.
Healthcare Takes the Hardest Hit
Microsoft specifically called out healthcare as the most heavily impacted sector in recent Storm-1175 intrusions. The combination of high-value patient data, aging perimeter infrastructure, and pressure to maintain uptime makes healthcare organizations particularly attractive targets for ransomware groups operating at this tempo. Education and professional services organizations have also faced significant impact across the three targeted countries.
Mitigation
Microsoft recommends that organizations prioritize patching internet-facing systems immediately upon disclosure, deploy web application firewalls or reverse proxies in front of public-facing servers, enable tamper protection to prevent antivirus modification, and implement attack surface reduction rules targeting credential theft and lateral movement via PsExec and WMI. The full technical breakdown, IOC list, and Microsoft Defender detection guidance are available in Microsoft's published report.
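As an added example, not taken from Microsoft's report, the following PowerShell audit checks a single Windows host for the post-compromise changes described above: a drive-root Defender exclusion, disabled tamper protection or real-time monitoring, enabled Remote Desktop firewall rules, and the current local Administrators membership. It assumes an elevated session on an English-locale host where the Defender and NetSecurity modules are present (the 'Remote Desktop' display group name is locale-specific).

```powershell
# Host audit for Storm-1175-style tampering (added example, not Microsoft's code).
# Assumes: elevated PowerShell, Defender + NetSecurity modules, English locale.
$findings = @()

# 1. Overly broad Defender exclusions: the report describes C:\ being added
#    to the exclusion paths. Flag any exclusion that is a bare drive root.
$pref = Get-MpPreference
foreach ($path in @($pref.ExclusionPath)) {
    if ($path -match '^[A-Za-z]:\\?$') {
        $findings += "Drive-root antivirus exclusion present: $path"
    }
}

# 2. Tamper protection and real-time monitoring: Microsoft recommends
#    tamper protection specifically to block the registry changes described.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected) {
    $findings += "Defender tamper protection is disabled"
}
if ($pref.DisableRealtimeMonitoring) {
    $findings += "Defender real-time monitoring is disabled"
}

# 3. Firewall: enabled Remote Desktop rules on a host where RDP is expected
#    to be blocked may indicate the firewall policy was modified to allow it.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
    -ErrorAction SilentlyContinue
if ($rdpRules) {
    $findings += "Enabled 'Remote Desktop' firewall rules: $(($rdpRules.Name) -join ', ')"
}

# 4. Persistence via new administrator accounts: list local Administrators
#    membership so it can be compared against a known-good baseline.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name
$findings += "Local Administrators members: $($admins -join ', ')"

$findings | ForEach-Object { Write-Output "[!] $_" }
```

Run it from an endpoint management tool or scheduled task and forward the output to your SIEM; the Administrators line is informational and should be diffed against the host's baseline rather than treated as an alert on its own.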