Storm-1175 is deploying Medusa ransomware within hours of vulnerability disclosures, targeting organizations across multiple countries and exploiting unpatched systems, highlighting a sharp rise in the speed and coordination of cyberattacks.

Storm-1175 Deploys Medusa Ransomware Within Hours of Flaw Disclosure

The420 Correspondent
3 Min Read

A fast-moving cybercriminal group identified as Storm-1175 has been deploying Medusa ransomware attacks within hours of vulnerability disclosures, targeting organizations across healthcare and education sectors in the United Kingdom, the United States, and Australia, according to Microsoft researchers.

Exploiting Vulnerabilities Within Hours

Researchers said the group has significantly shortened the window between vulnerability disclosure and active exploitation, often completing attacks in as little as 24 hours. Storm-1175 focuses on N-day vulnerabilities: publicly known security flaws that affected organizations have not yet patched.


In a recent case involving SAP NetWeaver, the flaw, tracked as CVE-2025-31324, was disclosed on April 24, 2025. By April 25, attackers were already using it to launch Medusa ransomware operations. The rapid pace of exploitation has led to disruptions across schools, law firms, and hospitals in multiple countries.

Microsoft noted that the group targets vulnerable perimeter systems that connect corporate networks directly to the public internet and have not yet received security updates.

Tools and Techniques Behind the Attacks

Further investigation found that Storm-1175 has exploited more than 16 different vulnerabilities since 2023, including flaws in software such as PaperCut and JetBrains TeamCity. Researchers also observed the use of zero-day exploits, including an attack on a service called SmarterMail in early 2026, reportedly carried out before the vulnerability was publicly known.

Once inside a network, the group uses commonly available remote-access tools such as AnyDesk and ConnectWise ScreenConnect to move laterally without detection. It also uses PDQ Deploy to push ransomware across systems, while tools like Rclone and Bandizip are used to package and exfiltrate data.

Escalating Threat and Defensive Challenges

Storm-1175 has demonstrated the ability to bypass security controls by modifying antivirus settings. After gaining access, attackers use elevated permissions to exclude specific system drives from antivirus scanning, allowing ransomware to operate without interruption.

Security experts warn that the group’s speed and coordination represent a shift in cyberattack methods, with operations progressing from initial access to data exfiltration within hours rather than days. The activity highlights a growing gap between the pace of attackers and the ability of organizations to validate and update their defenses.

Experts have advised businesses to accelerate patching processes and adopt security features such as tamper protection to prevent attackers from disabling antivirus systems. The findings underscore the need for continuous monitoring and real-time validation of defenses to counter increasingly rapid ransomware campaigns.
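The two defensive points above, drive-wide antivirus exclusions and tamper protection, can be audited on a Windows host with a short script. The following is an added example, not code from the article or from Microsoft; it assumes Microsoft Defender Antivirus (the article only says "antivirus") and uses the standard Get-MpPreference, Get-MpComputerStatus and Get-WinEvent cmdlets.

```powershell
# Added example (not from the article): audit a Windows host for the two
# weaknesses the article describes - drive-wide antivirus exclusions and
# disabled tamper protection. Assumes Microsoft Defender Antivirus.
#Requires -RunAsAdministrator

function Test-DriveRootExclusion {
    param([string]$Path)
    # True for an exclusion that is a bare drive root such as C:\ or D:
    # (with or without trailing backslash), or a wildcard covering a whole drive.
    return $Path -match '^[A-Za-z]:\\?\*?$'
}

$findings = @()

# 1. Exclusions that remove an entire drive from scanning
$pref = Get-MpPreference
foreach ($ex in @($pref.ExclusionPath)) {
    if ($ex -and (Test-DriveRootExclusion $ex)) {
        $findings += [pscustomobject]@{
            Check  = 'DriveRootExclusion'
            Detail = "Exclusion covers an entire drive: $ex"
        }
    }
}

# 2. Tamper protection status
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected) {
    $findings += [pscustomobject]@{
        Check  = 'TamperProtection'
        Detail = 'Tamper protection is disabled; an attacker with admin rights can change AV settings'
    }
}

# 3. Recent configuration changes: event ID 5007 in the Defender operational
#    log records settings changes, including exclusions being added.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    if ($e.Message -match 'Exclusions') {
        $findings += [pscustomobject]@{
            Check  = 'RecentExclusionChange'
            Detail = "$($e.TimeCreated): $($e.Message -replace '\s+', ' ')"
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated PowerShell session; any DriveRootExclusion or TamperProtection finding corresponds directly to the evasion technique described in the article.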
