CRITICAL | Ransomware | Global

Microsoft says Medusa-linked Storm-1175 is speeding ransomware attacks

Tuesday, April 7, 2026 at 10:48 AM UTC · Source: CSO Online

Updated: Tuesday, April 7, 2026 at 10:49 AM UTC

Executive Summary

Microsoft has warned that Storm-1175, a cybercrime group linked to Medusa ransomware, is exploiting vulnerable web-facing systems in fast-moving attacks, at times moving from initial access to data theft and ransomware deployment within 24 hours. The company said the group has heavily targeted organizations in healthcare, education, professional services, and finance across Australia, the UK, and the US.

Analysis

Microsoft has warned that Storm-1175, a cybercrime group linked to Medusa ransomware, is exploiting vulnerable web-facing systems in fast-moving attacks, at times moving from initial access to data theft and ransomware deployment within 24 hours. The company said the group has heavily targeted organizations in healthcare, education, professional services, and finance across Australia, the UK, and the US, showing how quickly ransomware affiliates can exploit exposed perimeter systems before defenders patch or even spot the breach.

Microsoft also said Storm-1175 has, in some cases, used zero-day flaws before they were publicly disclosed. “While the threat actor typically uses N-day vulnerabilities, we have also observed Storm-1175 leveraging zero-day exploits, in some cases a full week before public vulnerability disclosure,” Microsoft said in a blog post. “The threat actor has also been observed chaining together multiple exploits to enable post-compromise activity.”

Microsoft said the group has exploited more than 16 vulnerabilities across widely used enterprise products since 2023 and, in several cases, chained exploits to establish persistence, steal credentials, tamper with security tools, and speed ransomware deployment.

“What we’re seeing here is the death of the traditional ‘dwell time’ narrative,” said Sakshi Grover, senior research manager for security services at IDC Asia Pacific. “This is no longer about attackers sitting quietly in the network. It is about speed and disciplined execution. Storm-1175 is operating like a well-oiled pipeline. Initial access, escalation, lateral movement, exfiltration, and ransomware deployment, all compressed into a day. Most enterprises are simply not built for that pace.”

Grover said the bigger weakness for many organizations is not detection but response. She said many companies still take too long to isolate affected systems and revoke access, which gives attackers more time to move through networks before teams can contain them.

Cybersecurity analyst Sunil Varkey said the shift to faster ransomware operations means traditional detection-and-response models that assume multi-day or week-long dwell times are no longer sufficient, especially when companies remain slow to patch internet-exposed assets and contain lateral movement after initial access.

“The most effective response is a proactive strategy centered on aggressive attack surface reduction, prioritizing rapid remediation of vulnerabilities and misconfigurations on all web-facing and critical systems, combined with strong network segmentation and isolation,” Varkey said.

Where enterprises lag

Many enterprises still lack a real-time view of what is exposed to the internet, said Sanchit Vir Gogia, chief analyst at Greyhound Research. He called this a basic weakness in how companies manage cyber risk.

“The way attack surface management is run today still reflects an older mindset,” Gogia said. “Discover assets, scan them, prioritize issues, schedule fixes. It is orderly and logical, but not fast enough. Environments are changing all the time. Systems are spun up for projects, opened to the internet for convenience, and then left behind. Over time, these become invisible to central teams, even though they remain visible to attackers.”

Gogia said the problem is compounded by fragmented ownership. Internet-facing systems often cut across different teams, blurring accountability and slowing the response when risks emerge. Storm-1175 appears to be exploiting exactly that gap. Its rapid shifts between vulnerabilities and use of chained exploits suggest attackers are taking advantage of enterprises that lack an up-to-date view of their external exposure.

Keith Prabhu, founder and CEO of Confidis, said the widespread use of open-source libraries and other components that need constant tracking and patching makes the job even harder. “A smart attacker like Storm-1175 can quickly fingerprint such systems and develop custom attacks chaining multiple exploits,” Prabhu said. “Efficient patch management of this complex technology stack is the biggest weakness in enterprise attack surface management today, especially for internet-exposed systems.”

Source Attribution

Originally published by CSO Online on Apr 7, 2026.
