Storm-1175 attack chain | Image: Microsoft
A new report from Microsoft Threat Intelligence sheds light on Storm-1175, a financially motivated threat actor that has mastered the art of the high-velocity strike. By weaponizing newly disclosed vulnerabilities before organizations can patch them, this group can move from initial breach to full-scale ransomware deployment in less than a day.
Storm-1175’s success is built on speed. The group specifically targets vulnerable, web-facing systems during the critical period between a vulnerability’s public disclosure and its widespread patching. While they typically rely on “N-day” vulnerabilities, they aren’t afraid to use even fresher tools.
As Microsoft researchers observed:
“While the threat actor typically uses N-day vulnerabilities, we have also observed Storm-1175 leveraging zero-day exploits, in some cases a full week before public vulnerability disclosure.”
This aggressive approach has allowed the group to hit high-value targets across the healthcare, education, and finance sectors in the United States, United Kingdom, and Australia.
Since 2023, Microsoft Threat Intelligence has observed exploitation of over 16 vulnerabilities, including:
- CVE-2023-21529 (Microsoft Exchange)
- CVE-2023-27351 and CVE-2023-27350 (Papercut)
- CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure and Policy Secure)
- CVE-2024-1709 and CVE-2024-1708 (ConnectWise ScreenConnect)
- CVE-2024-27198 and CVE-2024-27199 (JetBrains TeamCity)
- CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 (SimpleHelp)
- CVE-2025-31161 (CrushFTP)
- CVE-2025-10035 (GoAnywhere MFT)
- CVE-2025-52691 and CVE-2026-23760 (SmarterMail)
- CVE-2026-1731 (BeyondTrust)
Once Storm-1175 gains a foothold, they don’t linger. The group follows a highly optimized execution chain designed to exfiltrate data and lock down systems before defenders can react. In many cases, the entire lifecycle of the attack—from first entry to the appearance of a ransom note—occurs within 24 to 72 hours.
The attack follows a rapid progression:
- Initial Access: Exploiting unpatched perimeter assets or chaining multiple vulnerabilities.
- Persistence & Movement: Creating new user accounts and deploying remote monitoring and management (RMM) software to move laterally through the network.
- Defense Evasion: Using local administrator privileges to set antivirus exclusions, effectively “blinding” security solutions.
Storm-1175 is a primary affiliate for Medusa ransomware. Like other modern Ransomware-as-a-Service (RaaS) operations, they utilize a “double extortion” model. They don’t just encrypt the victim’s files; they steal them first and threaten to release them on a dedicated leak site.
To handle the massive amount of data being stolen, the group uses professional-grade synchronization tools like Rclone. These tools allow for “continuous exfiltration throughout all stages of the attack without needing attacker interaction.”
When it comes time to pull the trigger, Storm-1175 often uses PDQ Deployer to launch a script (RunFileCopy.cmd) that distributes the Medusa payload across the network. In more advanced cases, they have been seen using hijacked administrative privileges to create a Group Policy update, deploying the ransomware to every machine in the domain simultaneously.
The velocity of these campaigns makes traditional reactive security insufficient. Microsoft highlights that defenders must focus on proactive hardening to break the Storm-1175 attack chain:
- Rapid Patching: Prioritize web-facing assets as soon as security updates are released.
- Tamper Protection: Combine tamper protection with the DisableLocalAdminMerge setting. This “prevents attackers from using local administrator privileges to set antivirus exclusions,” stopping them from creating a safe haven for their payloads.
- Monitor Data Sync Tools: Flag the unauthorized use of data synchronization tools like Rclone or compression utilities like Bandizip, which are staples of the group’s exfiltration process.
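The stages and tooling above, turned into a simple correlation rule: this is an added example (not code from Microsoft's report or this site) that maps constructed endpoint events to chain stages and flags any host showing two or more distinct stages within one window, which is the compressed timeline that distinguishes this actor from isolated admin activity. The executable names and the event-dict shape are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tools and scripts the report ties to each stage. Exact binary names are an
# assumption for this example; the report names the tools, not the files.
TOOL_STAGES = {
    "rclone.exe": "exfiltration",
    "bandizip.exe": "exfiltration",
    "runfilecopy.cmd": "deployment",
}

def stage_of(event):
    """Map one endpoint event (a dict) to a Storm-1175 stage, or None."""
    kind = event["kind"]
    if kind == "user_created":       # new account used for persistence
        return "persistence"
    if kind == "exclusion_added":    # AV exclusion set with local admin rights
        return "defense_evasion"
    if kind == "process":
        name = event["image"].rsplit("\\", 1)[-1].lower()
        return TOOL_STAGES.get(name)
    return None

def correlate(events, window=timedelta(hours=72), min_stages=2):
    """Return {host: sorted stages} for hosts where at least min_stages
    distinct stages occur within one window; a lone hit does not alert."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = stage_of(ev)
        if stage:
            by_host[ev["host"]].append((ev["time"], stage))
    alerts = {}
    for host, hits in by_host.items():
        for i, (t0, _) in enumerate(hits):
            seen = {s for t, s in hits[i:] if t - t0 <= window}
            if len(seen) >= min_stages:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample telemetry, not real incident data.
T = datetime(2025, 1, 10, 2, 0)
SAMPLE = [
    {"host": "web01", "time": T, "kind": "user_created", "user": "svc_backup"},
    {"host": "web01", "time": T + timedelta(hours=1), "kind": "exclusion_added", "path": "C:\\ProgramData\\x"},
    {"host": "web01", "time": T + timedelta(hours=5), "kind": "process", "image": "C:\\Tools\\rclone.exe"},
    {"host": "fs02", "time": T + timedelta(hours=9), "kind": "process", "image": "C:\\Temp\\RunFileCopy.cmd"},
    {"host": "dev03", "time": T, "kind": "process", "image": "C:\\Program Files\\Bandizip\\Bandizip.exe"},
    {"host": "dev03", "time": T + timedelta(days=5), "kind": "user_created", "user": "intern"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE))  # only web01 trips the 72-hour rule
```

dev03 shows two stages five days apart and stays silent under the default window, which is the trade-off to tune against your own dwell-time data.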