Ransomware on the run: how Storm-1175 hit hospitals, schools and businesses in less than 24 hours

Introduction

Ransomware cyberattacks represent one of the most concrete threats today for organizations across every sector, from healthcare services to educational institutions. When a criminal group manages to exploit unpatched vulnerabilities in enterprise software, the consequences can be swift and devastating. This is what emerges from a recent Microsoft analysis that tracked the activities of a group known as Storm-1175.

What happened

Microsoft Threat Intelligence has linked Storm-1175, a China-based criminal group with primarily financial motivations, to a series of ransomware campaigns conducted with unusual speed. The group operates as an affiliate of Medusa, a well-known ransomware program used by multiple criminal actors.

Storm-1175 exploited so-called “zero-day” vulnerabilities (flaws for which no patch was yet available) and “n-day” vulnerabilities (flaws for which a patch existed but had not been applied) in widely used software. Specifically, applications such as SmarterMail and GoAnywhere MFT were targeted, tools used by many organizations to manage email and secure file transfers.

The attacks targeted systems directly exposed to the Internet, meaning they could be reached from outside the organization without first bypassing other defenses, across sectors such as healthcare, education, professional services, and finance. The countries identified so far are Australia, the United Kingdom, and the United States.

The most concerning element is the speed: from initial system access to data exfiltration and ransomware deployment, the group often completed the entire attack chain within just 24 hours. This is an extremely short timeframe that leaves targeted organizations very little room to detect the intrusion and respond.

Why it matters

The speed at which Storm-1175 operates makes it particularly difficult for companies to detect the intrusion in time to stop it. Once the ransomware is deployed, files are encrypted and data is stolen: at that point, the organization faces a dual pressure — restoring its systems and preventing the publication of the stolen data.

Sectors such as healthcare and education are particularly sensitive targets, as they handle personal information and often have limited resources for cybersecurity.

What companies and users can do

The first priority is to promptly apply security updates to software in use, especially those exposed to the Internet. Organizations should verify they are not running vulnerable versions of the products mentioned in the report and contact their technology vendors for specific guidance. Having active monitoring systems that flag anomalous behavior can make all the difference in the crucial minutes or hours.

Final takeaways

  • Storm-1175 is an active criminal group affiliated with Medusa ransomware, capable of completing an attack in less than 24 hours by exploiting vulnerabilities in common software.
  • The healthcare, education, financial, and professional services sectors in Australia, the United Kingdom, and the United States have been identified as primary targets.
  • Keeping Internet-facing software updated and actively monitoring your own systems remains the most effective and immediate defense.

Sources:
https://www.bleepingcomputer.com/news/security/microsoft-links-medusa-ransomware-affiliate-to-zero-day-attacks/
https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
