Executive Summary
In April 2026, the financially motivated cybercriminal group Storm-1175 launched rapid ransomware attacks targeting healthcare, education, professional services, and finance sectors across Australia, the UK, and the US. Exploiting both zero-day and recently disclosed vulnerabilities, the group moved swiftly from initial access to data exfiltration and deployment of Medusa ransomware, often within 24 hours. Their tactics included creating new user accounts, deploying remote monitoring tools, stealing credentials, and disabling security software to facilitate their operations. (microsoft.com)
This incident underscores the critical need for organizations to promptly patch vulnerabilities and enhance monitoring of web-facing assets. The speed and efficiency of Storm-1175's attacks highlight a growing trend among threat actors to exploit the narrow window between vulnerability disclosure and patch deployment, emphasizing the importance of proactive cybersecurity measures. (darkreading.com)
Why This Matters Now
The rapid exploitation of vulnerabilities by groups like Storm-1175 demonstrates an urgent need for organizations to accelerate their patch management processes and strengthen defenses against swift ransomware attacks. Delays in addressing known vulnerabilities can lead to significant operational disruptions and data breaches.
Attack Path Analysis
Storm-1175 rapidly exploited unpatched, internet-facing systems to gain initial access. They escalated privileges by creating new user accounts and deploying remote monitoring tools. Utilizing these elevated privileges, they moved laterally across the network, deploying additional tools and establishing persistence. The group established command and control channels using legitimate RMM software and web shells. They exfiltrated sensitive data using tools like Rclone before deploying Medusa ransomware to encrypt systems, leading to operational disruption and data extortion.
Kill Chain Progression
Initial Compromise
Description
Storm-1175 exploited unpatched, internet-facing vulnerabilities to gain initial access to target systems.
Related CVEs
CVE-2025-10035
CVSS 9.8A deserialization vulnerability in GoAnywhere MFT's License Servlet allows remote code execution.
Affected Products:
Fortra GoAnywhere MFT – < 7.2.0
Exploit Status:
exploited in the wildCVE-2024-27198
CVSS 9.8An authentication bypass vulnerability in JetBrains TeamCity allows unauthorized administrative actions.
Affected Products:
JetBrains TeamCity – < 2023.11.4
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Phishing
Command and Scripting Interpreter: PowerShell
Windows Management Instrumentation
Boot or Logon Autostart Execution
Impair Defenses: Disable or Modify Tools
Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable security patches
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA Zero Trust Maturity Model 2.0 – Implement strong authentication mechanisms
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Healthcare organizations face critical ransomware exposure through vulnerable remote access systems, requiring immediate patching of CVEs and enhanced segmentation controls.
Higher Education/Acadamia
Educational institutions vulnerable to high-velocity Medusa ransomware attacks exploiting perimeter vulnerabilities, demanding rapid patch deployment and egress security enforcement.
Financial Services
Financial sector targeted by Storm-1175's expedited ransomware campaigns leveraging zero-day exploits, necessitating enhanced threat detection and credential protection measures.
Computer Software/Engineering
Software companies face elevated risk from TeamCity and file transfer vulnerabilities enabling lateral movement, requiring zero trust segmentation and anomaly detection.
Sources
- Storm-1175 Deploys Medusa Ransomware at 'High Velocity'https://www.darkreading.com/threat-intelligence/storm-1175-medusa-ransomware-high-velocityVerified
- Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operationshttps://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/Verified
- Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerabilityhttps://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/Verified
- CVE-2024-27198 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2024-27198Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited Storm-1175's ability to exploit unpatched systems, escalate privileges, move laterally, establish command and control, exfiltrate data, and deploy ransomware, thereby reducing the attack's overall impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Implementing Aviatrix CNSF would likely have constrained the attacker's ability to exploit unpatched systems by enforcing strict access controls and monitoring, thereby reducing the likelihood of initial compromise.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation would likely have restricted the attacker's ability to escalate privileges by enforcing least-privilege access and segmenting workloads, thereby limiting unauthorized administrative actions.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely have limited the attacker's lateral movement by monitoring and controlling internal traffic, thereby reducing the spread of malicious activities.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control would likely have detected and constrained unauthorized command and control channels by providing comprehensive monitoring and control across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely have restricted unauthorized data exfiltration by controlling outbound traffic and enforcing strict egress policies.
Aviatrix Zero Trust CNSF would likely have reduced the attack's impact by limiting the spread of ransomware through segmentation and access controls, thereby containing the blast radius.
Impact at a Glance
Affected Business Functions
- Data Management
- File Transfer Operations
Estimated downtime: 14 days
Estimated loss: $500,000
Sensitive corporate data and client information
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and limit the spread of ransomware.
- • Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing data exfiltration.
- • Deploy Threat Detection & Anomaly Response systems to identify and respond to unusual activities promptly.
- • Utilize Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
- • Regularly update and patch internet-facing systems to close vulnerabilities exploited by attackers.
