Microsoft Threat Intelligence has detailed Storm-1175, a financially motivated cybercrime group that deploys Medusa ransomware in high-velocity campaigns. The group exploits both n-day (already patched but not yet widely applied) and zero-day vulnerabilities, and often completes the full attack chain, from initial exploitation to ransomware delivery, within 24 hours. Targeted sectors include healthcare, education, finance, and professional services across Australia, the UK, and the US. Storm-1175 uses RMM tools for lateral movement, Impacket for credential dumping, and Rclone for data exfiltration. A notable tactic is tampering with Microsoft Defender Antivirus registry settings so that Medusa payloads can execute undetected; Defender's tamper protection exists precisely to block that kind of change, which is why Microsoft lists it first among its recommendations. Microsoft also recommends isolating web-facing systems, implementing Credential Guard, and applying patches as soon as they are released.
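The following PowerShell audit is an added example for this summary, not code from Microsoft's report. It checks, on a single Windows host, the controls the report calls out: whether tamper protection and real-time protection are on, whether the Defender policy registry values that switch protection off have been set, whether broad Defender exclusions have been added, and whether Credential Guard is running. The page does not say which registry values Storm-1175 modified, so the specific keys and exclusion patterns checked here are an assumption based on the standard Defender policy values that disable protection. Run it in an elevated PowerShell session.

```powershell
# Added audit script (not from the Microsoft report or this page). Checks the
# Defender settings that registry tampering typically targets, plus tamper
# protection and Credential Guard state. Run as administrator.
# Assumption: the page does not name the values Storm-1175 changed; the keys
# below are the standard Defender policy values that disable protection.

$findings = @()

# 1. Live Defender state and tamper protection (Get-MpComputerStatus is built in)
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected)        { $findings += 'Tamper protection is OFF' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is OFF' }
if (-not $status.AntivirusEnabled)          { $findings += 'Defender Antivirus is disabled' }

# 2. Policy registry values that turn Defender features off. A non-zero DWORD
#    disables the named protection; none of these should be set on a healthy host.
$rtp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware' },
    @{ Path = $rtp; Name = 'DisableRealtimeMonitoring' },
    @{ Path = $rtp; Name = 'DisableBehaviorMonitoring' },
    @{ Path = $rtp; Name = 'DisableOnAccessProtection' },
    @{ Path = $rtp; Name = 'DisableIOAVProtection' }
)
foreach ($c in $policyChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.($c.Name) -ne 0) {
        $findings += "Registry: $($c.Path)\$($c.Name) = $($v.($c.Name))"
    }
}

# 3. Exclusions: a whole drive or a user-writable directory excluded from scanning
#    is a common way to let a payload run. The patterns are an assumption.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath)) {
    if ($p -and ($p -match '^[A-Za-z]:\\?$' -or $p -match '\\(Users|Temp|ProgramData)\\?$')) {
        $findings += "Broad path exclusion: $p"
    }
}
foreach ($p in @($pref.ExclusionProcess)) {
    if ($p) { $findings += "Process exclusion: $p" }
}

# 4. Credential Guard: Win32_DeviceGuard.SecurityServicesRunning contains 1 when it runs
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($null -eq $dg -or -not ($dg.SecurityServicesRunning -contains 1)) {
    $findings += 'Credential Guard is not running'
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

The registry checks matter even when tamper protection reports as enabled: a finding there on a host that also shows tamper protection on is worth treating as a sign that the policy keys were written before protection was turned on, or by a process with enough privilege to bypass it, and should be investigated rather than silently reverted.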