TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Microsoft Threat Intelligence

Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations

Microsoft Threat Intelligence · 2026-04-06

ATT&CK techniques detected

27 predictions
T1219 Remote Access Tools
99%
“…and PsExec, followed by the use of Cloudflare tunnels (renamed to mimic legitimate binaries like conhost.exe) to move laterally over Remote Desktop Protocol (RDP) and deliver payloads to new devices. If RDP is not allowed in the environment, Storm-1175 has been observed us…”
T1003.001 LSASS Memory
98%
“…to turn on WDigest credential caching, or using Task Manager to dump LSASS credentials; for both of these attack techniques, the threat actor must obtain local administrative privileges to modify these resources. The attack surface reduction rule Block credential stealing from l…”
T1190 Exploit Public-Facing Application
98%
“…day exploits, in some cases a full week before public vulnerability disclosure. The threat actor has also been observed chaining together multiple exploits to enable post-compromise activity. After initial access, Storm-1175 establishes persistence by creating new user accoun…”
T1190 Exploit Public-Facing Application
98%
“…60 (SmarterMail) CVE-2026-1731 (BeyondTrust) Storm-1175 rotates exploits quickly during the time between disclosure and patch availability or adoption, taking advantage of the period where many organizations remain unprotected. In some cases, Storm-1175 has weaponiz…”
T1190 Exploit Public-Facing Application
97%
“…lnerabilities to obtain initial access. Since 2023, Microsoft Threat Intelligence has observed exploitation of over 16 vulnerabilities, including: CVE-2023-21529 (Microsoft Exchange) CVE-2023-27351 and CVE-2023-27350 (PaperCut) CVE-2023-46805 and CVE-2024…”
T1486 Data Encrypted for Impact
97%
“…to set antivirus exclusions. Data exfiltration and ransomware deployment Like other ransomware as a service (RaaS) offerings, Medusa offers a leak site to facilitate double extortion operations for its affiliates: attackers not only encrypt data, but steal the data and hold it…”
T1588.006 Vulnerabilities
91%
“Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations The financially motivated cybercriminal actor tracked by Microsoft Threat Intelligence as Storm-1175 operates high-velocity ransomware campaigns that weaponize n-days, t…”
T1190 Exploit Public-Facing Application
77%
“Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations The financially motivated cybercriminal actor tracked by Microsoft Threat Intelligence as Storm-1175 operates high-velocity ransomware campaigns that weaponize n-days, t…”
T1003.001 LSASS Memory
77%
“…1175 relies on PDQ Deployer, a legitimate software deployment tool that lets system administrators silently install applications, for both lateral movement and payload delivery, including ransomware deployment throughout the network. Additionally, Storm-1175 has leveraged impac…”
T1003.001 LSASS Memory
66%
“…used highly privileged access to create a Group Policy update to broadly deploy ransomware. Mitigation and protection guidance To defend against Storm-1175 TTPs and similar activity, Microsoft recommends the following mitigation measures: Use a perimeter scanning tool like Mic…”
T1003 OS Credential Dumping
58%
“…1175 relies on PDQ Deployer, a legitimate software deployment tool that lets system administrators silently install applications, for both lateral movement and payload delivery, including ransomware deployment throughout the network. Additionally, Storm-1175 has leveraged impac…”
T1537 Transfer Data to Cloud Account
57%
“…to set antivirus exclusions. Data exfiltration and ransomware deployment Like other ransomware as a service (RaaS) offerings, Medusa offers a leak site to facilitate double extortion operations for its affiliates: attackers not only encrypt data, but steal the data and hold it…”
T1003.004 LSA Secrets
54%
“…a critical security feature that protects credentials stored in process memory – in the LSA process lsass.exe. Credential Guard is turned on by default in Windows 11. However, if Credential Guard was previously disabled on a device, updating a device to Windows 11 does not overr…”
T1685 Disable or Modify Tools
44%
“…1175 access to the Security Account Manager (SAM), which provides detailed configuration and security settings, enabling an attacker to understand and manipulate the system environment on a much wider scale. Security tampering for ransomware delivery Storm-1175 modifies the m…”
T1486 Data Encrypted for Impact
44%
“…1175 access to the Security Account Manager (SAM), which provides detailed configuration and security settings, enabling an attacker to understand and manipulate the system environment on a much wider scale. Security tampering for ransomware delivery Storm-1175 modifies the m…”
T1072 Software Deployment Tools
42%
“…1175 relies on PDQ Deployer, a legitimate software deployment tool that lets system administrators silently install applications, for both lateral movement and payload delivery, including ransomware deployment throughout the network. Additionally, Storm-1175 has leveraged impac…”
T1219.002 Remote Desktop Software
42%
“…and PsExec, followed by the use of Cloudflare tunnels (renamed to mimic legitimate binaries like conhost.exe) to move laterally over Remote Desktop Protocol (RDP) and deliver payloads to new devices. If RDP is not allowed in the environment, Storm-1175 has been observed us…”
T1679 Selective Exclusion
42%
“…1175 access to the Security Account Manager (SAM), which provides detailed configuration and security settings, enabling an attacker to understand and manipulate the system environment on a much wider scale. Security tampering for ransomware delivery Storm-1175 modifies the m…”
T1003.001 LSASS Memory
40%
“…a critical security feature that protects credentials stored in process memory – in the LSA process lsass.exe. Credential Guard is turned on by default in Windows 11. However, if Credential Guard was previously disabled on a device, updating a device to Windows 11 does not overr…”
T1003.001 LSASS Memory
36%
“…Security Authority Subsystem (lsass.exe) Block execution of potentially obfuscated scripts Block webshell creation for servers Block process creations originating from PsExec and WMI commands (some organizations might experience compatibility issues with this rule on certain…”
T1190 Exploit Public-Facing Application
36%
“…Attackers with decompilers strike again (SmarterTools SmarterMail WT-2026-0001 auth bypass) OWASSRF: CrowdStrike identifies new exploit method for Exchange bypassing ProxyNotShell mitigations Learn more For the latest security research from the Microsoft Threat Intelligenc…”
T1588.006 Vulnerabilities
36%
“…2‑41082 to achieve remote code execution. Storm-1175 has also demonstrated a capability for targeting Linux systems as well: in late 2024, Microsoft Threat Intelligence identified the exploitation of vulnerable Oracle WebLogic instances across multiple organizations, thoug…”
T1531 Account Access Removal
35%
“…1175 access to the Security Account Manager (SAM), which provides detailed configuration and security settings, enabling an attacker to understand and manipulate the system environment on a much wider scale. Security tampering for ransomware delivery Storm-1175 modifies the m…”
T1059.001 PowerShell
33%
“…Security Authority Subsystem (lsass.exe) Block execution of potentially obfuscated scripts Block webshell creation for servers Block process creations originating from PsExec and WMI commands (some organizations might experience compatibility issues with this rule on certain…”
T1048 Exfiltration Over Alternative Protocol
33%
“…to set antivirus exclusions. Data exfiltration and ransomware deployment Like other ransomware as a service (RaaS) offerings, Medusa offers a leak site to facilitate double extortion operations for its affiliates: attackers not only encrypt data, but steal the data and hold it…”
T1485 Data Destruction
33%
“…to set antivirus exclusions. Data exfiltration and ransomware deployment Like other ransomware as a service (RaaS) offerings, Medusa offers a leak site to facilitate double extortion operations for its affiliates: attackers not only encrypt data, but steal the data and hold it…”
T1190 Exploit Public-Facing Application
31%
“…2‑41082 to achieve remote code execution. Storm-1175 has also demonstrated a capability for targeting Linux systems as well: in late 2024, Microsoft Threat Intelligence identified the exploitation of vulnerable Oracle WebLogic instances across multiple organizations, thoug…”

Summary

The financially motivated cybercriminal threat actor Storm-1175 operates high-velocity ransomware campaigns that weaponize recently disclosed vulnerabilities to obtain initial access, exfiltrate data, and deploy Medusa ransomware.

The post Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations appeared first on Microsoft Security Blog.