
Storm-1175 targets exposed perimeter systems in Medusa ransomware campaign

Posted on 21 April 2026


What happened?

This month, Microsoft Threat Intelligence reported that a financially motivated threat actor, tracked as Storm-1175, is conducting high-velocity ransomware campaigns against internet-facing enterprise systems, in which progression from initial access to ransomware deployment can occur within 24 hours. The activity was identified through Microsoft’s ongoing threat monitoring and incident response investigations.

The group focuses on exploiting recently disclosed vulnerabilities during the window between public disclosure and patch adoption, often progressing from initial access to data exfiltration and Medusa ransomware deployment within a short timeframe. The exploited vulnerabilities span commonly used enterprise platforms, including Microsoft Exchange, Ivanti Connect Secure, ConnectWise ScreenConnect, JetBrains TeamCity, CrushFTP, and SmarterMail, which highlights a consistent focus on widely deployed, internet-facing technologies.

Following initial access, typically through exploitation of web-facing systems, the group establishes persistence by creating new user accounts and deploying remote management tools to move laterally across the network. Credential theft techniques are then used to expand access, while security controls may be weakened or disabled.

Before deploying ransomware, attackers often exfiltrate sensitive data, enabling double extortion where organisations may face both operational disruption and the risk of data exposure via leak sites associated with the Medusa ransomware operation.

Recent activity has impacted organisations across healthcare, education, professional services, and finance sectors in regions including the United States, United Kingdom, and Australia.

So what?

Storm-1175’s activity reflects a broader trend in ransomware operations: the rapid exploitation of recently disclosed vulnerabilities in internet-facing systems. This approach reduces the time available for organisations to respond and increases the importance of timely vulnerability management.

The focus on externally exposed systems, such as remote access services, file transfer platforms, and email infrastructure, is deliberate. These systems are accessible by design and often critical to business operations, making them a consistent entry point when not properly secured or updated.

The combination of data exfiltration and ransomware deployment increases the potential business impact. Organisations may experience operational disruption, financial loss, and reputational damage if sensitive data is accessed or publicly disclosed.

There are also regulatory considerations. Under frameworks such as the UK GDPR and EU GDPR, organisations are typically required to assess and report certain breaches within defined timeframes, often within 72 hours of becoming aware of an incident.

This activity does not represent a fundamentally new technique, but rather a refinement of established ransomware tactics, with a clear emphasis on speed and efficiency. For organisations, this increases the importance of maintaining visibility over internet-facing assets and ensuring that critical updates are applied promptly, as delays can directly increase exposure to risk.

What should I do?

The most effective mitigation is to ensure that all internet-facing systems are identified, regularly reviewed, and updated as part of standard patch management processes. Organisations should begin by assessing their exposure, including identifying any externally accessible systems and confirming whether they are fully up to date.

Where immediate patching is not possible, organisations should reduce exposure by limiting direct internet access. This can include placing systems behind secure access controls such as VPNs, restricting access to trusted networks, or using protective layers such as web application firewalls (WAFs) or reverse proxy services.

Basic security practices remain highly effective against this type of activity:

  • Keep systems up to date: Apply security updates promptly, particularly for externally exposed services.
  • Limit unnecessary access: Only expose systems to the internet where required.
  • Use multi-factor authentication (MFA): Especially for remote access and administrative accounts.
  • Monitor for unusual activity: Look for unexpected account creation, login behaviour, or large data transfers.
  • Maintain regular backups: Ensure backups are secure and recoverable.

For organisations using Microsoft security tools, Microsoft Defender External Attack Surface Management can be used to continuously discover and map their digital attack surface.

From a governance perspective, organisations should ensure that incident response processes are documented and understood, including responsibilities for regulatory reporting where required. Staff should also be encouraged to report unusual system behaviour promptly, as early detection remains critical.

Questions to consider internally:

  • Do we have visibility of all internet-facing systems?
  • Are critical systems patched within acceptable timeframes?
  • Are remote access and administrative accounts protected with MFA?
  • Do we have monitoring in place to detect unusual activity early?

Indicators of Compromise (IoCs)

Type   Indicator                                                          Description
Hash   0cefeb6210b7103fd32b996beff518c9b6e1691a97bb1cda7f5fb57905c4be96   Gaze.exe (Medusa Ransomware)
Hash   9632d7e4a87ec12fdd05ed3532f7564526016b78972b2cd49a610354d672523c   lsp.exe (Rclone)
Hash   e57ba1a4e323094ca9d747bfb3304bd12f3ea3be5e2ee785a3e656c3ab1e8086   main.exe (SimpleHelp)
Hash   5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19   moon.exe (SimpleHelp)
IP     185.135.86[.]149                                                   SimpleHelp C2
IP     134.195.91[.]224                                                   SimpleHelp C2
IP     85.155.186[.]121                                                   SimpleHelp C2
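As an added illustration, not code from this post or from Microsoft, the Python script below loads the indicators from the table above, restores the defanged IP addresses to their literal form, and checks them against a few constructed log lines. It also flags the two behaviours the "Monitor for unusual activity" bullet asks for: a new user account (Windows security event 4720) and a large cumulative outbound transfer to a single external host. The key=value log format, field names, host names, the sample lines and the 500 MB threshold are all assumptions made for the example; only the hashes and IP addresses come from the post.

```python
import re
from collections import defaultdict

# Indicators copied from the post's IoC table (IP addresses are defanged with "[.]").
IOC_HASHES = {
    "0cefeb6210b7103fd32b996beff518c9b6e1691a97bb1cda7f5fb57905c4be96": "Gaze.exe (Medusa ransomware)",
    "9632d7e4a87ec12fdd05ed3532f7564526016b78972b2cd49a610354d672523c": "lsp.exe (Rclone)",
    "e57ba1a4e323094ca9d747bfb3304bd12f3ea3be5e2ee785a3e656c3ab1e8086": "main.exe (SimpleHelp)",
    "5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19": "moon.exe (SimpleHelp)",
}
IOC_IPS = {
    "185.135.86[.]149": "SimpleHelp C2",
    "134.195.91[.]224": "SimpleHelp C2",
    "85.155.186[.]121": "SimpleHelp C2",
}


def refang(indicator: str) -> str:
    """Restore a defanged indicator ('185.135.86[.]149') to the form that appears in real logs."""
    return indicator.replace("[.]", ".")


# Lookup tables normalised to what logs actually contain (lowercase hashes, plain IPs).
HASH_LOOKUP = {h.lower(): d for h, d in IOC_HASHES.items()}
IP_LOOKUP = {refang(ip): d for ip, d in IOC_IPS.items()}

HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed threshold: more than 500 MiB sent from one internal host to one destination.
EXFIL_BYTES = 500 * 1024 * 1024


def fields(line: str) -> dict:
    """Parse the constructed 'key=value' log format used in the sample below."""
    return dict(KV_RE.findall(line))


def ioc_hits(line: str) -> list:
    """Return (kind, value, description) for every published indicator found in the line."""
    hits = []
    for h in HASH_RE.findall(line):
        desc = HASH_LOOKUP.get(h.lower())
        if desc:
            hits.append(("ioc-hash", h.lower(), desc))
    for ip in IP_RE.findall(line):
        desc = IP_LOOKUP.get(ip)
        if desc:
            hits.append(("ioc-ip", ip, desc))
    return hits


def scan_logs(lines: list) -> list:
    """Return (line_no, kind, value, detail) findings: IoC matches, new accounts,
    and the first time a (src, dst) pair exceeds EXFIL_BYTES of outbound data."""
    findings = []
    sent = defaultdict(int)  # (src, dst) -> cumulative bytes out
    for n, line in enumerate(lines, 1):
        for kind, value, desc in ioc_hits(line):
            findings.append((n, kind, value, desc))
        f = fields(line)
        # Windows security event 4720: "A user account was created".
        if f.get("event_id") == "4720":
            findings.append((n, "account-created", f.get("target_user", "?"),
                             f"created by {f.get('subject_user', '?')}"))
        if "bytes_out" in f and "dst" in f:
            key = (f.get("src", "?"), f["dst"])
            before = sent[key]
            sent[key] += int(f["bytes_out"])
            if before <= EXFIL_BYTES < sent[key]:  # report once, when the threshold is crossed
                findings.append((n, "large-transfer", f["dst"], f"{sent[key]} bytes from {key[0]}"))
    return findings


# Constructed sample log lines (not real telemetry); external IPs use documentation ranges.
SAMPLE_LOGS = [
    "2026-04-21T09:58:41Z fw=edge01 action=allow src=10.20.4.17 dst=203.0.113.10 dport=443 bytes_out=48211",
    "2026-04-21T10:02:13Z host=srv-app02 event=process_create user=svc_backup image=C:\\ProgramData\\main.exe "
    "sha256=E57BA1A4E323094CA9D747BFB3304BD12F3EA3BE5E2EE785A3E656C3AB1E8086",
    "2026-04-21T10:02:20Z fw=edge01 action=allow src=10.20.4.31 dst=185.135.86.149 dport=443 bytes_out=9120",
    "2026-04-21T10:05:07Z host=dc01 event_id=4720 subject_user=svc_backup target_user=sysadm2",
    "2026-04-21T10:40:55Z fw=edge01 action=allow src=10.20.4.31 dst=198.51.100.77 dport=443 bytes_out=419430400",
    "2026-04-21T10:52:03Z fw=edge01 action=allow src=10.20.4.31 dst=198.51.100.77 dport=443 bytes_out=314572800",
]

if __name__ == "__main__":
    for n, kind, value, detail in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} {value} -> {detail}")
```

The hash lookup is case-insensitive because EDR and Sysmon products differ in how they emit SHA-256 values, and the transfer check reports on the line where the cumulative total first crosses the threshold rather than on every later line, which keeps the alert count manageable when replaying a day of firewall logs.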
