Rapid Exploitation Window. Storm-1175 Uses Zero-Days to Deploy Ransomware Within Hours
A China-linked threat actor tracked as Storm-1175 has been observed exploiting both zero-day and recently disclosed vulnerabilities to gain rapid access to internet-facing systems and deploy Medusa ransomware.
According to Microsoft Threat Intelligence, the group operates at high speed, with some intrusions progressing from initial access to ransomware deployment within 24 hours.
What Happened
Storm-1175 targets exposed perimeter systems using a mix of:
- zero-day vulnerabilities (before public disclosure)
- newly disclosed vulnerabilities before patch adoption
- chained exploits for post-compromise activity
The group has impacted organizations across:
- healthcare
- education
- finance
- professional services
in regions including the United States, United Kingdom, and Australia.
How the Attacks Work
The attack sequence follows a rapid and structured flow.
After gaining initial access, the threat actor:
- establishes persistence through new accounts and web shells
- uses legitimate tools (RMM software) for lateral movement
- performs credential theft
- disables or interferes with security controls
- exfiltrates data
- deploys Medusa ransomware
In several observed cases, this entire process completes within days, or even hours.
Exploited Vulnerabilities
Since 2023, Storm-1175 has been linked to the exploitation of multiple vulnerabilities across widely used systems, including:
- Microsoft Exchange
- Ivanti Connect Secure
- ConnectWise ScreenConnect
- JetBrains TeamCity
- CrushFTP
- GoAnywhere MFT
- SmarterMail
- BeyondTrust
Some vulnerabilities were exploited as zero-days before public disclosure.
Techniques Observed
The campaign relies heavily on combining existing tools with targeted exploitation.
Observed techniques include:
- use of LOLBins such as PowerShell and PsExec
- lateral movement with Impacket
- deployment via PDQ Deployer
- credential dumping using Mimikatz
- firewall modifications to enable RDP
- data exfiltration using Rclone
- archive staging with Bandizip
RMM tools such as AnyDesk and Atera were also used to blend malicious activity into normal operations.
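As an added illustration (not code from the report or from Microsoft), the following Python sketch shows how the techniques listed above can be correlated in endpoint telemetry: it matches process-creation events against one pattern per technique and flags a host only when several distinct techniques appear within a short window, reflecting the hours-not-days timing of these intrusions. The event shape, field names and sample command lines are constructed assumptions, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events in a Sysmon-like shape (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:14:30", "host": "web01", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"ts": "2024-05-01T02:31:05", "host": "web01", "image": r"C:\Users\Public\m.exe",
     "cmdline": "m.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"ts": "2024-05-01T03:02:44", "host": "web01", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy C:\staging remote:bucket --transfers 8"},
    {"ts": "2024-05-01T09:00:00", "host": "fs02", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall firewall add rule name=rdp dir=in action=allow protocol=TCP localport=3389"},
]

# One pattern per technique named in the report, matched against the lower-cased image + command line.
RULES = {
    "firewall_rdp_enable": re.compile(r"netsh.*advfirewall.*(localport=3389|remote desktop)"),
    "credential_dump": re.compile(r"mimikatz|sekurlsa::|lsadump::"),
    "rclone_transfer": re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\s"),
    "psexec_lateral": re.compile(r"psexec"),
    "archive_staging": re.compile(r"bandizip"),
}

def classify(event):
    """Return the set of technique names whose pattern matches one event."""
    text = f"{event['image']} {event['cmdline']}".lower()
    return {name for name, rx in RULES.items() if rx.search(text)}

def rapid_chains(events, window_hours=24, min_techniques=3):
    """Flag hosts where >= min_techniques distinct techniques fire within window_hours."""
    # One netsh or rclone run is ordinary admin noise; several distinct techniques on one
    # host inside a short window is the hours-not-days pattern the report describes.
    per_host = defaultdict(list)
    for ev in events:
        for name in classify(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), name))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            window = [(t, n) for t, n in hits[i:] if t - start <= timedelta(hours=window_hours)]
            names = {n for _, n in window}
            if len(names) >= min_techniques:
                span_hours = (window[-1][0] - start).total_seconds() / 3600
                findings[host] = {"techniques": sorted(names), "span_hours": round(span_hours, 2)}
                break
    return findings
```

A lone firewall change on fs02 is not flagged; web01 is, because three distinct techniques land within under an hour.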
Why This Matters
This is not a new vulnerability problem.
It is a timing problem.
Three key observations:
1. The window between disclosure and exploitation is shrinking
Attackers move before patching is complete.
2. Speed defines impact
The difference between hours and days determines containment.
3. Legitimate tools reduce visibility
Much of the activity appears operational, not malicious.
DIAMATIX Perspective
This case reflects a consistent pattern.
Attackers operate in the gap between disclosure and patching.
This gap exists in every environment.
The challenge is not identifying vulnerabilities.
It is responding fast enough.
From an operational standpoint:
- exposed perimeter systems must be continuously monitored
- patch visibility must be aligned with asset visibility
- abnormal use of administrative tools must be detected early
- response workflows must operate within hours, not days
Ransomware is no longer the final stage.
It is the result of everything that happens before it.
Conclusion
Storm-1175 demonstrates how speed and coordination define modern ransomware operations.
Organizations are not only challenged by vulnerabilities, but by the time it takes to act on them.
Reducing that time is the difference between exposure and containment.
Sources
Microsoft Threat Intelligence. Storm-1175 activity analysis