Microsoft Just Exposed a Ransomware Group That Works Faster Than Your IT Team Can Respond
On April 6, 2026, Microsoft Threat Intelligence published a detailed report on a threat group called Storm-1175. The headline finding: this group can break into your network and deploy Medusa ransomware in less than 24 hours. In many cases, the entire attack - from first foothold to encrypted files and ransom note - wraps up in five to six days. But the fast ones? Done before lunch the next day.
That timeline matters. Most small and mid-sized businesses don't have 24/7 security monitoring. Many don't patch critical vulnerabilities for weeks or months. And Storm-1175 knows it. They specifically target the gap between when a software vulnerability gets publicly disclosed and when organizations actually apply the fix. In at least one case, they exploited a vulnerability within a single day of its disclosure.
This post breaks down how these attacks work, which systems are being targeted, and what you can actually do about it - with specific, actionable steps sized for businesses with 10 to 200 employees.
What Is Medusa Ransomware?
Medusa is a ransomware-as-a-service (RaaS) operation that's been active since 2021. It works like most modern ransomware: attackers break in, steal sensitive data, encrypt your files, and then demand payment. If you don't pay, they threaten to publish the stolen data on a leak site.
What makes Medusa noteworthy right now is the group deploying it. Storm-1175 has turned Medusa deployment into a well-oiled, high-speed operation. According to Bitdefender's April 2026 Threat Debrief, the group claimed 23 ransomware victims in March 2026 alone - more than half their total for the entire year so far, and a significant jump from 2025's pace.
The industries getting hit hardest: healthcare, education, professional services, and finance. The geographic targets are primarily the United States, United Kingdom, and Australia. If your business falls into any of those categories, pay extra attention.
How Storm-1175 Breaks In: The Vulnerability Window
Storm-1175's primary tactic is exploiting known vulnerabilities in internet-facing software. Since 2023, Microsoft has documented the group exploiting over 16 different vulnerabilities across products that many businesses use daily:
- Microsoft Exchange Server - the email platform millions of businesses rely on
- ConnectWise ScreenConnect - a popular remote support tool used by IT providers
- Ivanti Connect Secure - a widely deployed VPN solution
- SimpleHelp - another remote access tool common in small business environments
- GoAnywhere MFT - a managed file transfer platform
- SmarterMail - an email server used by many SMBs
- BeyondTrust - a privileged access management tool
Notice a pattern? These are all tools that sit on the edge of your network, facing the internet. VPNs, email servers, remote access platforms. They're the front door, and Storm-1175 checks every lock.
The group's speed is the real concern. When a vulnerability gets disclosed publicly (meaning the vendor announces it and releases a patch), Storm-1175 races to exploit it before organizations update. Microsoft documented one case where Storm-1175 exploited a vulnerability in SAP NetWeaver just one day after disclosure. They've also used at least three zero-day vulnerabilities - flaws that had no patch available at all when they were exploited.
The Attack Chain: What Happens After They Get In
Understanding the attack sequence helps you spot it if it happens to you. Here's how Storm-1175 typically operates after gaining initial access:
Step 1: Establish a Foothold
After exploiting a vulnerability, the attackers drop a web shell or remote access tool on the compromised server. This gives them persistent access even if you later patch the original vulnerability.
Step 2: Create Backdoor Accounts
They create new user accounts with administrator privileges. These blend in with legitimate admin accounts and give them a way back in if their web shell gets discovered.
Step 3: Install Remote Management Tools
Storm-1175 installs legitimate remote monitoring and management (RMM) tools - the same kind of software IT providers use to manage client networks. Microsoft observed them using AnyDesk, ConnectWise ScreenConnect, Atera, Level RMM, and others. Because these are legitimate tools, they often fly under the radar of antivirus software.
Step 4: Move Laterally
Using built-in Windows tools like PowerShell and PsExec, plus the RMM software they installed, the attackers spread across your network. They've been observed modifying Windows Firewall rules to enable Remote Desktop Protocol (RDP) access between machines - essentially unlocking internal doors as they go.
Step 5: Steal Credentials and Data
Using tools like Mimikatz and Impacket, they harvest usernames and passwords from compromised machines. They also exfiltrate sensitive business data, which becomes leverage for the double-extortion ransom demand.
Step 6: Disable Security and Deploy Ransomware
Before deploying Medusa, Storm-1175 tampers with security solutions. Microsoft observed them configuring Microsoft Defender Antivirus exclusions to prevent detection. They then use PDQ Deployer - a legitimate software deployment tool - to push Medusa ransomware across the entire network simultaneously.
The whole process, start to finish, can happen in under 24 hours.
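If you suspect a server has been hit, the six steps above translate directly into log events you can look for. The script below is an added example (it is not code from Microsoft's report or from this post) that hunts a Windows host's event logs for that sequence: account creation and additions to local Administrators, RMM tools installed as services, Defender exclusion changes, and firewall rules added. It assumes the standard Windows event IDs, that account-management auditing is enabled, and a keyword list built only from the RMM tools named in this post; the log names and field names are the built-in Windows ones.

```powershell
<#
  Added example; this is not code from Microsoft's report or from this post.
  Hunts a Windows server's event logs for the post-exploitation sequence
  described above: new account -> added to local Administrators -> RMM tool
  installed as a service -> Defender exclusion changed -> firewall rule added.
  Run in an elevated PowerShell on the suspect host, e.g.  .\Hunt-Chain.ps1 -Hours 72
  Assumptions: standard Windows event IDs (4720 account created, 4732 member
  added to a local group, 7045 new service, Defender 5007 configuration
  changed, firewall operational log 2004 rule added); "Audit User Account
  Management" and "Audit Security Group Management" are enabled; the RMM
  keyword list is drawn from the tools named in this post (add the service
  names your own environment uses).
#>
param([int]$Hours = 48)

$since    = (Get-Date).AddHours(-$Hours)
$rmmWords = 'anydesk', 'screenconnect', 'connectwise', 'atera', 'simplehelp', 'pdq'
$found    = New-Object System.Collections.Generic.List[object]

function Add-Finding($Event, $Stage, $Detail) {
    $found.Add([pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; Stage = $Stage; Detail = $Detail })
}

# Return the named EventData fields of an event as a hashtable
function Get-EventData($Event) {
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
    return $d
}

# Step 2: backdoor accounts (Security log 4720/4732)
$sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $sec) {
    $d = Get-EventData $e
    if ($e.Id -eq 4720) {
        Add-Finding $e 'Backdoor account' "Account '$($d.TargetUserName)' created by $($d.SubjectUserName)"
    } elseif ($d.TargetUserName -eq 'Administrators') {
        Add-Finding $e 'Backdoor admin' "$($d.MemberName) added to local Administrators by $($d.SubjectUserName)"
    }
}

# Step 3: RMM tools installed as services (System log, Service Control Manager 7045)
$svc = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $svc) {
    $d = Get-EventData $e
    $blob = "$($d.ServiceName) $($d.ImagePath)".ToLower()
    foreach ($w in $rmmWords) {
        if ($blob.Contains($w)) { Add-Finding $e 'RMM install' "Service '$($d.ServiceName)' -> $($d.ImagePath)"; break }
    }
}

# Step 6: Defender exclusions changed (Defender operational log 5007)
$def = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $def) {
    if ($e.Message -match 'Exclusions') {
        $newValue = ($e.Message -split "`r?`n" | Where-Object { $_ -match 'New value' }) -join ' '
        Add-Finding $e 'Defender tamper' $newValue
    }
}

# Step 4: firewall rules added (firewall operational log 2004); flag anything touching RDP
$fw = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'; Id = 2004; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $fw) {
    $d = Get-EventData $e
    $stage = if ("$($d.RuleName) $($d.LocalPorts)" -match '3389|Remote Desktop') { 'Firewall opened for RDP' } else { 'Firewall rule added' }
    Add-Finding $e $stage "Rule '$($d.RuleName)' ports=$($d.LocalPorts) action=$($d.Action)"
}

# Report in time order; two or more distinct stages in one window is the chain, not noise
$timeline = @($found | Sort-Object Time)
$timeline | Format-Table Time, Id, Stage, Detail -AutoSize -Wrap
$stages = @($timeline | Select-Object -ExpandProperty Stage -Unique).Count
if ($stages -ge 2) {
    Write-Warning "$stages distinct stages of the chain seen in the last $Hours h on $env:COMPUTERNAME; isolate the host and preserve logs before touching anything."
} elseif ($timeline.Count -eq 0) {
    Write-Host "No matching events in the last $Hours h (verify that account-management auditing is enabled)."
}
```

Run it on the internet-facing server first, then on the domain controller. A single 4720 on its own is a Tuesday; a 4720 followed within hours by a new service whose path contains an RMM name and a Defender exclusion is the chain described above, and the right response at that point is isolation and log preservation, not cleanup.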
Why Small Businesses Are Particularly Exposed
You might think a group this sophisticated would only target large enterprises. That's not the case. Here's why SMBs are squarely in the crosshairs:
Slower patch cycles. Enterprise organizations with dedicated security teams can push critical patches within days. Many small businesses wait weeks or months, especially for systems like email servers or VPNs that require maintenance windows and testing. Storm-1175 lives in that gap.
Internet-facing tools without monitoring. A lot of SMBs run email servers, VPNs, and remote access tools that face the internet but lack proper monitoring. Nobody's watching the logs at 2 AM when the initial exploitation happens.
Flat networks. In many small business environments, once an attacker compromises one machine, they can reach everything. There's no network segmentation separating the accounting server from the file server from the domain controller.
RMM tools are already trusted. If your IT provider uses ConnectWise or AnyDesk, your security tools are probably configured to allow those applications. When an attacker installs the same tool, it looks normal.
Practical Steps to Protect Your Business
Here's what actually works against this type of attack, organized by priority and complexity.
Patch Internet-Facing Systems Within 72 Hours
This is the single most impactful thing you can do. When a critical vulnerability is announced for any system that faces the internet - your VPN, email server, remote access tools, file transfer platforms - patch it within 72 hours. Not next month. Not next quarter. This week.
One caveat: patching closes the door, but it doesn't evict anyone who already walked through it. If a system sat exposed while it was vulnerable, patch it and then check it for the footholds described above (web shells, new admin accounts, unexpected RMM tools) before assuming you're clean.
If patching quickly isn't realistic with your current setup, you need to either move those services to cloud-hosted versions (where the vendor handles patching) or work with an IT provider that includes patch management in their service.
Prioritize these categories of software for fast patching:
- VPN appliances and remote access gateways
- Email servers (especially on-premises Exchange)
- Remote monitoring/management tools
- File transfer platforms
- Web application servers
Reduce Your Internet-Facing Attack Surface
Every service you expose to the internet is a potential entry point. Audit what's actually visible from outside your network:
- Do you still need that on-premises Exchange server, or could you migrate to Microsoft 365?
- Is your VPN appliance current generation, or is it an end-of-life model that no longer receives security updates?
- Are remote access tools restricted to specific IP ranges, or can anyone on the internet reach the login page?
Microsoft specifically recommends using tools like Defender External Attack Surface Management to understand your digital footprint. For smaller organizations, even a basic external network security audit can reveal services you didn't realize were exposed.
Implement Network Segmentation
If an attacker gets into one system, they shouldn't be able to reach everything. At minimum:
- Separate servers from workstations using VLANs
- Put internet-facing systems in a DMZ
- Restrict RDP access to only the machines and users that genuinely need it
- Use firewall rules between network segments, not just at the perimeter
This won't prevent a breach, but it slows lateral movement and can limit the damage to a single segment rather than your entire network.
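Restricting RDP is the segmentation item most SMBs can do today without new hardware, because every Windows host already has a firewall. The script below is an added example (not from this post's author or from Microsoft) that shows the weak setting and the corrected one on a single host: it reports every enabled inbound rule that exposes port 3389 to any remote address, then scopes the built-in Remote Desktop rules to a management subnet and disables stray custom 3389 rules. The subnet 10.0.50.0/24 is a placeholder for your own admin or jump-host network.

```powershell
<#
  Added example; not code from this post's author or from Microsoft.
  Implements the "restrict RDP access to only the machines and users that
  genuinely need it" item above on a single Windows host using the built-in
  firewall: first report the weak state (enabled inbound rules that open
  3389 to any remote address, which is what Storm-1175 creates or relies on
  when it unlocks internal doors), then scope the built-in Remote Desktop
  rules to a management subnet and disable any stray custom 3389 rule.
  Assumptions: 10.0.50.0/24 is a placeholder for your admin/jump-host subnet;
  run elevated; try it with -WhatIf first. For a domain, push the same
  setting with Group Policy instead of touching hosts one by one.
#>
[CmdletBinding(SupportsShouldProcess)]
param([string]$AdminSubnet = '10.0.50.0/24')

# Weak state: enabled inbound allow rules exposing TCP/UDP 3389 to Any
$open = @(foreach ($r in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $ports = @(($r | Get-NetFirewallPortFilter).LocalPort)
    $addr  = "$(($r | Get-NetFirewallAddressFilter).RemoteAddress)"
    if (($ports -contains '3389') -and ($addr -eq 'Any')) {
        [pscustomobject]@{ Name = $r.DisplayName; Group = $r.DisplayGroup; Profile = $r.Profile; RemoteAddress = $addr }
    }
})
if ($open.Count -gt 0) {
    Write-Warning "RDP is reachable from any address through $($open.Count) rule(s):"
    $open | Format-Table -AutoSize
}

# Corrected state: the built-in Remote Desktop rules only accept the admin subnet
$rdp = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop')
if ($PSCmdlet.ShouldProcess("$($rdp.Count) 'Remote Desktop' rule(s)", "restrict RemoteAddress to $AdminSubnet")) {
    $rdp | Set-NetFirewallRule -RemoteAddress $AdminSubnet
}

# A custom rule that opens 3389 (the kind an attacker adds) is disabled, not merely scoped
foreach ($o in $open | Where-Object Group -ne 'Remote Desktop') {
    if ($PSCmdlet.ShouldProcess($o.Name, 'disable custom 3389 rule')) {
        Disable-NetFirewallRule -DisplayName $o.Name
    }
}

# Verify: every Remote Desktop rule should now show the admin subnet, not Any
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

Run it with -WhatIf to see what would change before committing. The design point is that scoping RDP to a known subnet means an attacker who lands on a workstation can't reach the file server's RDP port at all, and a firewall rule they add to re-open it is exactly the event your monitoring should flag.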
Deploy Endpoint Detection and Response (EDR)
Traditional antivirus isn't enough against attacks like this. Storm-1175 uses legitimate tools (PowerShell, PsExec, RMM software) that standard antivirus won't flag. Endpoint detection and response (EDR) solutions monitor behavior patterns - like a new admin account being created at 3 AM followed by RMM software installation - and can alert or block suspicious activity automatically.
EDR also provides the telemetry needed to investigate an incident after the fact. Without it, you may never know exactly what the attackers accessed or stole.
Monitor for Unauthorized RMM Tools
Storm-1175's heavy use of legitimate RMM tools is a signature tactic. Your IT environment should have a policy: only approved remote access tools are allowed. Everything else gets blocked.
If your IT team uses ConnectWise ScreenConnect, then AnyDesk, Level RMM, and Atera should be blocked at the application control level. Any unexpected RMM tool installation should trigger an immediate alert.
Enforce Multi-Factor Authentication Everywhere
MFA on every account that faces the internet: email, VPN, remote desktop, cloud applications, admin portals. Storm-1175 steals credentials as part of their attack chain. MFA doesn't make stolen credentials harmless, but it adds a significant barrier at the point where it matters most: initial access. Keep in mind that once an attacker is inside, lateral movement with PsExec and harvested credentials usually doesn't pass through MFA at all, so MFA protects the front door rather than the interior.
Pay special attention to admin accounts. If an attacker compromises a regular user account with MFA, the damage is limited. If they compromise a domain admin account without MFA, the game is essentially over.
Maintain Tested, Offline Backups
Ransomware's leverage disappears if you can restore from backup. The key word is "tested." Many businesses discover their backups don't actually work when they need them most.
Your backup and recovery strategy should include:
- At least one copy that's air-gapped or immutable (can't be encrypted or deleted, even by an attacker holding your admin credentials)
- Regular test restores - monthly at minimum
- Recovery time objectives documented and realistic (how long until you're operational?)
- Backup of cloud services too, not just on-premises servers
Build an Incident Response Plan
When an attack moves this fast, you don't have time to figure out your response in the moment. A basic incident response plan should document:
- Who makes the call to shut down systems (and the authority to do it without committee approval)
- How to isolate compromised machines from the network
- Contact information for your IT provider, cyber insurance carrier, and legal counsel
- Communication templates for employees, customers, and regulators
- A prioritized list of which systems to restore first
The Bigger Picture: Ransomware Is Getting Faster Across the Board
Storm-1175 isn't an outlier. The trend across the ransomware landscape is toward faster attacks. The Hacker News reported that multiple threat groups are now compressing entire attack chains into hours rather than weeks. The days when attackers spent months lurking in a network before deploying ransomware are mostly behind us.
This shift changes the calculus for defenders. Reactive security - waiting for alerts and then investigating - isn't fast enough anymore. You need preventive controls (patching, segmentation, attack surface reduction) combined with automated detection and response that doesn't rely on a human checking email at 2 AM.
For businesses without a dedicated security operations center, managed detection and response services fill this gap by providing 24/7 monitoring with trained analysts who can respond to threats in real time.
What to Do This Week
If this post has you thinking about your own security posture, here are three things you can do in the next five business days:
- Inventory your internet-facing systems. List every service accessible from the internet. Check each one for pending security patches. Apply critical patches immediately.
- Verify your backups. Run a test restore of your most critical system. Time it. If it takes longer than your business can tolerate being down, adjust your backup strategy.
- Check for unauthorized remote access tools. Look at installed software across your servers and workstations. If you find AnyDesk, Atera, or other RMM tools that your IT team didn't install, investigate immediately.
These three steps cost nothing and address the specific tactics Storm-1175 uses. They're worth an afternoon of your time.
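The "only approved remote access tools" policy above, and the third to-do item (checking for RMM tools your IT team didn't install), can both be carried out with one script. The one below is an added example, not code from this post's author or from any RMM vendor: it inventories installed programs, running processes and services on a Windows machine, matches them against a keyword catalog built from the tools named in this post, and flags anything not on your approved list. The default approved list (ScreenConnect) is a placeholder; replace it with whatever your provider actually uses, and add keywords for tools this post doesn't name.

```powershell
<#
  Added example; not code from this post's author or from any RMM vendor.
  Inventories remote-access/RMM software on a Windows machine and flags
  anything not on the approved list, turning the "only approved remote
  access tools are allowed" policy above into a check you can run today.
  Looks at installed programs (64-bit, 32-bit and per-user Uninstall keys),
  running processes and services.
  Assumptions: the keyword catalog covers the tools named in this post (add
  your own, e.g. the service name of Level's agent); the default -Approved
  value is a placeholder for whatever your IT provider really uses.
#>
param([string[]]$Approved = @('ScreenConnect'))

# keyword (matched case-insensitively in names and paths) => product
$rmmCatalog = [ordered]@{
    'anydesk'       = 'AnyDesk'
    'screenconnect' = 'ConnectWise ScreenConnect'
    'connectwise'   = 'ConnectWise ScreenConnect'
    'atera'         = 'Atera'
    'simplehelp'    = 'SimpleHelp'
    'pdq'           = 'PDQ Deploy'
}

function Test-Approved([string]$Product) {
    foreach ($a in $Approved) { if ($Product -like "*$a*") { return $true } }
    return $false
}

function Get-RmmHits {
    $hits = New-Object System.Collections.Generic.List[object]
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $items = @(
        Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue | Where-Object DisplayName |
            ForEach-Object { [pscustomobject]@{ Source = 'Installed program'; Name = $_.DisplayName; Path = $_.InstallLocation } }
        Get-Process -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = 'Running process'; Name = $_.ProcessName; Path = $_.Path } }
        Get-CimInstance Win32_Service |
            ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.DisplayName; Path = $_.PathName } }
    )
    foreach ($item in $items) {
        $hay = "$($item.Name) $($item.Path)".ToLower()
        foreach ($kw in $rmmCatalog.Keys) {
            if ($hay.Contains($kw)) {
                $product = $rmmCatalog[$kw]
                $status  = if (Test-Approved $product) { 'approved' } else { 'UNAPPROVED' }
                $hits.Add([pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Product  = $product
                    Status   = $status
                    Source   = $item.Source
                    Evidence = $item.Name
                    Path     = $item.Path
                })
                break
            }
        }
    }
    return $hits
}

$hits = @(Get-RmmHits | Sort-Object Status, Product, Source, Evidence -Unique)
$hits | Format-Table Product, Status, Source, Evidence, Path -AutoSize -Wrap

$bad = @($hits | Where-Object Status -eq 'UNAPPROVED')
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) unapproved remote-access indicator(s) on $env:COMPUTERNAME. Do not uninstall yet: isolate the host, preserve logs, and investigate how it got there."
} else {
    Write-Host "No unapproved remote-access tools found on $env:COMPUTERNAME."
}

# The other state change Storm-1175 leaves behind is Defender exclusions; list what is set right now
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    [pscustomobject]@{
        ExclusionPaths     = ($pref.ExclusionPath -join '; ')
        ExclusionProcesses = ($pref.ExclusionProcess -join '; ')
        ExclusionExts      = ($pref.ExclusionExtension -join '; ')
    } | Format-List
}
```

Save it as Find-Rmm.ps1 and run it locally, or fan it out across the fleet with Invoke-Command -ComputerName server1, pc2 -FilePath .\Find-Rmm.ps1 -ArgumentList @('ScreenConnect') on machines where WinRM is enabled. This is a point-in-time check, so schedule it; an RMM tool that appears between two runs, or a Defender exclusion nobody remembers adding, is the finding the FAQ below tells you to treat as an incident rather than a nuisance.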
FAQ
What is Storm-1175 and why should small businesses care?
Storm-1175 is a threat group tracked by Microsoft that deploys Medusa ransomware. They target internet-facing systems that haven't been patched, which is common in small business environments. Their attacks have hit healthcare, professional services, finance, and education organizations in the US, UK, and Australia. Company size doesn't seem to be a filter for them - unpatched systems are unpatched systems regardless of how many employees you have.
How fast can a Medusa ransomware attack actually happen?
According to Microsoft's April 2026 report, Storm-1175 has completed attacks - from initial breach to full ransomware deployment - in under 24 hours. The typical timeline is five to six days. Either way, that's far faster than most organizations can detect and respond without automated security tools and 24/7 monitoring in place.
Is our business safe if we use cloud-based email instead of on-premises Exchange?
Moving to cloud email eliminates one specific attack vector - on-premises Exchange vulnerabilities - but it doesn't make you safe from ransomware entirely. Storm-1175 targets many types of internet-facing systems including VPNs, remote access tools, and file transfer platforms. Cloud migration is a smart step, but it's one piece of a broader security strategy that should include employee security training, EDR, MFA, and proper backup procedures.
What should we do if we find suspicious remote access software on our systems?
Don't just uninstall it and move on. Unauthorized RMM tools could indicate an active compromise. Disconnect the affected machine from the network, preserve logs, and contact your IT provider or a security professional to investigate. You need to determine how the software got there, what else the attacker may have done, and whether other machines are affected. Treating it as a potential incident rather than a nuisance is the right approach.
We're a small business with limited IT budget. What's the minimum we should do?
Three priorities that deliver the most protection per dollar: (1) Keep internet-facing systems patched within 72 hours of a critical update, as described above, and never longer than a week. (2) Enable MFA on every account - email, VPN, admin portals, everything. (3) Maintain offline or immutable backups with monthly test restores. These three steps address the specific tactics used by groups like Storm-1175 and don't require a large budget. If you want to take it further, an affordable managed cybersecurity service can add 24/7 monitoring and response capabilities.
If you'd like help evaluating your current security posture or putting any of these recommendations in place, reach out to our team. We work with small and mid-sized businesses across Orange County and can help you figure out where you stand and what to prioritize.