Storm-1175 Hackers Exploit N-Day Vulnerabilities at Record Speed, Deploying Medusa Ransomware Globally
A cybercriminal group tracked by Microsoft Threat Intelligence as Storm-1175 is wreaking havoc worldwide by rapidly exploiting unpatched vulnerabilities to deploy Medusa ransomware. Specializing in targeting perimeter assets, systems directly exposed to the internet, the group capitalizes on the critical window between a security flaw’s disclosure and an organization’s patch deployment.
Blitzkrieg Tactics: Exploits in Under 24 Hours
Storm-1175 operates with alarming efficiency, often compromising networks within hours of a vulnerability’s public disclosure. In one recent attack, the group exploited CVE-2025-31324, a flaw in SAP NetWeaver, just one day after its April 24, 2025, announcement. The campaign has disrupted schools, law firms, and hospitals across the UK, US, and Australia.
Since 2023, the group has weaponized over 16 vulnerabilities, including high-profile flaws in PaperCut (CVE-2023-27351) and JetBrains TeamCity (CVE-2024-27198). Notably, Storm-1175 has also demonstrated zero-day exploitation, as seen in its early 2026 attack on SmarterMail (CVE-2026-23760), where it struck a full week before the vulnerability was publicly known.
Stealthy Lateral Movement & Defense Evasion
Once inside a network, Storm-1175 leverages legitimate remote management tools like AnyDesk, ConnectWise ScreenConnect, and PDQ Deployer to move undetected. The group uses Rclone and Bandizip to exfiltrate data before deploying ransomware across entire systems.
A key tactic involves disabling security defenses by manipulating antivirus exclusions, adding the C:\ drive to an exclusion path to prevent detection. This allows the ransomware to execute unimpeded, crippling critical infrastructure.
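The whole-drive exclusion described above leaves a footprint defenders can look for: Microsoft Defender writes Event ID 5007 to its Operational log whenever its configuration changes, and an added path exclusion shows up in the "New value:" line under the Exclusions\Paths registry key. The script below is an added example, not code from the article or from Microsoft; it parses constructed 5007 message bodies (the message layout is assumed from the commonly documented format) and flags exclusions that cover a whole drive, a broad user-writable directory, or an executable file type.

```python
"""Flag dangerously broad Microsoft Defender exclusions in Event ID 5007 records.

Added example (not part of the article). The 'New value:' line layout and the
sample events below are constructed; they follow the commonly documented 5007
message format but are not captured from a real host.
"""
import re
from dataclasses import dataclass

# Registry path under which Defender records exclusions in the 5007 message.
# Only exclusion changes are matched; other configuration changes are skipped.
EXCLUSION_KEY_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions)\\(?P<value>.+?)\s*=\s*0x0",
    re.IGNORECASE,
)

# Locations that should almost never be excluded in full (constructed list).
BROAD_ROOTS = (r"c:\users", r"c:\programdata", r"c:\windows\temp")
# File types whose exclusion effectively blinds real-time scanning (constructed list).
EXECUTABLE_EXTENSIONS = {"exe", "dll", "ps1", "bat", "cmd", "vbs", "js"}


@dataclass
class Finding:
    kind: str    # "Paths" or "Extensions"
    value: str   # the excluded path or extension as logged
    reason: str  # why it was flagged


def classify_exclusion(kind: str, value: str):
    """Return a reason string if the exclusion is dangerously broad, else None."""
    k = kind.lower()
    v = value.strip().lower().rstrip("\\")
    if k == "paths":
        if re.fullmatch(r"[a-z]:", v):
            # e.g. "C:\" - the whole drive is excluded, the tactic in the article
            return "whole drive excluded"
        if v in BROAD_ROOTS:
            return "broad user-writable location excluded"
    elif k == "extensions":
        if v.lstrip(".") in EXECUTABLE_EXTENSIONS:
            return "executable file type excluded"
    return None


def scan_events(events):
    """Scan 5007 message bodies and return the exclusions worth an analyst's attention."""
    findings = []
    for event in events:
        m = EXCLUSION_KEY_RE.search(event)
        if not m:
            continue  # a 5007 that changed something other than an exclusion
        reason = classify_exclusion(m["kind"], m["value"])
        if reason:
            findings.append(Finding(m["kind"], m["value"].strip(), reason))
    return findings


# Constructed sample events (message bodies only, one per list element).
SAMPLE_EVENTS = [
    # 1: whole-drive exclusion, the pattern the article describes
    "Microsoft Defender Antivirus Configuration has changed.\nOld value: \n"
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0",
    # 2: narrow vendor directory, a normal administrative exclusion
    "Microsoft Defender Antivirus Configuration has changed.\nOld value: \n"
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Contoso\Backup = 0x0",
    # 3: excluding every .exe from scanning
    "Microsoft Defender Antivirus Configuration has changed.\nOld value: \n"
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.exe = 0x0",
    # 4: all user profiles excluded
    "Microsoft Defender Antivirus Configuration has changed.\nOld value: \n"
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users = 0x0",
    # 5: a 5007 about a different setting, not an exclusion, so it is skipped here
    "Microsoft Defender Antivirus Configuration has changed.\nOld value: \n"
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1",
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.kind}] {f.value!r}: {f.reason}")
```

The same classification can be applied to a live host by feeding it the `ExclusionPath` and `ExclusionExtension` properties returned by the `Get-MpPreference` PowerShell cmdlet, which is useful as a periodic check independent of log retention.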
A New Era of Cyber Threats
Security experts warn that Storm-1175’s speed and precision mark a dangerous evolution in cybercrime. Unlike opportunistic groups like MedusaLocker, which rely on brute-force attacks, Storm-1175 employs a deliberate, multi-stage playbook, chaining exploits and abusing trusted tools to maximize damage.
The group’s ability to operationalize vulnerabilities within hours, sometimes before patches are available, highlights a growing gap between attacker agility and traditional security defenses. Organizations with slow patching cycles or static security assessments are particularly vulnerable to these high-speed, high-impact attacks.
Source: https://hackread.com/storm-1175-hackers-24-hour-medusa-ransomware-flaw/
SAP Community cybersecurity rating report: https://www.rankiteo.com/company/sap-community-official
{
"id": "SAP1775665752",
"linkid": "sap-community-official",
"type": "Ransomware",
"date": "4/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': ['Education', 'Legal', 'Healthcare'],
'location': ['UK', 'US', 'Australia'],
'type': ['Schools', 'Law firms', 'Hospitals']}],
'attack_vector': ['Exploitation of unpatched vulnerabilities',
'Perimeter assets exposed to the internet'],
'data_breach': {'data_encryption': True, 'data_exfiltration': True},
'description': 'A cybercriminal group tracked as Storm-1175 is rapidly '
'exploiting unpatched vulnerabilities to deploy Medusa '
'ransomware, targeting perimeter assets exposed to the '
'internet. The group operates with alarming efficiency, often '
'compromising networks within hours of a vulnerability’s '
'public disclosure, disrupting schools, law firms, and '
'hospitals across the UK, US, and Australia.',
'impact': {'data_compromised': True,
'operational_impact': 'Crippling critical infrastructure',
'systems_affected': 'Critical infrastructure, schools, law firms, '
'hospitals'},
'initial_access_broker': {'entry_point': 'Exploitation of unpatched '
'vulnerabilities in perimeter '
'assets'},
'motivation': 'Financial gain (ransomware)',
'post_incident_analysis': {'root_causes': ['Slow patching cycles',
'Static security assessments',
'Exposure of perimeter assets to '
'the internet']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': 'Medusa'},
'references': [{'source': 'Microsoft Threat Intelligence'}],
'threat_actor': 'Storm-1175',
'title': 'Storm-1175 Hackers Exploit N-Day Vulnerabilities at Record Speed, '
'Deploying Medusa Ransomware Globally',
'type': 'Ransomware',
'vulnerability_exploited': ['CVE-2025-31324 (SAP NetWeaver)',
'CVE-2023-27351 (PaperCut)',
'CVE-2024-27198 (JetBrains TeamCity)',
'CVE-2026-23760 (SmarterMail)']}