PaperCut, Microsoft, VMware and Ivanti: Microsoft links Medusa ransomware affiliate to zero-day attacks

Storm-1175: China-Based Cybercrime Group Exploits Zero-Days in High-Speed Ransomware Attacks

Microsoft has identified Storm-1175, a financially motivated cybercriminal group based in China, as the force behind a series of high-velocity ransomware attacks leveraging zero-day and n-day exploits. The group, known for deploying Medusa ransomware, rapidly weaponizes newly disclosed vulnerabilities, sometimes within 24 hours of discovery and, in some cases, a week before patches are released.

Storm-1175’s attacks follow a streamlined playbook: initial access via unpatched flaws, followed by credential theft, security tool disablement, and ransomware deployment, often within days. The group has targeted organizations in healthcare, education, professional services, and finance, with significant impacts in the U.S., U.K., and Australia.

Recent campaigns have exploited over 16 vulnerabilities across 10 software products, including:

  • Microsoft Exchange (CVE-2023-21529)
  • PaperCut (CVE-2023-27351, CVE-2023-27350)
  • Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887)
  • ConnectWise ScreenConnect (CVE-2024-1709, CVE-2024-1708)
  • JetBrains TeamCity (CVE-2024-27198, CVE-2024-27199)
  • SmarterMail (CVE-2026-23760, CVE-2025-52691)
  • GoAnywhere MFT (CVE-2025-10035)

In October 2024, Microsoft reported Storm-1175 exploiting CVE-2025-10035 (GoAnywhere MFT) before a patch was available. The group has also chained exploits to create persistence, deploy remote monitoring tools, and exfiltrate data before encrypting systems.

A March 2025 advisory from CISA, the FBI, and MS-ISAC warned that Medusa ransomware attacks had compromised over 300 U.S. critical infrastructure organizations. Microsoft previously linked Storm-1175 to Black Basta and Akira ransomware campaigns exploiting a VMware ESXi flaw in July 2024.

The group’s rapid exploitation of zero-days suggests either advanced in-house capabilities or access to exploit brokers, though many attacks still rely on known (n-day) vulnerabilities. The group’s tactics highlight the growing threat of high-speed, financially driven cybercrime operations.

Source: https://www.bleepingcomputer.com/news/security/microsoft-links-medusa-ransomware-affiliate-to-zero-day-attacks/

VMware cybersecurity rating report: https://www.rankiteo.com/company/vmware

Microsoft Threat Intelligence cybersecurity rating report: https://www.rankiteo.com/company/microsoft-threat-intelligence

PaperCut Software cybersecurity rating report: https://www.rankiteo.com/company/papercut-software

Ivanti cybersecurity rating report: https://www.rankiteo.com/company/ivanti

"id": "VMWMICPAPIVA1775500095",
"linkid": "vmware, microsoft-threat-intelligence, papercut-software, ivanti",
"type": "Vulnerability",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['healthcare',
                                     'education',
                                     'professional services',
                                     'finance'],
                        'location': ['U.S.', 'U.K.', 'Australia'],
                        'type': ['healthcare',
                                 'education',
                                 'professional services',
                                 'finance']}],
 'attack_vector': ['zero-day exploits',
                   'n-day exploits',
                   'unpatched vulnerabilities'],
 'data_breach': {'data_encryption': True, 'data_exfiltration': True},
 'date_publicly_disclosed': '2024-10',
 'description': 'Microsoft has identified Storm-1175, a financially motivated '
                'cybercriminal group based in China, as the force behind a '
                'series of high-velocity ransomware attacks leveraging '
                'zero-day and n-day exploits. The group deploys Medusa '
                'ransomware and rapidly weaponizes newly disclosed '
                'vulnerabilities, sometimes within 24 hours of discovery and '
                'before patches are released. Storm-1175’s attacks follow a '
                'streamlined playbook: initial access via unpatched flaws, '
                'credential theft, security tool disablement, and ransomware '
                'deployment within days. The group has targeted organizations '
                'in healthcare, education, professional services, and finance, '
                'with significant impacts in the U.S., U.K., and Australia.',
 'impact': {'brand_reputation_impact': True,
            'data_compromised': True,
            'identity_theft_risk': True,
            'operational_impact': 'ransomware deployment leading to system '
                                  'encryption and disruption',
            'systems_affected': ['Microsoft Exchange',
                                 'PaperCut',
                                 'Ivanti Connect Secure',
                                 'ConnectWise ScreenConnect',
                                 'JetBrains TeamCity',
                                 'SmarterMail',
                                 'GoAnywhere MFT']},
 'lessons_learned': 'The rapid exploitation of zero-day and n-day '
                    'vulnerabilities highlights the growing threat of '
                    'high-speed, financially driven cybercrime operations. '
                    'Organizations must prioritize patch management and '
                    'proactive threat detection to mitigate such risks.',
 'motivation': 'financial gain',
 'post_incident_analysis': {'root_causes': ['unpatched vulnerabilities',
                                            'rapid exploitation of zero-days '
                                            'and n-days']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'Medusa'},
 'recommendations': ['Prioritize patch management for critical '
                     'vulnerabilities.',
                     'Implement proactive threat detection and monitoring.',
                     'Enhance security tool resilience to prevent disablement.',
                     'Segment networks to limit lateral movement.',
                     'Prepare incident response plans for rapid containment '
                     'and recovery.'],
 'references': [{'source': 'Microsoft'},
                {'source': 'CISA, FBI, MS-ISAC Advisory (March 2025)'}],
 'regulatory_compliance': {'regulatory_notifications': ['CISA',
                                                        'FBI',
                                                        'MS-ISAC']},
 'threat_actor': 'Storm-1175',
 'title': 'Storm-1175: China-Based Cybercrime Group Exploits Zero-Days in '
          'High-Speed Ransomware Attacks',
 'type': ['ransomware', 'data exfiltration'],
 'vulnerability_exploited': ['CVE-2023-21529 (Microsoft Exchange)',
                             'CVE-2023-27351 (PaperCut)',
                             'CVE-2023-27350 (PaperCut)',
                             'CVE-2023-46805 (Ivanti Connect Secure)',
                             'CVE-2024-21887 (Ivanti Connect Secure)',
                             'CVE-2024-1709 (ConnectWise ScreenConnect)',
                             'CVE-2024-1708 (ConnectWise ScreenConnect)',
                             'CVE-2024-27198 (JetBrains TeamCity)',
                             'CVE-2024-27199 (JetBrains TeamCity)',
                             'CVE-2026-23760 (SmarterMail)',
                             'CVE-2025-52691 (SmarterMail)',
                             'CVE-2025-10035 (GoAnywhere MFT)']}