Storm-1175: China-Linked Medusa Ransomware in 24 Hours

Published April 8, 2026 · by ALGERIATECH Editorial

⚡ Key Takeaways

Microsoft has linked China-based Storm-1175 to Medusa ransomware campaigns exploiting 16+ vulnerabilities across 10 software products, with full deployment in under 24 hours. Two zero-days in GoAnywhere MFT and SmarterMail were weaponized before patches existed. Healthcare, education, and finance are the primary targets.

Bottom Line: Audit all internet-facing instances of the 10 named software products immediately and compress patch cycles to days, not weeks.

Read Full Analysis ↓

🧭 Decision Radar

Relevance for Algeria
High
▾

Algeria’s healthcare digitization push and expanding internet-facing government services use many of the same software products targeted by Storm-1175 (Exchange, Ivanti, ConnectWise). Patch cycles in Algerian organizations are typically slower than the 24-hour exploitation window.

Infrastructure Ready?
No
▾

Most Algerian organizations lack dedicated SOC teams, automated patch management, and network segmentation needed to defend against this speed of attack. CERT.dz exists but coverage is limited.

Skills Available?
Limited
▾

Algeria has a small but growing cybersecurity workforce. However, incident response capabilities for ransomware at nation-state speed are virtually nonexistent outside a handful of large institutions.

Action Timeline
Immediate
▾

Organizations running any of the 10 targeted software products should verify patch status today. The vulnerability window Storm-1175 exploits is measured in days, not months.

Key Stakeholders
CERT.dz, Ministry of Health IT directors, Algerian bank CISOs, university IT administrators, Sonatrach and Sonelgaz security teams, managed service providers.

Decision Type
Tactical
▾

This requires immediate defensive action: audit web-facing assets, accelerate patching for the named products, monitor for RMM tool misuse, and establish exfiltration detection for Rclone-like traffic patterns.

Quick Take: Storm-1175’s playbook of exploiting the patch-to-deployment gap is especially dangerous for Algerian organizations, where patch cycles often stretch weeks or months. Any institution running Exchange, Ivanti, ConnectWise, or GoAnywhere MFT should treat this as an immediate priority and compress patching timelines to days, not weeks.

A Ransomware Affiliate Operating at Nation-State Speed

On April 6, 2026, Microsoft’s Threat Intelligence team published a detailed technical blog exposing Storm-1175, a financially motivated threat actor based in China that has been operating as a Medusa ransomware affiliate since at least 2023. What distinguishes Storm-1175 from the typical ransomware crew is not just who they are, but how fast they move: from initial network compromise to full ransomware deployment in as little as 24 hours.

The disclosure arrives less than a year after the FBI, CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory in March 2025 warning that Medusa ransomware had already impacted over 300 critical infrastructure organizations across the United States. Storm-1175’s identification adds a state-linked dimension to what was already one of the most aggressive ransomware operations in the current threat landscape.

The Storm-1175 Playbook

Storm-1175 operates with a consistent and alarmingly efficient methodology. The group targets web-facing assets during the critical window between vulnerability disclosure and widespread patch adoption, a period when many organizations remain exposed.

Since 2023, Microsoft has observed Storm-1175 exploit over 16 vulnerabilities spanning 10 different software products. The targets read like a cross-section of enterprise IT infrastructure: Microsoft Exchange (CVE-2023-21529), PaperCut, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, SmarterMail, BeyondTrust, and GoAnywhere Managed File Transfer.

The group rotates exploits rapidly, adopting new vulnerability chains as fast as they become available. This operational tempo means that Storm-1175 does not depend on any single exploit for long. When one vulnerability gets patched, they move to the next, maintaining a constant pipeline of entry vectors.

Two Zero-Days, Two Critical Failures

The most alarming element of Storm-1175’s operations is their use of zero-day exploits, vulnerabilities weaponized before vendors even know they exist.

CVE-2025-10035, a maximum-severity flaw in GoAnywhere’s Managed File Transfer platform, was exploited by Storm-1175 approximately one week before it was publicly disclosed and patched. GoAnywhere MFT is widely used in healthcare, finance, and government for secure file transfers, making this zero-day particularly dangerous for organizations handling sensitive data.

CVE-2026-23760, a critical authentication bypass vulnerability in SmarterTools’ SmarterMail, was similarly exploited about a week before public disclosure. Authentication bypass flaws are among the most devastating vulnerability types because they allow attackers to log into systems as legitimate users, bypassing all access controls.

The use of zero-day exploits by a financially motivated ransomware affiliate represents a significant escalation. Zero-day development or acquisition requires substantial resources and technical sophistication, capabilities traditionally associated with state-sponsored espionage groups rather than criminal ransomware operators. Storm-1175’s access to these exploits raises questions about the relationship between China’s intelligence apparatus and its cybercriminal ecosystem.

From Breach to Ransomware in Hours

Once Storm-1175 gains initial access, the group follows a methodical post-exploitation sequence designed for speed.

Persistence establishment. The attackers create new user accounts on compromised systems, ensuring they maintain access even if the initial vulnerability is patched. They also deploy web shells, providing a persistent backdoor through the web server.

Lateral movement. Storm-1175 installs legitimate remote monitoring and management (RMM) software to move across the network. By using commercially available tools rather than custom malware, the group’s activity blends with legitimate IT operations, making detection significantly harder.

Credential theft. The group harvests credentials from compromised systems, enabling them to escalate privileges and access additional network segments. Stolen credentials also allow movement to systems that may not be directly vulnerable to the initial exploit.

Security evasion. Before deploying ransomware, Storm-1175 actively interferes with security solutions, disabling endpoint detection tools and antivirus software to ensure the ransomware payload executes without interruption.

Data exfiltration. The group uses Bandizip for file collection and Rclone for data exfiltration, synchronizing stolen files to attacker-controlled cloud storage. This exfiltrated data becomes leverage for Medusa’s double extortion model: pay the ransom or the data gets published.

Ransomware deployment. Finally, Medusa ransomware is deployed, encrypting systems across the victim’s network. In the most aggressive cases, the entire sequence from initial access to ransomware deployment completes within 24 hours.

Healthcare in the Crosshairs

Storm-1175’s targeting profile is heavily weighted toward sectors where data sensitivity and operational urgency create maximum pressure to pay. Healthcare organizations are the primary targets, followed by education, professional services, and finance. Geographically, the attacks concentrate on Australia, the United Kingdom, and the United States.

The healthcare focus is particularly concerning. Hospitals and healthcare systems cannot afford extended downtime; encrypted medical records, disabled imaging systems, and locked-out electronic health records can directly endanger patient lives. This operational urgency makes healthcare organizations more likely to pay ransoms quickly, which is precisely why threat actors target them.

The March 2025 CISA advisory noted that Medusa had already impacted medical, education, legal, insurance, technology, and manufacturing sectors. FBI investigations also uncovered evidence of potential triple extortion: after one victim paid the ransom, a separate Medusa actor claimed the negotiator had stolen the payment and demanded half the amount again for the “true decryptor.”

The Ransomware-as-a-Service Ecosystem

Medusa operates as a ransomware-as-a-service (RaaS) platform, first identified in June 2021. Under this model, Medusa’s developers provide the ransomware toolkit, infrastructure, and negotiation services, while affiliates like Storm-1175 handle the actual intrusions and deployments.

This business model is what makes Storm-1175’s China connection significant. The RaaS ecosystem allows actors with different motivations, whether financial, strategic, or intelligence-driven, to share infrastructure and tactics. A China-based affiliate operating within a global ransomware platform blurs the already hazy line between state-sponsored operations and criminal enterprises.

The arrangement benefits both parties. Storm-1175 gains access to a mature ransomware platform with established extortion infrastructure. Medusa’s operators gain an affiliate with access to zero-day exploits and the operational discipline to execute attacks at nation-state speed.

Defensive Priorities

Microsoft’s disclosure provides specific technical indicators that security teams should act on immediately.

Patch management acceleration. Storm-1175’s entire model depends on exploiting the gap between disclosure and patching. Organizations must compress their patch cycles for internet-facing assets, particularly for the 10 software products identified in the Microsoft report.

Web-facing asset inventory. The group specifically targets exposed perimeter systems. Organizations need complete visibility into their internet-facing attack surface, including forgotten or shadow IT systems that may be running vulnerable software.

RMM tool monitoring. Storm-1175’s use of legitimate remote management tools for lateral movement means that detection cannot rely solely on malware signatures. Security teams must monitor for unauthorized RMM installations and anomalous remote access patterns.

Exfiltration detection. The group’s use of Rclone for data theft creates detectable network patterns. Monitoring for unexpected large-volume transfers to cloud storage services, particularly from file servers and database systems, can provide early warning.

Credential hygiene. Implementing phishing-resistant multi-factor authentication, monitoring for credential reuse, and deploying privileged access management can limit Storm-1175’s ability to escalate privileges after initial access.

The speed and sophistication of Storm-1175’s operations make one thing clear: the traditional patch-when-convenient approach to vulnerability management is no longer viable against adversaries who can move from zero-day to ransomware deployment in under 24 hours.

Follow AlgeriaTech on LinkedIn for professional tech analysis Follow on LinkedIn

Follow @AlgeriaTechNews on X for daily tech insights Follow on X

Frequently Asked Questions

What makes Storm-1175 different from typical ransomware groups?

Storm-1175 combines the speed and technical sophistication of a state-sponsored threat actor with the financial motivation of a criminal ransomware operation. The group exploits zero-day vulnerabilities (flaws weaponized before patches exist), rotates through 16+ exploits across 10 products, and can move from initial breach to full ransomware deployment in under 24 hours. Most ransomware groups take days or weeks to complete this cycle.

How does the Medusa ransomware-as-a-service model work?

Medusa operates as a platform where developers build and maintain the ransomware toolkit, extortion infrastructure, and negotiation services, while affiliates like Storm-1175 handle the actual intrusions. Affiliates gain access to proven ransomware technology; the platform operators gain affiliates with specialized access and capabilities. This division of labor allows groups with different motivations and skill sets to collaborate efficiently.

What immediate steps should organizations take to defend against Storm-1175?

Three priorities: First, audit and patch all internet-facing instances of the 10 software products named in Microsoft’s report (Exchange, PaperCut, Ivanti, ConnectWise, TeamCity, SimpleHelp, CrushFTP, SmarterMail, BeyondTrust, GoAnywhere MFT). Second, monitor for unauthorized installations of remote management tools, which Storm-1175 uses for lateral movement. Third, deploy detection rules for Rclone and Bandizip data exfiltration patterns, which provide early warning before ransomware deployment.