Storm-1175 is a dangerous China-based hacker group that is targeting hospitals, schools and banks with Medusa ransomware, taking down entire networks within 24 hours. Microsoft released this alarming report in April 2026.
The Night Everything Came to an End
Imagine the IT room of a hospital. Everything looks normal on the screens. Nurses are doing their work and doctors are checking the records. And suddenly, one after the other, all the computers get locked. Files get encrypted. A message comes up saying that if you want your data back, you must pay. This is not a scene from a film; this is the war of Storm-1175, and in April 2026 Microsoft exposed this group's entire playbook.
On April 6, 2026 Microsoft Threat Intelligence published a report that sent shock waves through the cybersecurity world. It detailed a hacker group that operates solely for money, yet whose speed and technique have astonished even experts. This group is called Storm-1175, and it's not just a name; it's a complete machine designed to destroy your systems.
Who Is Storm-1175? A China Linked Threat Shaking the World
Storm-1175 is a China-based, financially motivated cybercriminal group, meaning a professional hacker gang working for money. They use Medusa ransomware, which works on a Ransomware-as-a-Service (RaaS) model. In simple words, just as a company subscribes to SaaS software, these hackers use ready-made ransomware. They don't develop the technology; they just attack and take the profit.

Since 2023 Microsoft has caught this group exploiting more than 16 different software vulnerabilities, including flaws in Microsoft Exchange, Ivanti Connect Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail and BeyondTrust. The list is so long that it seems this group has a global software scanner.
Zero-Day Vulnerabilities Exploited Before Developers Can Fix Them
In cybersecurity, Zero-Day refers to a vulnerability that hasn't yet been publicly disclosed, meaning the world doesn't even know it exists while Storm-1175 has already exploited it. CVE-2026-23760, which existed in the SmarterMail email server, was exploited by Storm-1175 a full week before public disclosure. CVE-2025-10035, which existed in GoAnywhere MFT, was also exploited before a patch was released.

Consider the SAP NetWeaver vulnerability CVE-2025-31324. SAP issued an advisory on April 24, 2025, and Storm-1175 weaponized that vulnerability just one day later. One day: while most companies haven't even downloaded the patch yet, these attackers are already inside.
Storm-1175: 24-Hour Attacks & Double Extortion
The speed of this group is what makes them the most dangerous. According to the Microsoft report, Storm-1175 takes over the entire network within just a few days, and in many cases in just 24 hours after gaining initial access. It first infiltrates the system, then creates new user accounts, deploys web shells and installs RMM tools for persistence, steals credentials and then drops the Medusa ransomware.
Once inside, the group uses PDQ Deploy, a legitimate software deployment tool, to silently distribute ransomware across the network. In many cases Group Policy updates are hijacked to deploy ransomware to every machine in the domain at once. They dump credentials with Impacket and Mimikatz, modify Windows Firewall policies to enable RDP, and add an exclusion for the entire C: drive to blind Microsoft Defender Antivirus.
In old ransomware attacks, files were encrypted and money was demanded. Storm-1175 and Medusa have gone even further. They first steal your data, compressing it with Bandizip and uploading it to cloud storage using Rclone, and only then run the ransomware. This means that even if you restore your systems from backup, they still have your data. Now they threaten you that if you do not pay, they will make the data public on Medusa's dedicated leak site. This is double extortion: a lock on one side and blackmail on the other.
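The chain described in the last three paragraphs gives a defender concrete things to look for. As an added example (not code from Microsoft's report), the Python below runs a handful of detection rules over constructed sample events: a new account (Security event 4720), execution of Rclone or Bandizip (Sysmon event 1), a Defender configuration change that excludes a whole drive (Defender operational event 5007) and an inbound firewall rule opening TCP/3389 (Security event 4946). The hostnames, usernames, paths and the simplified flat field layout are assumptions; in practice the events come from a SIEM or Get-WinEvent and the rules are tuned to the environment.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    source: str      # "security", "sysmon" or "defender": which log it came from
    event_id: int
    fields: dict     # simplified, flattened event fields (constructed layout)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


# Executables the report associates with staging and exfiltration.
# bc.exe is Bandizip's command-line binary.
EXFIL_TOOLS = {"rclone.exe", "bandizip.exe", "bc.exe"}

# Matches the "New value: ...\Exclusions\Paths\C:\ = 0x0" part of a Defender
# 5007 message when the excluded path is an entire drive.
DRIVE_ROOT_EXCLUSION = re.compile(r"Exclusions\\Paths\\([A-Za-z]:\\?)\s*=", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> list:
    """Return zero or more findings for a single event."""
    findings = []
    f = ev.fields
    if ev.source == "sysmon" and ev.event_id == 1:
        image = _basename(f.get("Image", ""))
        if image in EXFIL_TOOLS:
            findings.append(Finding(ev.host, "exfil_tool_executed",
                                    f"{image}: {f.get('CommandLine', '')}"))
    if ev.source == "defender" and ev.event_id == 5007:
        m = DRIVE_ROOT_EXCLUSION.search(f.get("Message", ""))
        if m:
            findings.append(Finding(ev.host, "defender_drive_root_exclusion",
                                    f"exclusion added for {m.group(1)}"))
    if ev.source == "security" and ev.event_id == 4946:
        # A real 4946 carries only the rule id/name; port and direction are
        # assumed here to have been enriched from the rule definition.
        if (f.get("Direction", "").lower() == "inbound"
                and f.get("Action", "").lower() == "allow"
                and "3389" in f.get("LocalPorts", "")):
            findings.append(Finding(ev.host, "firewall_rdp_allowed",
                                    f"rule {f.get('RuleName')!r} opened TCP/3389 inbound"))
    if ev.source == "security" and ev.event_id == 4720:
        findings.append(Finding(ev.host, "new_account_created",
                                f"{f.get('SubjectUserName')} created {f.get('TargetUserName')}"))
    return findings


def analyze(events) -> list:
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


def hosts_with_multiple_stages(findings, minimum: int = 2) -> list:
    """Hosts on which several distinct rules fired. A single hit is often noise;
    exclusion + RDP + exfil tool on one machine is the chain the report describes."""
    by_host = {}
    for fnd in findings:
        by_host.setdefault(fnd.host, set()).add(fnd.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= minimum)


# Constructed sample events (hostnames, users and paths are made up).
SAMPLE_EVENTS = [
    Event("DC01", "security", 4720,
          {"SubjectUserName": "jdoe", "TargetUserName": "svc_backup2"}),
    Event("FILE01", "sysmon", 1,
          {"Image": r"C:\Program Files\Bandizip\Bandizip.exe",
           "CommandLine": r"Bandizip.exe c -r D:\Shares\finance.zip D:\Shares\finance"}),
    Event("FILE01", "sysmon", 1,
          {"Image": r"C:\Windows\Temp\rclone.exe",
           "CommandLine": "rclone.exe copy D:\\Shares remote:archive --transfers 8"}),
    Event("WS07", "defender", 5007,
          {"Message": r"Microsoft Defender Antivirus Configuration has changed. "
                      r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0"}),
    Event("WS07", "security", 4946,
          {"RuleName": "Remote Desktop - Temp", "Direction": "Inbound",
           "Action": "Allow", "LocalPorts": "3389"}),
    Event("WS12", "sysmon", 1,
          {"Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
           "CommandLine": "WINWORD.EXE report.docx"}),
]

if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for fnd in results:
        print(f"[{fnd.rule}] {fnd.host}: {fnd.detail}")
    print("hosts with multiple stages:", hosts_with_multiple_stages(results))
```

The per-host correlation is the point: on the sample data only WS07 (drive-root exclusion plus an RDP allow rule) crosses the two-stage threshold, while the lone account creation on DC01 is reported but not escalated.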
Storm-1175 Targets Hospitals, Schools & Banks: How to Stay Protected
This group didn't just attack corporate companies. Microsoft's report clearly states that healthcare organizations have been most impacted. Hospitals that hold sensitive medical records of patients, schools that hold the data of millions of students, professional services firms and finance companies are all on this group's radar.
Geographically, these attacks have been most prevalent in Australia, the United Kingdom and the United States. CISA, along with the FBI, warned in March 2025 that the Medusa ransomware gang had hit more than 300 critical infrastructure organizations in the US.
Microsoft has not only described the threat in the report but also provided solutions. The first and foremost step is to patch internet-facing assets immediately, applying the patch the moment the vulnerability is disclosed. A VPN and a WAF (Web Application Firewall) should be mandatory in front of public services.
Keep Microsoft Defender's Tamper Protection enabled and use the DisableLocalAdminMerge setting so that antivirus exclusions cannot be created with local admin privileges. Monitor for unauthorized activity of data sync tools like Rclone and Bandizip, as these are clear signs of exfiltration. And most importantly, understand your digital footprint and identify your exposed assets with tools like Microsoft Defender External Attack Surface Management.
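As an added example (not Microsoft's own guidance or tooling), the Python below audits an exported Defender configuration for the weak settings this paragraph calls out: Tamper Protection off, DisableLocalAdminMerge not set, a whole-drive exclusion, and real-time monitoring off. The WEAK_ and HARDENED_ dictionaries are constructed exports modelled on Get-MpPreference and Get-MpComputerStatus output; the property names are the real cmdlet properties, the values are assumed.

```python
import re

# A whole-drive exclusion such as "C:\" blinds Defender to everything on that volume.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def _as_list(value):
    # ConvertTo-Json emits a bare string for a single-element array; normalise it.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_defender_posture(prefs: dict, status: dict) -> list:
    """Return the weaknesses found; an empty list means every check passed.

    prefs  - properties exported from Get-MpPreference
    status - properties exported from Get-MpComputerStatus
    """
    issues = []
    if not status.get("IsTamperProtected", False):
        issues.append("tamper_protection_off")
    if not prefs.get("DisableLocalAdminMerge", False):
        # Local admins can still merge their own exclusions into the policy.
        issues.append("local_admin_merge_allowed")
    if prefs.get("DisableRealtimeMonitoring", False):
        issues.append("realtime_monitoring_off")
    for path in _as_list(prefs.get("ExclusionPath")):
        if DRIVE_ROOT.match(path.strip()):
            issues.append(f"drive_root_exclusion:{path.strip()}")
    return issues


# Constructed exports (not taken from a real machine). They model the output of
#   Get-MpPreference | Select-Object DisableLocalAdminMerge, ExclusionPath, DisableRealtimeMonitoring | ConvertTo-Json
#   Get-MpComputerStatus | Select-Object IsTamperProtected | ConvertTo-Json
WEAK_PREFS = {
    "DisableLocalAdminMerge": False,
    "DisableRealtimeMonitoring": False,
    "ExclusionPath": ["C:\\", "D:\\Backups"],
}
WEAK_STATUS = {"IsTamperProtected": False}

# The corrected posture: Tamper Protection on (enabled through Windows Security
# or Intune, not through Set-MpPreference), local admin merge disabled with
#   Set-MpPreference -DisableLocalAdminMerge $true
# and the drive-root exclusion removed.
HARDENED_PREFS = {
    "DisableLocalAdminMerge": True,
    "DisableRealtimeMonitoring": False,
    "ExclusionPath": "D:\\Backups",   # single entry, exported as a bare string
}
HARDENED_STATUS = {"IsTamperProtected": True}

if __name__ == "__main__":
    print("weak:", audit_defender_posture(WEAK_PREFS, WEAK_STATUS))
    print("hardened:", audit_defender_posture(HARDENED_PREFS, HARDENED_STATUS))
```

Run the two cmdlets on a fleet, feed each host's JSON to audit_defender_posture, and the hosts that return a non-empty list are the ones where the Storm-1175 exclusion trick would still work.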
More Than a Warning: A Preview of the Future Threat Landscape
The story of Storm-1175 isn't just about one group of hackers; it shows how cybercrime has become a highly organised, professional business. These attackers are very precise in what they do. They buy zero-day flaws from brokers who sell them, use ransomware on a RaaS model, and can turn newly found flaws into weapons in a matter of hours or even minutes.
They don't care how big or well-known an organization is. They look for weaknesses in all kinds of places on the internet: government networks, hospitals, banks, schools and small businesses. Any system that is open to the public could be a target. This forces organisations to think about security in a new way. The question is no longer who would attack us, but what weaknesses we have.
Storm-1175 uses speed and stealth to get in, stay there, steal credentials and spread ransomware, leaving victims with little time to respond. In a world where attacks are quick, smart and never-ending, companies that don't patch their systems quickly, keep an eye on their attack surface and use layered defences are always at risk. They need to take early action to survive.