~/home/news/storm-1175-accelerates-medusa-2026-04-14

Storm-1175 Accelerates Medusa Ransomware with Zero-Day Exploits

Storm-1175 is weaponising a chain of zero-day and n-day flaws, including CVE-2026-23760, CVE-2025-10035, and CVE-2026-1731, to deliver Medusa ransomware at unprecedented speed, forcing victims to pay before patches can be applied.

Overview/Introduction

In early April 2026, Microsoft Threat Intelligence disclosed that the financially-motivated cybercrime group Storm-1175 has entered a new phase of ransomware operations. The group is executing "high-velocity" campaigns that combine rapid exploitation of both publicly disclosed (n-day) and undisclosed (zero-day) vulnerabilities with swift data exfiltration and ransomware deployment. The end-game is Medusa ransomware, a payload that encrypts critical data and demands payment within hours, leaving victims with little time to react.

What sets these campaigns apart is the inclusion of three critical flaws that were either undisclosed or disclosed only days before the attacks began:

  • CVE-2026-23760 - an authentication bypass in SmarterMail email servers.
  • CVE-2025-10035 - a high-severity remote code execution (RCE) issue in GoAnywhere Managed File Transfer (MFT).
  • CVE-2026-1731 - a critical RCE vulnerability in BeyondTrust Remote Support and older versions of its Privileged Remote Access (PRA) suite.

By chaining these exploits, Storm-1175 can move from initial foothold to ransomware delivery in under 24 hours, a timeline that outpaces most organisations’ patch management processes.

Technical Details

CVE-2026-23760 - SmarterMail Authentication Bypass

SmarterMail, a popular on-premise and cloud-based email platform, suffered a critical authentication bypass that allowed unauthenticated actors to obtain administrative session tokens. The flaw resides in the Login.aspx endpoint, where the server fails to validate the AuthToken header when a crafted POST request includes a specially-crafted sessionId parameter. Exploitation grants full mailbox access, the ability to create new accounts, and, crucially, the ability to upload malicious DLLs into the WebAdmin directory.

Storm-1175 leverages this bypass to install a web-shell, then uses the shell to pull the Medusa dropper directly from a C2 server. Because the vulnerability is present in versions as recent as 2025.2, many organisations that had not yet applied the emergency patch were vulnerable.

CVE-2025-10035 - GoAnywhere MFT Remote Code Execution

GoAnywhere MFT, used for secure file transfers, contains a deserialization flaw in its TransferJob API. An attacker who can submit a crafted JSON payload to /api/v1/jobs/execute can trigger arbitrary Java deserialization, leading to RCE with SYSTEM privileges on the host. The vulnerability was disclosed publicly on 3 March 2026, but Storm-1175 began exploiting it within 48 hours, as evidenced by network telemetry from compromised organisations.

In practice, the group creates a malicious Java object that loads a base-64-encoded Medusa payload, writes it to the /opt/goanywhere/medusa directory, and registers it as a scheduled task. The rapid exploitation of this flaw demonstrates the group’s capability to monitor vulnerability disclosures and weaponise them in near-real time.

CVE-2026-1731 - BeyondTrust Remote Support RCE

The most alarming of the three is CVE-2026-1731, a critical RCE in BeyondTrust Remote Support (BTRS). The flaw resides in the RemoteControlSession component, where an unauthenticated attacker can send a crafted TCP packet to port 443 that triggers a stack buffer overflow, allowing execution of arbitrary shellcode. The vulnerability also affects older versions of BeyondTrust’s Privileged Remote Access (PRA) suite, a tool widely adopted by SOCs for privilege escalation and remote troubleshooting.

Storm-1175’s playbook shows that they first identify exposed BTRS instances via internet-wide scanning, then deliver a one-shot exploit that drops a PowerShell-based Medusa installer. Because BTRS often runs with elevated privileges, the ransomware inherits SYSTEM rights, enabling it to encrypt network shares, Active Directory-backed file servers, and even domain controllers.

Attack Chain Overview

1. Recon - Internet-wide scans for exposed SmarterMail, GoAnywhere MFT, and BeyondTrust Remote Support (BTRS) endpoints.
2. Exploitation - Use CVE-2026-23760 (SmarterMail) or CVE-2025-10035 (GoAnywhere) to gain foothold; if remote-support tools are present, use CVE-2026-1731 for privileged code execution.
3. Lateral Movement - Deploy Cobalt Strike beacon or custom backdoor; harvest credentials via LSASS dumping, Mimikatz, or Kerberoasting.
4. Data Exfiltration - Compress and exfiltrate critical files to a 1-pixel image or DNS tunnel within 12 hours.
5. Ransomware Deployment - Drop Medusa payload, encrypt files, and leave a ransom note demanding payment within 48 hours.
6. Extortion - Threaten public release of stolen data if ransom is not paid.
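One defensive use of this stage model is to correlate detections by host and alert when several stages land inside one short window, since the compressed timeline is itself the signature of a high-velocity intrusion. The Python below is an added example written for this article, not code from Microsoft or from the original report; the pipe-separated event format, the stage labels and every sample line are constructed for illustration.

```python
"""Correlate stage-tagged detections per host and flag high-velocity intrusions.

Added example for this article (not Microsoft's or the original author's code).
Event format and stage names are assumptions; all sample events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Stage labels follow the article's attack chain overview (recon is listed but
# rarely observable on the victim side, so it is not required for an alert).
STAGES = ("recon", "exploitation", "lateral_movement", "exfiltration", "ransomware")

# Constructed sample telemetry: ISO-8601 timestamp | host | stage | detail.
SAMPLE_LOG = """\
2026-03-20T02:10:00|mx01|exploitation|web shell written under SmarterMail WebAdmin directory
2026-03-20T05:30:00|mx01|lateral_movement|LSASS memory read by a non-standard process
2026-03-20T11:00:00|mx01|exfiltration|burst of outbound DNS TXT queries to a newly seen domain
2026-03-20T19:45:00|mx01|ransomware|mass rename of share contents to .medusa
2026-03-18T08:00:00|edge01|recon|repeated probes against the Remote Support listener on 443
2026-03-01T09:00:00|app03|exploitation|unexpected POST to GoAnywhere /api/v1/jobs/execute
2026-03-10T14:00:00|app03|lateral_movement|new account added to Domain Admins
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    stage: str
    detail: str


def parse_event(line: str) -> Event:
    """Parse one pipe-separated line; rejects unknown stage labels."""
    ts, host, stage, detail = line.strip().split("|", 3)
    if stage not in STAGES:
        raise ValueError(f"unknown stage {stage!r}: {line!r}")
    return Event(datetime.fromisoformat(ts), host, stage, detail)


def group_by_host(lines):
    """Parse all non-empty lines and return {host: [events sorted by time]}."""
    by_host = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_event(line)
            by_host[ev.host].append(ev)
    return {h: sorted(evs, key=lambda e: e.ts) for h, evs in by_host.items()}


def assess_host(events, window=timedelta(hours=24), min_stages=3):
    """Slide a window over a host's events and return the densest run of stages.

    alert is True when at least min_stages distinct stages fall inside one window.
    """
    events = sorted(events, key=lambda e: e.ts)
    best = {"alert": False, "stages": (), "span_hours": 0.0}
    for i, start in enumerate(events):
        in_window = [e for e in events[i:] if e.ts - start.ts <= window]
        stages = tuple(s for s in STAGES if any(e.stage == s for e in in_window))
        if len(stages) > len(best["stages"]):
            span = (in_window[-1].ts - start.ts).total_seconds() / 3600
            best = {"alert": len(stages) >= min_stages,
                    "stages": stages, "span_hours": round(span, 2)}
    return best


def foothold_to_encryption(events):
    """Hours from the first exploitation event to the first ransomware event, or None."""
    expl = [e.ts for e in events if e.stage == "exploitation"]
    rans = [e.ts for e in events if e.stage == "ransomware"]
    if not expl or not rans:
        return None
    return round((min(rans) - min(expl)).total_seconds() / 3600, 2)


def run(lines=None):
    """Assess every host in the log; defaults to the constructed sample."""
    if lines is None:
        lines = SAMPLE_LOG.splitlines()
    report = {}
    for host, events in group_by_host(lines).items():
        result = assess_host(events)
        result["foothold_to_encryption_hours"] = foothold_to_encryption(events)
        report[host] = result
    return report


if __name__ == "__main__":
    for host, result in run().items():
        flag = "ALERT" if result["alert"] else "ok"
        print(f"{host:8} {flag:5} stages={result['stages']} "
              f"span={result['span_hours']}h "
              f"foothold->encrypt={result['foothold_to_encryption_hours']}")
```

In the sample, the mail server reaches four stages in under 18 hours and is flagged, while the application server with the same two early stages spread over nine days is not; the 24-hour window and three-stage threshold are tuning knobs that should be set from the dwell times an organisation actually observes.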

Impact Analysis

The affected product suite spans several critical infrastructure layers:

  • Enterprise Email (SmarterMail) - Compromise can lead to credential theft, phishing campaigns, and full mailbox encryption.
  • Managed File Transfer (GoAnywhere MFT) - RCE enables attackers to hijack file-transfer pipelines, steal intellectual property, and encrypt data in transit.
  • Privileged Remote-Access (BeyondTrust Remote Support) - Provides the highest level of system control; compromise can result in domain-wide ransomware spread.

Healthcare, education, professional services, and finance organisations in Australia, the United Kingdom, and the United States have already reported incidents. The speed of the attacks, often under 24 hours from exploitation to encryption, means that traditional patch-management windows (weekly or monthly) are insufficient. The ransomware’s “high-velocity” nature also pressures victims into paying quickly, as data loss can become irreversible within a single business day.

Timeline of Events

  • 02 Feb 2026 - CVE-2026-1731 disclosed publicly by BeyondTrust.
  • 09 Feb 2026 - CISA adds CVE-2026-1731 to the Known Exploited Vulnerabilities (KEV) catalog.
  • 03 Mar 2026 - CVE-2025-10035 (GoAnywhere MFT) disclosed.
  • 05 Mar 2026 - Storm-1175 begins exploiting GoAnywhere RCE in the wild.
  • 15 Mar 2026 - CVE-2026-23760 (SmarterMail) disclosed in vendor advisory.
  • 20 Mar 2026 - First observed Medusa ransomware infection leveraging SmarterMail bypass.
  • 07 Apr 2026 - Microsoft publishes detailed blog post linking the three exploits to high-velocity Medusa campaigns.
  • 09 Apr 2026 - Several healthcare providers in the US report Medusa encryption on file servers after BTRS compromise.

Mitigation/Recommendations

  • Patch Immediately - Apply vendor-released fixes for CVE-2026-23760, CVE-2025-10035, and CVE-2026-1731 as soon as they become available. Prioritise emergency patching for exposed internet-facing services.
  • Network Segmentation - Isolate email, file-transfer, and privileged-access appliances from the corporate LAN. Use firewalls or zero-trust micro-segmentation to restrict inbound traffic to required IP ranges.
  • Reduce Attack Surface - Disable unused services on SmarterMail and GoAnywhere, enforce strong MFA for admin portals, and limit RDP/Remote-Support ports to VPN-only access.
  • Threat Hunting - Search for indicators of compromise (IOCs) associated with Medusa (e.g., file extensions .medusa, ransom note strings, known C2 domains). Look for suspicious PowerShell commands and scheduled tasks created under SYSTEM.
  • Incident Response Playbooks - Update ransomware response procedures to include high-velocity scenarios: rapid containment, immediate verification of offline backups, and pre-approved communication templates for ransom negotiations.
  • Backup Strategy - Implement immutable, air-gapped backups that are refreshed daily. Verify restore capability within 12 hours to counter the accelerated encryption timeline.
  • Vendor Collaboration - Engage with SmarterMail, GoAnywhere, and BeyondTrust support teams for threat-intelligence sharing. Request indicators of compromise and any out-of-band mitigations.
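The threat-hunting bullet above can be turned into a small rule set that runs over endpoint telemetry. The Python below is an added example, not code from the article or from any vendor: it parses constructed JSON-lines events and flags the indicators named above (the .medusa extension, a ransom-note file, encoded PowerShell, scheduled tasks created under SYSTEM that run from a user-writable path, and lookups of a known C2 domain). The C2 domain and the ransom-note marker are placeholders to be replaced with vendor-supplied IOCs; the event shape and every sample event are constructed.

```python
"""Hunt constructed endpoint telemetry for the Medusa indicators the article lists.

Added example for this article, not code from the article or from any vendor.
The JSON-lines event shape, rule names, C2 domain and ransom-note marker are
assumptions or placeholders; every sample event is constructed.
"""
import json
import re

MEDUSA_EXTENSION = ".medusa"
# Placeholder: replace with the note filename string from vendor-supplied IOCs.
RANSOM_NOTE_MARKERS = ("READ_ME_MEDUSA",)
# Placeholder domain on the reserved .invalid TLD, not a real indicator.
KNOWN_C2_DOMAINS = {"c2-placeholder.example.invalid"}
# PowerShell accepts abbreviated switches, so match -e/-ec/-enc/-encodedcommand
# followed by a Base64-looking argument.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}")
SYSTEM_PRINCIPALS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}
# Tasks created under SYSTEM are routine when the binary lives in a protected path;
# flag the ones whose command runs from elsewhere (ProgramData, Users, Temp, ...).
TRUSTED_TASK_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample telemetry, one JSON object per line.
SAMPLE_EVENTS = r"""
{"ts":"2026-03-20T19:40:12","host":"fs01","type":"file_rename","old":"Q1-budget.xlsx","new":"Q1-budget.xlsx.medusa"}
{"ts":"2026-03-20T19:40:13","host":"fs01","type":"file_rename","old":"draft.txt","new":"draft_final.txt"}
{"ts":"2026-03-20T19:41:00","host":"fs01","type":"file_create","path":"D:\\shares\\!!!READ_ME_MEDUSA!!!.txt"}
{"ts":"2026-03-20T18:02:44","host":"btrs01","type":"process","image":"powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"ts":"2026-03-20T18:03:10","host":"btrs01","type":"task_created","task":"\\Microsoft\\Windows\\UpdateSvc","subject_user":"SYSTEM","command":"C:\\ProgramData\\svc.exe"}
{"ts":"2026-03-20T18:05:31","host":"btrs01","type":"dns","qname":"c2-placeholder.example.invalid."}
{"ts":"2026-03-20T09:00:00","host":"ws22","type":"task_created","task":"\\Backup\\Nightly","subject_user":"SYSTEM","command":"C:\\Program Files\\Backup\\run.exe --full"}
{"ts":"2026-03-20T10:15:00","host":"ws22","type":"process","image":"powershell.exe","cmdline":"powershell.exe -File C:\\scripts\\inventory.ps1"}
"""


def check_event(ev):
    """Return the hunting rules that one parsed event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "file_rename" and ev.get("new", "").lower().endswith(MEDUSA_EXTENSION):
        hits.append("medusa_extension")
    if kind == "file_create" and any(m in ev.get("path", "") for m in RANSOM_NOTE_MARKERS):
        hits.append("ransom_note")
    if kind == "process" and "powershell" in ev.get("image", "").lower() \
            and ENCODED_PS.search(ev.get("cmdline", "")):
        hits.append("encoded_powershell")
    if kind == "task_created" and ev.get("subject_user", "").upper() in SYSTEM_PRINCIPALS:
        cmd = ev.get("command", "").lower()
        if not cmd.startswith(TRUSTED_TASK_PREFIXES):
            hits.append("system_task_untrusted_path")
    if kind == "dns" and ev.get("qname", "").lower().rstrip(".") in KNOWN_C2_DOMAINS:
        hits.append("known_c2_domain")
    return hits


def hunt(lines):
    """Parse JSON lines (skipping blanks and malformed records) and collect findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is dropped, not fatal
        for rule in check_event(ev):
            findings.append({"ts": ev.get("ts"), "host": ev.get("host"), "rule": rule})
    return findings


def summarize(findings):
    """Map each host to the sorted list of rules that fired on it."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return {h: sorted(r) for h, r in by_host.items()}


if __name__ == "__main__":
    for host, rules in summarize(hunt(SAMPLE_EVENTS.splitlines())).items():
        print(f"{host}: {', '.join(rules)}")
```

The scheduled-task rule deliberately combines two conditions (SYSTEM as the creating principal and a command outside the protected program directories) because SYSTEM-created tasks alone are too common to hunt on; the benign nightly backup task in the sample passes, the task launching from ProgramData does not.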

Real-World Impact

The convergence of zero-day exploitation and ransomware delivery is reshaping the threat landscape. Organisations that relied on “patch-later” strategies now face a situation where a vulnerability can be weaponised before a patch exists. The rapid encryption of critical data forces executives to make payment decisions under duress, often without the luxury of consulting legal or insurance teams.

Beyond the immediate financial loss, the breach of privileged-access tools like BeyondTrust can undermine the trust in remote-support services, leading to broader operational disruptions. In the healthcare sector, encrypted patient records can halt treatment, trigger regulatory penalties under HIPAA, and damage reputation irrevocably.

Expert Opinion

From a strategic standpoint, Storm-1175 is demonstrating a sophisticated “vulnerability-to-ransomware” pipeline that mirrors the tactics of nation-state actors, albeit for profit. Their focus on privileged-access and file-transfer solutions indicates an understanding that compromising these services provides both lateral movement and high-value data exfiltration pathways.

For the industry, this signals a shift toward pre-emptive threat hunting and continuous vulnerability monitoring. Traditional patch cycles are no longer sufficient; organisations must adopt a “patch-as-you-go” model, leveraging automated tools that ingest vendor advisories and apply critical fixes within hours.

Moreover, the rapid adoption of zero-day exploits underscores the need for robust zero-trust architectures. Even if a vulnerability is patched, an attacker who has already gained a foothold can bypass network controls. Implementing strict identity verification, least-privilege access, and micro-segmentation will limit the blast radius of any successful exploit.

Finally, the Medusa ransomware’s high-velocity approach forces a reevaluation of ransomware insurance policies. Insurers will likely demand proof of rapid patching, immutable backups, and documented incident-response capabilities before underwriting coverage.

In short, Storm-1175’s campaign is a wake-up call: the window between vulnerability disclosure and exploitation is shrinking dramatically, and the only defence is a proactive, layered security posture.