Back to Intelligence

Storm-1175 and Medusa Ransomware: Defending Against Rapid Exploitation of New Vulnerabilities

SA
Security Arsenal Team
April 8, 2026
6 min read

A financially motivated threat actor tracked as Storm-1175 (originating from China) is actively leveraging newly disclosed security vulnerabilities to compromise networks at alarming speeds. Unlike traditional actors who dwell in networks for months, Storm-1175 operates with a "smash-and-grab" methodology: breach an exposed system, immediately move laterally, steal sensitive data, and deploy the Medusa ransomware payload.

The urgency for defenders cannot be overstated. This group capitalizes on the window of time between a vulnerability disclosure (CVE release) and an organization's ability to patch. If you manage internet-facing infrastructure—specifically VPNs, firewalls, or public-facing services—you are currently in the crosshairs.

Technical Analysis

Threat Actor Profile

  • Name: Storm-1175
  • Origin: China-based
  • Motivation: Financial (Ransomware-as-a-Service operations)
  • TTPs: Exploitation of N-day (newly disclosed) vulnerabilities, rapid lateral movement, data exfiltration, encryption.

Attack Chain & Malware

  1. Initial Access: Storm-1175 scans for and exploits recently disclosed vulnerabilities in internet-facing assets. While the specific CVE varies based on the latest available zero-day or N-day, the pattern is consistent: they weaponize flaws before organizations can apply patches.
  2. Lateral Movement: Upon gaining a foothold, the actor utilizes native tools and remote administration protocols (such as RDP, SMB, or WMI) to spread through the network.
  3. Impact: The group deploys Medusa, a ransomware variant known for fast encryption speeds. Medusa typically deletes Volume Shadow Copies to prevent recovery and drops a ransom note (README[...].txt) in affected directories.

Affected Systems

While the entry point varies based on the specific unpatched software, the Medusa payload targets Windows environments. The primary risk vector is any exposed, unpatched service accessible from the internet.

Exploitation Status

  • Status: Confirmed Active Exploitation
  • Trend: Rising exploitation of "new" security issues (N-days) immediately following disclosure.

Detection & Response

Given the speed of this actor, detection must focus on the behaviors occurring immediately post-exploitation: the disabling of recovery mechanisms and the execution of the Medusa payload.

Sigma Rules

YAML
---
title: Medusa Ransomware - VSS Shadow Copy Deletion
id: 92e1d2a3-4b5c-6d7e-8f9a-1b2c3d4e5f6a
status: experimental
description: Detects the deletion of Volume Shadow Copies which is a common step for Medusa and other ransomware to prevent recovery.
references:
 - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2025/04/16
tags:
 - attack.impact
 - attack.t1490
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   Image|endswith: '\vssadmin.exe'
   CommandLine|contains: 'delete shadows'
 condition: selection
falsepositives:
 - System administrators performing maintenance (rare)
level: high
---
title: Medusa Ransomware - Note File Creation
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
description: Detects the creation of README.txt files which Medusa uses as ransom notes. Highly indicative when found in user directories or network shares.
references:
 - Internal Threat Research
author: Security Arsenal
date: 2025/04/16
tags:
 - attack.impact
 - attack.t1486
logsource:
 category: file_create
 product: windows
detection:
 selection:
   TargetFilename|contains: '\README'
   TargetFilename|endswith: '.txt'
 condition: selection
falsepositives:
 - Legitimate software installation or documentation creation
level: medium
---
title: Medusa Ransomware - Suspicious Process Execution
id: 7g8h9i0j-1k2l-3m4n-5o6p-7q8r9s0t1u2v
status: experimental
description: Detects execution of typical Medusa ransomware process names or binaries spawned from unusual locations.
references:
 - https://www.mandiant.com/resources/blog/medusa-ransomware
author: Security Arsenal
date: 2025/04/16
tags:
 - attack.execution
 - attack.t1059
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   Image|endswith:
     - '\medusa.exe'
     - '\rundll32.exe' # Often used for DLL side-loading
   CommandLine|contains:
     - '-encrypt'
     - '-lock'
 condition: selection
falsepositives:
 - None expected for 'medusa.exe'
level: critical

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Medusa Ransomware Indicators
// 1. VSS Deletion
let VSSDeletion =
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "vssadmin.exe"
| where ProcessCommandLine contains "delete" and ProcessCommandLine contains "shadows"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath;
// 2. Ransom Note Creation
let RansomNote =
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName startswith "README" and FileName endswith ".txt"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath;
// 3. High volume file changes (potential encryption)
let FileEncryption =
DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType == "FileCreated"
| where FileName endswith ".medusa" // Known extension used sometimes
| summarize count() by DeviceName, bin(Timestamp, 5m)
| where count_ > 50;
// Union results
union VSSDeletion, RansomNote

Velociraptor VQL

VQL — Velociraptor
-- Hunt for Medusa Ransomware Notes and VSS Deletion Artifacts
SELECT 
  FullPath, 
  Size, 
  Mtime, 
  Mode.String as Mode,
  Data.Data as ContentPreview
FROM glob(globs="/*RE*.txt", root="/")
WHERE Mtime > now() - 7d

-- Check for vssadmin execution in recent process logs
SELECT Pid, Name, CommandLine, Exe
FROM pslist()
WHERE Name =~ "vssadmin.exe" 
   AND CommandLine =~ "delete"
   AND Exe =~ "vssadmin.exe"

Remediation Script (PowerShell)

PowerShell
# Medusa / Storm-1175 Response Script
# Run as Administrator on potentially affected endpoints

Write-Host "[+] Starting Medusa Ransomware Hunt and Hardening..." -ForegroundColor Cyan

# 1. Scan for Ransom Notes in User Profiles
Write-Host "[!] Scanning for README*.txt ransom notes..." -ForegroundColor Yellow
$notes = Get-ChildItem -Path C:\Users\ -Recurse -Filter "README*.txt" -ErrorAction SilentlyContinue
if ($notes) {
    foreach ($note in $notes) {
        Write-Host "[!!] FOUND RANSOM NOTE: $($note.FullName)" -ForegroundColor Red
        # Log to event log for SIEM correlation
        Write-EventLog -LogName Application -Source "SecurityArsenal" -EntryType Error -EventId 9999 -Message "Medusa Ransom Note Found: $($note.FullName)"
    }
} else {
    Write-Host "[+] No ransom notes found." -ForegroundColor Green
}

# 2. Verify VSS Service Status (Often disabled by Medusa)
Write-Host "[!] Checking Volume Shadow Copy Service..." -ForegroundColor Yellow
$vssService = Get-Service -Name VSS -ErrorAction SilentlyContinue
if ($vssService.Status -ne "Running") {
    Write-Host "[!!] WARNING: VSS Service is not running. Attempting to start..." -ForegroundColor Red
    try {
        Start-Service -Name VSS -ErrorAction Stop
        Write-Host "[+] VSS Service started successfully." -ForegroundColor Green
    } catch {
        Write-Host "[!!] Failed to start VSS Service." -ForegroundColor Red
    }
} else {
    Write-Host "[+] VSS Service is running." -ForegroundColor Green
}

# 3. Network Hardening - Block RDP from Internet (Firewall Rule Check)
Write-Host "[!] Checking for open RDP rules..." -ForegroundColor Yellow
$rdpRules = Get-NetFirewallRule | Where-Object { $_.Enabled -eq $true -and $_.Direction -eq "Inbound" -and ($_.DisplayName -like "*Remote Desktop*" -or $_.DisplayGroup -like "*Remote Desktop*") }
if ($rdpRules) {
    Write-Host "[!!] Active RDP Firewall Rules found. Review scope:" -ForegroundColor Red
    $rdpRules | Select-Object DisplayName, Profile, Direction, Action | Format-Table
} else {
    Write-Host "[+] No standard RDP rules found or enabled." -ForegroundColor Green
}

Write-Host "[+] Script complete. Review logs for findings." -ForegroundColor Cyan

Remediation

  1. Patch Immediately (Priority 0): The entry vector for Storm-1175 is unpatched vulnerabilities. Conduct an immediate scan of all internet-facing assets. Prioritize patching any vulnerability tagged as "Exploitation Detected" or "High/Critical" by your vendor or CISA KEV.
  2. Disable Internet-Facing RDP: Ensure RDP (TCP 3389) is not accessible from the internet. Use VPNs with MFA or Zero Trust Network Access (ZTNA) solutions instead.
  3. Implement Strict Segmentation: Medusa relies on lateral movement. Segment your network to limit the ability of the actor to move from an infected web server to critical data storage.
  4. Offline Backups: Verify that backups are immutable and offline. Medusa actively attempts to delete Volume Shadow Copies; ensure you have a recovery pathway that does not rely on VSS.
  5. User Awareness: If the initial access shifts to phishing (a common secondary vector), educate users on identifying suspicious attachments.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwareforensicsstorm-1175medusa-ransomwarevulnerability-exploitationsoc-mdr

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action