Back to Intelligence

Storm-1175 High-Velocity Campaigns: Defending Against Medusa Ransomware and N-Day Exploitation

SA
Security Arsenal Team
April 10, 2026
6 min read

Microsoft has issued a critical warning regarding the financially motivated threat actor Storm-1175, known for deploying Medusa ransomware through aggressive "high-velocity" campaigns. Unlike traditional actors who wait for zero-days, Storm-1175 focuses on the rapid exploitation of n-day vulnerabilities—flaws for which patches exist but have not yet been applied—and unpatched systems in enterprise environments.

The "high velocity" designation refers to the speed with which this weaponizes newly disclosed vulnerabilities. Defenders have a shrinking window between patch release and weaponization. This group actively targets internet-facing infrastructure, making speed in detection and patching the primary defense against encryption and data extortion.

Technical Analysis

Affected Products and Platforms

  • Primary Targets: Internet-facing edge devices and web applications, including Citrix ADC/Gateway, VPN appliances, and file-sharing servers.
  • Infrastructure: Storm-1175 abuses legitimate infrastructure, including Microsoft Azure and Cloudflare Tunnels, to obfuscate command-and-control (C2) traffic, making network-based detection difficult.
  • Payloads: The campaign culminates in the deployment of MedusaLocker, a robust ransomware variant known for double-extortion tactics.

Vulnerabilities and Exploitation Status

While the campaign adapts to various vulnerabilities, it heavily relies on n-day exploits. Specific technical indicators highlight the exploitation of:

  • Exploitation Status: Confirmed Active Exploitation (In-the-Wild).
  • Common Targets: Unpatched CVEs in edge devices (e.g., Citrix, Fortinet) that provide external remote access.

Attack Chain

  1. Initial Access: Exploitation of unpatched internet-facing services (n-day vulnerabilities) or valid accounts obtained via phishing.
  2. Execution & Persistence: Deployment of SystemBC (a malware-based proxy/socks5 tool) and Cobalt Strike Beacons. Notably, SystemBC is often masqueraded as msupdate.exe to mimic Windows Update processes.
  3. Lateral Movement: Abuse of legitimate remote management tools, specifically ScreenConnect (ConnectWise) and AnyDesk, to move laterally through the network.
  4. Impact: Execution of Medusa ransomware to encrypt files and exfiltrate data for extortion.

Detection & Response

Sigma Rules

The following Sigma rules detect the masquerading of SystemBC (msupdate.exe) and the suspicious usage of ScreenConnect by Storm-1175.

YAML
---
title: Storm-1175 SystemBC Masquerading as Windows Update
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects Storm-1175 masquerading SystemBC proxy as 'msupdate.exe' running from non-system paths, a common TTP for this actor.
references:
  - https://www.microsoft.com/en-us/security/blog/
author: Security Arsenal
date: 2024/05/22
tags:
  - attack.defense_evasion
  - attack.t1036.005
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\msupdate.exe'
  filter:
    Image|startswith: 'C:\Windows\System32\'
  condition: selection and not filter
falsepositives:
  - None (Legitimate Windows Update runs from System32)
level: critical
---
title: Suspicious ScreenConnect Client Execution
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects the execution of ScreenConnect client (ConnectWise Control) from a suspicious user profile path or unusual parent process, indicative of Storm-1175 lateral movement.
references:
  - https://attack.mitre.org/techniques/T1219/
author: Security Arsenal
date: 2024/05/22
tags:
  - attack.command_and_control
  - attack.t1219
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains: '\ScreenConnect\'
    Image|endswith: '\ClientService.exe'
  filter_legit_path:
    Image|startswith: 'C:\Program Files\' 
  condition: selection and not filter_legit_path
falsepositives:
  - Legitimate administrative use of portable ScreenConnect clients
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for the characteristic process execution patterns of Storm-1175, specifically focusing on msupdate.exe execution and suspicious PowerShell arguments often used to deploy payloads.

KQL — Microsoft Sentinel / Defender
// Hunt for Storm-1175 TTPs: msupdate.exe masquerading and suspicious PS execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ((FileName =~ "msupdate.exe" and FolderPath !contains @"System32") or 
        (ProcessCommandLine contains "SystemBC" or 
         ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}" and ProcessCommandLine contains "-enc"))
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

Velociraptor VQL

This VQL artifact hunts for the presence of msupdate.exe outside of system directories and checks for common persistence mechanisms associated with Medusa ransomware.

VQL — Velociraptor
-- Hunt for Storm-1175 indicators: msupdate.exe and ScreenConnect artifacts
SELECT
  FullPath,
  Size,
  ModTime,
  Mtime AS ModifiedTime
FROM glob(globs="\\Users\\**\\msupdate.exe")

UNION ALL

SELECT
  FullPath,
  Size,
  ModTime,
  Mtime AS ModifiedTime
FROM glob(globs="C:\\ProgramData\\*.exe")
WHERE FileName =~ "ScreenConnect" OR FileName =~ "ClientService"

Remediation Script (PowerShell)

This script assists in identifying and terminating suspicious instances of the masqueraded msupdate.exe payload and checks for common unauthorized remote management tools.

PowerShell
# Remediation Script for Storm-1175 / Medusa Indicators
# Requires Administrator Privileges

Write-Host "[+] Scanning for suspicious msupdate.exe processes (Storm-1175 TTP)..."

# Find processes named msupdate.exe NOT running from System32
$suspiciousProcs = Get-WmiObject Win32_Process | Where-Object { 
    $_.Name -eq 'msupdate.exe' -and 
    $_.ExecutablePath -notlike '*\System32\*'
}

if ($suspiciousProcs) {
    foreach ($proc in $suspiciousProcs) {
        Write-Host "[!] FOUND Suspicious Process: PID $($proc.Handle), Path $($proc.ExecutablePath)"
        try {
            Stop-Process -Id $proc.Handle -Force
            Write-Host "[+] Process Terminated."
            # Remove the file
            if (Test-Path $proc.ExecutablePath) {
                Remove-Item $proc.ExecutablePath -Force
                Write-Host "[+] File Removed: $($proc.ExecutablePath)"
            }
        } catch {
            Write-Host "[-] Error terminating process or removing file: $_"
        }
    }
} else {
    Write-Host "[-] No suspicious msupdate.exe processes found."
}

# Check for unauthorized ScreenConnect in user directories
Write-Host "[+] Scanning for unauthorized ScreenConnect clients..."
$paths = @("C:\Users\*", "C:\ProgramData")
$foundSc = @()

foreach ($path in $paths) {
    $found = Get-ChildItem -Path $path -Filter "ClientService.exe" -Recurse -ErrorAction SilentlyContinue | 
             Where-Object { $_.DirectoryName -notlike "*Program Files*" }
    if ($found) { $foundSc += $found }
}

if ($foundSc) {
    Write-Host "[!] WARNING: Potential unauthorized ScreenConnect found:"
    $foundSc | Select-Object FullName, LastWriteTime
} else {
    Write-Host "[-] No unauthorized ScreenConnect clients found."
}

Remediation

To mitigate the "High Velocity" threat posed by Storm-1175 and Medusa ransomware, immediate action is required across vulnerability management and network hygiene.

  1. Patch Edge Devices Immediately:

    • Inventory all internet-facing assets (VPNs, Citrix ADCs, Web Servers).
    • Apply patches for known n-day vulnerabilities immediately. Do not wait for standard maintenance windows.
    • Specific Focus: Ensure Citrix ADC/Gateway devices are patched against the latest critical vulnerabilities (e.g., CVE-2023-3519 and subsequent bugs).

  2. Restrict Remote Management Tools:

    • Enforce strict allow-listing for remote monitoring and management (RMM) software like ScreenConnect and AnyDesk. Block execution from user profile directories (%APPDATA%, %TEMP%).
    • Audit logs for RMM tool usage outside of business hours.

  3. Network Segmentation and EDR:

    • Ensure EDR coverage extends to edge devices and servers, which are often the entry point.
    • Segment critical servers from user workstations to limit the spread of ransomware via lateral movement tools like SystemBC and Cobalt Strike.

  4. Credential Hygiene:

    • Reset credentials for accounts used on internet-facing devices, assuming they may have been compromised during the initial access phase.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwareforensicsstorm-1175medusa-ransomwaresoc-mdrvulnerability-management

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action