Fast-Moving Ransomware, Router-Based Espionage Threats Target Education and Small-Office Organizations
A recent report from Microsoft warns about two active cybersecurity threats: a fast-moving ransomware campaign and a Russian espionage operation that abuses small office and home office routers to monitor victims’ network traffic.
The company said this week that the Storm-1175 threat group is exploiting recently disclosed vulnerabilities to deploy Medusa ransomware at unusual speed, with some victims seeing encryption within 24 hours of the initial compromise. In a separate campaign, Microsoft said Russian military intelligence-linked group Forest Blizzard has compromised thousands of small office/home office routers to carry out adversary-in-the-middle attacks and collect sensitive traffic from targeted users.
Ransomware at Warp Speed
Storm-1175 has exploited more than 16 vulnerabilities since 2023, targeting everything from Microsoft Exchange servers to file transfer applications like GoAnywhere MFT and CrushFTP.
“Following successful exploitation, Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours,” Microsoft Threat Intelligence warned in an April 6 blog post.
The hacker group’s primary targets include healthcare organizations, educational institutions, professional services firms and financial sector entities across the United States, Australia and the United Kingdom. In some instances, Storm-1175 weaponized zero-day vulnerabilities a full week before public disclosure.
The attack chain follows a predictable pattern: exploit vulnerable web-facing systems, establish persistence through new administrative accounts, deploy remote monitoring and management tools for lateral movement, dump credentials, tamper with security software and finally unleash ransomware across the network using legitimate deployment tools like PDQ Deployer.
Microsoft’s analysis revealed Storm-1175’s reliance on everything from commodity tools like Mimikatz for credential theft to legitimate RMM platforms including Atera, Level, N-able and ConnectWise ScreenConnect. The group also employs Rclone to exfiltrate data before encryption, enabling double-extortion tactics through Medusa’s leak site.
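The attack chain above is a sequence of distinct, individually noisy stages (account creation, admin group membership, RMM agent install, LSASS access, security-tool tampering, Rclone, PDQ Deployer), so a defender can correlate them per host inside the 24-hour window the report describes. The following detector is an added illustration, not code from Microsoft’s report; the event records are constructed, the field names (ts, host, event_id, image, target, group) are assumptions loosely modelled on Windows Security and Sysmon events, and the process names in the indicator tables are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator tables. Binary names are assumptions for illustration; exact
# names vary by product version and must be tuned to your environment.
RMM_IMAGES = {"ateraagent.exe", "screenconnect.clientservice.exe", "level.exe", "nable_agent.exe"}
CRED_DUMP_IMAGES = {"mimikatz.exe", "procdump.exe"}
EXFIL_IMAGES = {"rclone.exe"}
DEPLOY_IMAGES = {"pdqdeployrunner.exe", "pdqdeploy.exe"}
ADMIN_GROUPS = {"administrators", "domain admins"}


def classify(ev):
    """Map one event record to a stage name of the chain, or None if benign."""
    eid = ev["event_id"]
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    if eid == 4720:                      # Security: user account created
        return "new_account"
    if eid == 4732 and ev.get("group", "").lower() in ADMIN_GROUPS:
        return "admin_added"             # Security: member added to local admin group
    if eid == 5001:                      # Defender: real-time protection disabled
        return "av_tamper"
    if eid == 10 and ev.get("target", "").lower().endswith("lsass.exe"):
        return "cred_dump"               # Sysmon: process accessed LSASS
    if eid == 1:                         # Sysmon: process creation
        if image in RMM_IMAGES:
            return "rmm"
        if image in CRED_DUMP_IMAGES:
            return "cred_dump"
        if image in EXFIL_IMAGES:
            return "exfil"
        if image in DEPLOY_IMAGES:
            return "deploy"
    return None


def correlate(events, window=timedelta(hours=24), min_stages=3):
    """Return {host: sorted distinct stages} for every host on which at least
    `min_stages` different stages occur within one `window`."""
    per_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = sorted({s for t, s in hits[i:] if t - t0 <= window})
            if len(stages) >= min_stages:
                alerts[host] = stages
                break
    return alerts


# Constructed sample telemetry (dates and hosts are made up).
EVENTS = [
    {"ts": "2026-04-01T02:10:00", "host": "WEB01", "event_id": 4720, "account": "svc_backup"},
    {"ts": "2026-04-01T02:11:00", "host": "WEB01", "event_id": 4732, "account": "svc_backup", "group": "Administrators"},
    {"ts": "2026-04-01T03:40:00", "host": "WEB01", "event_id": 1, "image": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"},
    {"ts": "2026-04-01T09:05:00", "host": "WEB01", "event_id": 10, "image": "C:\\Temp\\m.exe", "target": "C:\\Windows\\System32\\lsass.exe"},
    {"ts": "2026-04-01T12:30:00", "host": "WEB01", "event_id": 5001},
    {"ts": "2026-04-01T18:00:00", "host": "WEB01", "event_id": 1, "image": "C:\\Temp\\rclone.exe"},
    {"ts": "2026-04-01T23:45:00", "host": "DC01", "event_id": 1, "image": "C:\\Program Files\\PDQ\\PDQDeployRunner.exe"},
    # Benign: helpdesk installs a remote-support client, no other stages follow.
    {"ts": "2026-04-02T10:00:00", "host": "HELPDESK03", "event_id": 1, "image": "C:\\Program Files\\ScreenConnect Client\\ScreenConnect.ClientService.exe"},
]

if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

A single RMM install or one PDQ run is routine in most environments, which is why the detector alerts only when several stages cluster on one host; the threshold and window are the knobs to tune against your own baseline.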
Router Compromise Enables Silent Surveillance
The Forest Blizzard campaign presents a different but equally troubling threat. Since at least August 2025, the Russian military-linked group has been compromising insecure home and small office routers, modifying their DNS settings to redirect traffic through attacker-controlled infrastructure.
“By compromising edge devices that are upstream of larger targets, threat actors can take advantage of less closely monitored or managed assets to pivot into enterprise environments,” Microsoft explained in its April 7 post.
The campaign has affected more than 200 organizations and 5,000 consumer devices, according to Microsoft Threat Intelligence, which also identified follow-on adversary-in-the-middle attacks aimed at Transport Layer Security connections to Microsoft Outlook on the web domains. Microsoft said the activity has hit government, IT, telecommunications and energy organizations.
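The router campaign hinges on two things a defender can check: what DNS servers the router is actually handing out, and whether answers obtained through the router match answers from a trusted resolver. The script below is an added example, not code from Microsoft’s report. The router configuration export, the key=value layout, the domain names and all addresses (RFC 5737 documentation ranges) are constructed; the resolver allowlist and LAN range are placeholders to be replaced with your own.

```python
import ipaddress

# Constructed allowlist of resolvers the organisation expects routers to use.
EXPECTED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed router configuration export (layout is an assumption; real
# SOHO routers use their own formats). dns1 and dhcp_dns point somewhere
# that is neither the LAN nor an expected resolver.
ROUTER_CONFIG = """\
lan_ipaddr=192.168.1.1
wan_proto=dhcp
dns_override=1
dns1=203.0.113.7
dns2=192.0.2.53
dhcp_dns=203.0.113.7
"""

# Constructed answers for the same names, once through the router's
# resolver and once through a trusted out-of-band resolver.
ANSWERS_VIA_ROUTER = {
    "owa.example.org": ["203.0.113.20"],
    "updates.example.org": ["198.51.100.10"],
}
ANSWERS_VIA_TRUSTED = {
    "owa.example.org": ["198.51.100.40", "198.51.100.41"],
    "updates.example.org": ["198.51.100.10"],
}


def parse_resolvers(config_text):
    """Collect every DNS-server address from a key=value config dump."""
    resolvers = []
    for line in config_text.splitlines():
        key, _, value = line.partition("=")
        if not key.strip().lower().startswith("dns") and key.strip().lower() != "dhcp_dns":
            continue
        try:
            resolvers.append(ipaddress.ip_address(value.strip()))
        except ValueError:
            continue  # flags such as dns_override=1 are not addresses
    return resolvers


def audit_resolvers(resolvers, allowlist, lan_net):
    """Return resolvers that are neither allowlisted nor the router/LAN itself."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    return sorted({str(r) for r in resolvers if r not in allowed and r not in lan_net})


def compare_answers(via_router, via_trusted):
    """Return names whose answer set through the router differs from the
    trusted resolver's, the signature of redirection to attacker infrastructure."""
    return sorted(
        name for name in via_trusted
        if set(via_router.get(name, ())) != set(via_trusted[name])
    )


if __name__ == "__main__":
    rogue = audit_resolvers(parse_resolvers(ROUTER_CONFIG), EXPECTED_RESOLVERS, LAN_NET)
    print("unexpected resolvers:", rogue or "none")
    diverging = compare_answers(ANSWERS_VIA_ROUTER, ANSWERS_VIA_TRUSTED)
    print("names with diverging answers:", diverging or "none")
```

In practice the answer comparison is run with DoH/DoT to a trusted resolver so the comparison path itself cannot be redirected by the same router; a mismatch on a mail or identity domain combined with a rogue resolver in the router config is a strong signal, whereas a mismatch alone can also come from CDN geo-balancing and should be checked against the returned address ranges before escalation.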