Rapid ransomware attacks spike

Microsoft warned of China-based actors using a 'rapid attack' approach that compresses ransomware timelines by chaining multiple vulnerabilities, and researchers say one group (Storm-1175) is exploiting a set of flaws to speed attacks from days to hours. CrowdStrike's CEO also warned that AI will magnify attack volume and shrink patch windows, making faster detection and patching more urgent for automated warehouse systems. (techradar.com) (cybernews.com) (247wallst.com)

Ransomware used to look like a bank robbery planned over days. Microsoft now says one crew it tracks can break in through an exposed internet-facing system, steal data, and drop Medusa ransomware in less than 24 hours. (microsoft.com) The trick is speed. Instead of waiting for one perfect secret flaw, attackers are chaining several software bugs together so each one opens the next door. (microsoft.com)

A software vulnerability is just a mistake in code that can be abused. A zero-day is the version defenders have had zero days to patch, while an n-day is a bug that is already public but still unpatched on real networks. (microsoft.com) Microsoft says the group it calls Storm-1175 has leaned on that second category: recently disclosed flaws in web-facing products, hit during the gap between public disclosure and actual patching. That gap is now the whole battlefield. (microsoft.com)

The group is tied to Medusa, a ransomware operation that locks files and pressures victims by stealing data first. Microsoft says Storm-1175 has exploited more than 16 vulnerabilities since 2023, including flaws in products from PaperCut, Ivanti, ConnectWise, JetBrains, SimpleHelp, CrushFTP, GoAnywhere, SmarterMail, and BeyondTrust. (microsoft.com) (thehackernews.com) Microsoft describes Storm-1175 as financially motivated, not a state espionage team. The targets it highlights are practical ones: healthcare, education, professional services, and finance, with victims observed in the United States, the United Kingdom, and Australia. (microsoft.com) (bleepingcomputer.com)

Researchers say the pace is what changed. Cybernews, summarizing Microsoft's report on April 8, said attackers are compressing the full kill chain from initial access to ransomware deployment from days into hours. (cybernews.com) (microsoft.com) That matters most for companies running operational technology, where a laptop problem can become a warehouse problem. If the same network touches scanners, conveyor controls, shipping software, or inventory systems, a fast ransomware hit can freeze physical movement, not just office files. (crowdstrike.com)

CrowdStrike has been warning that artificial intelligence is speeding this up from the attacker side too. In its 2026 Global Threat Report, the company said AI-enabled attacks surged 89% and average breakout time fell to 29 minutes. (crowdstrike.com) Breakout time is the stretch between the first compromised machine and the attacker reaching other systems. When that number drops under half an hour, patching once a month starts to look like locking your door after the movers have emptied the house. (crowdstrike.com) (microsoft.com)

Microsoft's advice is not exotic. It says to patch internet-facing systems fast, reduce exposure of remote management tools, use multi-factor authentication, segment networks, and watch for data theft before encryption starts. (microsoft.com) The old model was "find the breach, then clean up." The new model is "assume the first vulnerable server is a lit fuse," because crews like Storm-1175 are building attacks around the few hours between a flaw becoming known and a company getting around to fixing it. (microsoft.com) (infosecurity-magazine.com)
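Of the recommendations above, "watch for data theft before encryption starts" is the one a defender can turn into a concrete check: Medusa-style crews steal data before they encrypt, so an internal host suddenly pushing far more data to external addresses than it normally does is the precursor worth alerting on. The following Python is an added example, not code from Microsoft's report or any of the cited articles. It assumes flow summaries as `(timestamp, src_ip, dst_ip, bytes)` tuples (the sample records below are constructed), treats RFC 1918 space as internal, and flags a host whose hourly outbound volume to external destinations is both above an absolute floor and many times that host's own median hourly volume. The floor and ratio are assumed tuning values, not figures from the page.

```python
"""Flag internal hosts whose outbound volume to external addresses spikes
against their own baseline: a simple pre-encryption data-theft detector.
Added example; input records are constructed, not taken from the page."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import median

# Internal address space (RFC 1918). Anything else is treated as external.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample flow summaries: (ISO timestamp, src_ip, dst_ip, bytes).
SAMPLE_FLOWS = [
    # Workstation 10.0.5.21 on a normal evening: small hourly outbound volumes.
    ("2026-04-07T22:10:00", "10.0.5.21", "198.51.100.4", 180_000),
    ("2026-04-07T23:15:00", "10.0.5.21", "198.51.100.4", 210_000),
    ("2026-04-08T00:05:00", "10.0.5.21", "10.0.1.10", 5_000_000),  # internal share, ignored
    ("2026-04-08T00:20:00", "10.0.5.21", "198.51.100.4", 160_000),
    # Same workstation at 01:xx: a bulk push to one external address.
    ("2026-04-08T01:02:00", "10.0.5.21", "203.0.113.7", 900_000_000),
    ("2026-04-08T01:40:00", "10.0.5.21", "203.0.113.7", 1_100_000_000),
    # Backup server 10.0.9.3: large but routine outbound volume every hour.
    ("2026-04-07T22:00:00", "10.0.9.3", "198.51.100.9", 800_000_000),
    ("2026-04-07T23:00:00", "10.0.9.3", "198.51.100.9", 820_000_000),
    ("2026-04-08T00:00:00", "10.0.9.3", "198.51.100.9", 790_000_000),
    ("2026-04-08T01:00:00", "10.0.9.3", "198.51.100.9", 810_000_000),
    # Inbound traffic from outside is not outbound volume and is ignored.
    ("2026-04-08T01:10:00", "203.0.113.7", "10.0.5.21", 50_000),
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside the internal (RFC 1918) ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def bucket_outbound(flows, window=timedelta(hours=1)):
    """Sum bytes each internal host sends to external destinations per window.
    Returns {host: {window_start: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        # Only internal -> external traffic counts as potential exfiltration.
        if not is_internal(src) or is_internal(dst):
            continue
        t = datetime.fromisoformat(ts)
        start = t - (t - datetime.min) % window  # align to window boundary
        totals[src][start] += nbytes
    return totals


def find_exfil_spikes(flows, ratio=10.0, floor_bytes=500_000_000,
                      window=timedelta(hours=1)):
    """Return (host, window_start, bytes) for windows whose outbound volume is
    at least `floor_bytes` and at least `ratio` times the host's median window.
    Hosts with fewer than three windows have no usable baseline and are skipped;
    hosts that are always busy (the backup server) stay under the ratio."""
    alerts = []
    for host, buckets in bucket_outbound(flows, window).items():
        if len(buckets) < 3:
            continue
        baseline = median(buckets.values())
        for start, nbytes in sorted(buckets.items()):
            if nbytes >= floor_bytes and nbytes >= ratio * max(baseline, 1):
                alerts.append((host, start.isoformat(), nbytes))
    return alerts


if __name__ == "__main__":
    for host, start, nbytes in find_exfil_spikes(SAMPLE_FLOWS):
        print(f"possible staging/exfiltration: {host} sent {nbytes:,} bytes "
              f"to external addresses in the hour starting {start}")
```

On the sample data only the workstation is flagged, for the 01:00 window, while the backup server's steady large transfers are not, because the ratio is measured against each host's own median rather than a network-wide threshold. In practice the baseline would be built from days of history rather than a handful of windows, and the alert would be correlated with the other signals Microsoft names, such as newly exposed remote management tools or logins without MFA.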
