
Storm-1175 Deploys Medusa Ransomware in 24 Hours Using Zero-Days in GoAnywhere and SmarterMail

Microsoft's April 2026 alert: Storm-1175 weaponized zero-days in GoAnywhere MFT and SmarterMail to encrypt victim networks within 24 hours — a direct threat to Saudi financial institutions relying on MFT platforms for SAMA-regulated data transfers.

FyntraLink Team

Microsoft Threat Intelligence published a detailed analysis on April 6, 2026 exposing Storm-1175, a China-linked financially motivated threat actor, weaponizing zero-day vulnerabilities in GoAnywhere Managed File Transfer and SmarterMail to deploy Medusa ransomware — in some cases completing the full attack chain from initial access to encryption in under 24 hours. For Saudi financial institutions that depend on GoAnywhere MFT to fulfill SAMA-mandated secure file transfer requirements, this is not a theoretical risk.

Who Is Storm-1175 and Why They Move So Fast

Storm-1175 is a financially motivated cybercriminal group that operates as a high-volume affiliate of the Medusa Ransomware-as-a-Service (RaaS) operation, tracked separately as Spearwing. Unlike traditional ransomware actors that spend weeks performing reconnaissance, Storm-1175 follows a deliberate high-tempo playbook: identify an unpatched public-facing application, exploit it before the vendor issues a patch, and compress the time from initial access to ransom demand to under 24 hours. Microsoft's April 2026 report documents this actor exploiting two zero-days — CVE-2026-23760 in SmarterMail and CVE-2025-10035 in GoAnywhere MFT — a full week before each vulnerability was publicly disclosed. This is not opportunistic scanning; it is structured intelligence-driven targeting.

The CVEs: What Was Exploited and How

CVE-2025-10035 is a critical deserialization vulnerability in GoAnywhere MFT's License Servlet carrying a CVSS score of 10.0 — the highest possible severity rating. An attacker who can forge a valid license response signature can deserialize an arbitrary actor-controlled object, leading to command injection and full remote code execution on the underlying server. GoAnywhere MFT is deployed widely across the financial sector, including in Saudi Arabia, precisely because it provides encrypted, auditable file transfer channels required under SAMA CSCC Domain 3 (Third-Party and Cloud Security) and PCI-DSS Requirement 4 (Protect Cardholder Data in Transit). CVE-2026-23760, the second zero-day, is an authentication bypass in SmarterTools' SmarterMail email and collaboration server. Once inside via either vector, Storm-1175 drops SimpleHelp and MeshAgent — two legitimate remote monitoring and management (RMM) tools — to establish persistent command-and-control that blends with normal IT traffic and evades signature-based detection. Medusa ransomware is then staged and executed, with file exfiltration preceding encryption to enable double-extortion.

The 24-Hour Kill Chain

What distinguishes Storm-1175 from typical ransomware affiliates is the compressed dwell time. Microsoft documented intrusions where the full sequence — initial exploitation of GoAnywhere MFT, lateral movement via RMM tool abuse, credential harvesting from Active Directory, bulk data exfiltration, and Medusa ransomware deployment — was completed within a single business day. This timeline makes traditional Tier-2 SOC escalation processes inadequate. By the time an analyst reviews a ticket opened on an anomalous GoAnywhere process, the encryption event has likely already occurred. The actor's ability to weaponize zero-days before public disclosure compounds the problem: standard patch management cycles, even accelerated ones targeting critical-severity CVEs, offer no protection against exploitation that precedes the patch release date.

Impact on Saudi Financial Institutions

GoAnywhere MFT is a commonly deployed solution in Saudi banks, insurance companies, and payment processors — precisely the entities subject to SAMA CSCC and NCA ECC mandatory controls. A successful ransomware event against a SAMA-regulated institution triggers multiple simultaneous obligations: incident reporting to SAMA within the timelines specified in the CSCC (Domain 6, Cybersecurity Resilience), notification obligations under the Personal Data Protection Law (PDPL) if personal data is exfiltrated during the double-extortion phase, and potential PCI-DSS breach notification if cardholder data transits the compromised MFT environment. Beyond compliance, operational disruption to file transfer infrastructure can freeze inter-bank settlement workflows, SWIFT messaging integrations, and regulatory reporting pipelines — consequences that compound hourly. The sector's increasing reliance on MFT platforms to satisfy SAMA's secure data transfer mandates creates a structural vulnerability: the very tools required for compliance become high-value ransomware entry points.

Recommendations and Practical Steps

  1. Emergency patching for GoAnywhere MFT and SmarterMail: Apply the patches addressing CVE-2025-10035 and CVE-2026-23760 immediately. If patching cannot be completed within 24 hours, take the affected systems offline or restrict access to trusted IP ranges only. SAMA CSCC Domain 2 (Cybersecurity Risk Management) requires compensating controls when critical vulnerabilities cannot be immediately remediated.
  2. Hunt for SimpleHelp and MeshAgent artifacts: If these RMM tools are not part of your approved software inventory, their presence is a strong indicator of compromise. Search EDR telemetry, Windows Event Logs (Event IDs 7045, 4688), and network flow data for binaries associated with SimpleHelp and MeshAgent executed outside normal IT hours or from unexpected parent processes.
  3. Harden GoAnywhere MFT configurations: Disable the License Servlet endpoint at the network layer if it does not serve a business function. Implement allowlisting on the GoAnywhere admin console and API interfaces. Review service accounts for excessive privileges — principle of least privilege is a baseline NCA ECC control (ECC-2-1-3).
  4. Accelerate threat detection with behavioral rules: Deploy SIEM detection rules specifically for RMM tool installation events, mass file enumeration patterns typical of pre-encryption staging, and unusual outbound data volumes from MFT servers. SAMA CSCC Domain 5 (Cybersecurity Operations and Technology) mandates continuous monitoring — this is exactly the scenario it was designed to catch.
  5. Test ransomware recovery playbooks now: Tabletop exercises should include a scenario where a GoAnywhere or SmarterMail server is fully compromised within a 24-hour window. Validate that offline backups exist, that recovery time objectives (RTOs) are achievable, and that incident escalation to SAMA and the NCA's National Cybersecurity Operations Center (NCOC) can be executed under the time pressure of an active ransomware event.
  6. Review third-party MFT exposure: Identify all external partners and vendors with inbound or outbound GoAnywhere connections. Under SAMA CSCC Domain 3, third-party access to regulated data environments must be governed — a compromised vendor GoAnywhere instance is a potential pivot point into your network.
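A worked hunt for step 2, added here as an example that is not part of the original post or of Microsoft's report: it scans constructed Windows Event Log records (IDs 7045 and 4688) for SimpleHelp and MeshAgent binaries and reports why each hit is suspicious. The approved-RMM inventory, the list of expected parent processes and the business-hours window are assumptions to adjust per site.

```python
# Added example: hunt Windows event records for the RMM tools named in the
# Storm-1175 report (SimpleHelp, MeshAgent). Not vendor or Microsoft code.
import ntpath
from datetime import datetime

# Case-insensitive substrings that identify the two RMM tools from the report.
RMM_INDICATORS = ("simplehelp", "meshagent")
# Assumption: binaries of RMM tools the site has formally approved (none here).
APPROVED_RMM = set()
# Assumption: parents an administrator-driven install would normally have.
EXPECTED_PARENTS = {"services.exe", "msiexec.exe", "explorer.exe"}
BUSINESS_HOURS = range(7, 19)  # assumed IT working hours, 07:00-18:59 local


def hunt_rmm(events):
    """Return (index, event_id, reasons) for each unapproved RMM artifact.

    Every unapproved SimpleHelp/MeshAgent artifact is reported; the reasons
    list adds the context step 2 asks for (off-hours, unexpected parent).
    """
    hits = []
    for i, ev in enumerate(events):
        image = ev.get("image", "")
        if not any(tag in image.lower() for tag in RMM_INDICATORS):
            continue
        if ntpath.basename(image).lower() in APPROVED_RMM:
            continue
        reasons = ["not in approved inventory"]
        if datetime.fromisoformat(ev["time"]).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if ev["id"] == 7045:  # System log: a new service was installed
            reasons.append(f"service install: {ev.get('service')}")
        elif ev["id"] == 4688:  # Security log: process creation
            parent = ntpath.basename(ev.get("parent", "")).lower()
            if parent not in EXPECTED_PARENTS:
                reasons.append(f"unexpected parent {parent}")
        hits.append((i, ev["id"], reasons))
    return hits


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"id": 7045, "time": "2026-04-02T02:14:07", "service": "SimpleHelp Remote Access",
     "image": r"C:\ProgramData\SimpleHelp\Remote Access.exe"},
    {"id": 4688, "time": "2026-04-02T02:15:31",
     "image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "parent": r"C:\Program Files\GoAnywhere\jre\bin\java.exe"},
    {"id": 4688, "time": "2026-04-02T10:05:00",
     "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"id": 4688, "time": "2026-04-02T11:00:00",
     "image": r"C:\Tools\MeshAgent.exe", "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, event_id, why in hunt_rmm(SAMPLE_EVENTS):
        print(f"event {idx} (ID {event_id}): {'; '.join(why)}")
```

On a live host the same logic can be fed from EDR or SIEM exports of the System and Security logs; the second constructed event (MeshAgent spawned by GoAnywhere's Java runtime at 02:15) is the shape of hit that should page the on-call analyst rather than wait for a Tier-2 queue.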

Conclusion

Storm-1175's abuse of zero-days in GoAnywhere MFT and SmarterMail — combined with a 24-hour attack-to-encryption timeline — represents a maturation of the ransomware threat that Saudi financial institutions cannot afford to underestimate. The attack surface here is not exotic: it is the same secure file transfer infrastructure that compliance requirements demanded you deploy. The answer is not to remove these platforms but to layer them with the runtime monitoring, access controls, and incident response capabilities that SAMA CSCC and NCA ECC already mandate — and to ensure those controls are validated, not just documented.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a dedicated review of your MFT security posture against the Storm-1175 threat model.