When Microsoft publicly attributes a ransomware operation to a known threat actor, MSPs should take note. The company recently linked Storm-1175, a cybercriminal group known for deploying Medusa ransomware, to exploitation of a critical flaw in Fortra’s GoAnywhere MFT software (CVE-2025-10035).
The vulnerability, a deserialization flaw in the product's License Servlet, carries a CVSS score of 10.0 and is reachable without authentication, giving an attacker remote code execution on the MFT server. Fortra fixed it in version 7.8.4 (and in 7.6.3 for the Sustain Release line). Exploitation activity was already under way in early September 2025, before most organizations had deployed the fixed builds, which gave the threat actors a dangerous head start.
For MSPs, this event highlights key actions to protect both internal operations and client environments.
1. Treat Patch Management as a Continuous Discipline
Storm-1175's success came largely from unpatched, internet-facing systems. MSPs must enforce non-negotiable patch timelines for all managed clients, with the shortest windows reserved for critical vulnerabilities in internet-exposed applications such as file-transfer servers. Automate vulnerability scanning, and verify deployment by reading the installed version from each host rather than trusting a closed ticket. Where a patch cannot go in immediately, apply the vendor's interim mitigation; for GoAnywhere that meant making sure the Admin Console was not reachable from the internet. Even a week's delay can create a window for compromise.
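As an added illustration of verifying rather than assuming (example code written for this post, not Fortra's, Microsoft's or any RMM vendor's), the script below compares each host's observed GoAnywhere MFT version against the fixed builds and flags tickets closed as "patched" whose host is still on a vulnerable version. The inventory is constructed data; how you collect the installed version from each host (agent script, API, config file) depends on your tooling and is not shown.

```python
"""Verify GoAnywhere MFT patch state from observed versions, not ticket status.

Added example for this post; not code from Fortra or Microsoft. The fixed
versions (7.8.4, and 7.6.3 on the 7.6 Sustain Release line) come from
Fortra's advisory for CVE-2025-10035. The inventory is constructed data.
"""
from __future__ import annotations

import re

FIXED_MAIN = (7, 8, 4)      # 7.8.4 and later on the main line
FIXED_SUSTAIN = (7, 6, 3)   # 7.6.3 and later on the 7.6 Sustain Release line


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.8.4' (or '7.8.4-build12') into a tuple that compares numerically."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # '7.8' compares as (7, 8, 0)


def is_patched(version: str) -> bool:
    """True if this build carries the CVE-2025-10035 fix.

    7.7.x never received a fix and must move to 7.8.4, so only the 7.6 line
    is judged against the Sustain Release threshold; everything else needs
    7.8.4 or later.
    """
    v = parse_version(version)
    if v[:2] == (7, 6):
        return v >= FIXED_SUSTAIN
    return v >= FIXED_MAIN


# Constructed inventory: what the ticketing system says vs. the version the host reports.
INVENTORY = [
    {"host": "mft-01.clienta.example", "ticket": "patched", "observed": "7.8.4"},
    {"host": "mft-02.clienta.example", "ticket": "patched", "observed": "7.8.3"},  # closed, still vulnerable
    {"host": "mft-01.clientb.example", "ticket": "open",    "observed": "7.7.1"},
    {"host": "mft-01.clientc.example", "ticket": "patched", "observed": "7.6.3"},
    {"host": "mft-01.clientd.example", "ticket": "patched", "observed": "7.6.2"},  # closed, still vulnerable
    {"host": "mft-01.cliente.example", "ticket": "open",    "observed": "7.9.0"},  # upgraded, ticket stale
]


def audit(inventory: list[dict]) -> dict[str, list[str]]:
    """Return hosts still vulnerable and, separately, those a closed ticket misreports."""
    still_vulnerable = [h["host"] for h in inventory if not is_patched(h["observed"])]
    falsely_closed = [h["host"] for h in inventory
                      if h["ticket"] == "patched" and not is_patched(h["observed"])]
    return {"still_vulnerable": still_vulnerable, "falsely_closed": falsely_closed}


if __name__ == "__main__":
    for bucket, hosts in audit(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or 'none'}")
```

The branch logic is the part worth copying: a naive "version >= 7.8.4" check would wrongly flag a fully patched 7.6.3 Sustain Release host, while a naive "7.6.3 or 7.8.4" string match would miss 7.7.1, which has no fix of its own and must be upgraded.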
2. Secure and Monitor Your RMM Infrastructure
The attackers used legitimate remote monitoring and management (RMM) tools, SimpleHelp and MeshAgent, to keep persistent access to victim networks once the initial exploit had landed. For MSPs, whose business runs on the same class of tool, this is a critical wake-up call. Enable MFA on all RMM accounts, maintain strict role-based permissions, and routinely audit managed endpoints for RMM agents you did not deploy; an unsanctioned SimpleHelp or MeshAgent installation on a client host is an incident, not an inventory discrepancy. Treat your RMM environment as part of your clients' security perimeter, not something outside it.
3. Expand Detection Across Endpoints and Networks
Once inside, Storm-1175 used mstsc.exe (the built-in Remote Desktop client) for lateral movement, used Rclone to exfiltrate data through a Cloudflare tunnel, and dropped .jsp files into the GoAnywhere MFT directories. None of these are malware in the classic sense, so signature-based antivirus will not catch them. MSPs should deploy EDR/XDR platforms capable of spotting RDP client launches from unusual parent processes or accounts, unexpected bulk data transfers by tools such as Rclone, tunnelling utilities, and .jsp file creation under the MFT application path. Enhanced visibility shortens the dwell time that ransomware groups rely on.
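To make the detection points in sections 2 and 3 concrete, here is an added example (written for this post, not Microsoft's findings or any EDR vendor's rule set) that runs a handful of rules over constructed endpoint telemetry: unsanctioned RMM agents (SimpleHelp, MeshAgent), mstsc.exe launched from an unexpected parent, Rclone transfers, a cloudflared tunnel, and .jsp files created under the GoAnywhere path. The JSON field names and the log lines are assumptions, not real EDR output; map the fields onto whatever your pipeline actually emits.

```python
"""Toy detections for the Storm-1175 tradecraft described in sections 2 and 3,
run over constructed endpoint telemetry.

Added example for this post; not Microsoft's or any EDR vendor's logic. The
JSON field names (ts, host, event, image, parent, cmd, path) are an
assumption; map them onto whatever your EDR or Sysmon pipeline actually
emits. The log lines are constructed, not captured from a real incident.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# RMM agents the campaign abused. An MSP keeps its own sanctioned agent out of this
# pattern so that only tooling it did not deploy fires (assumption: tune per client).
UNSANCTIONED_RMM = re.compile(r"meshagent|simplehelp|jwrapper-remote access", re.I)

# Parents from which an interactive RDP client launch is normal on a workstation.
# mstsc.exe spawned from a shell or a service is what lateral movement looks like.
EXPECTED_MSTSC_PARENTS = {"explorer.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[Finding]:
    """Apply every rule to one telemetry record; a record can trigger several."""
    found: list[Finding] = []
    host = ev.get("host", "?")
    if ev.get("event") == "process":
        image_path = ev.get("image", "")
        image, parent = _basename(image_path), _basename(ev.get("parent", ""))
        cmd = ev.get("cmd", "")
        if UNSANCTIONED_RMM.search(image_path) or UNSANCTIONED_RMM.search(cmd):
            found.append(Finding("unsanctioned_rmm_agent", host, image_path))
        if image == "mstsc.exe" and parent not in EXPECTED_MSTSC_PARENTS:
            found.append(Finding("rdp_client_unusual_parent", host, f"{parent} -> {cmd}"))
        if image == "rclone.exe" or re.search(r"\brclone\b", cmd, re.I):
            found.append(Finding("rclone_bulk_transfer", host, cmd))
        if image == "cloudflared.exe" and "tunnel" in cmd.lower():
            found.append(Finding("cloudflare_tunnel_started", host, cmd))
    elif ev.get("event") == "file":
        path = ev.get("path", "")
        if path.lower().endswith(".jsp") and "goanywhere" in path.lower():
            found.append(Finding("jsp_dropped_in_goanywhere", host, path))
    return found


# Constructed telemetry (one JSON record per line). Backslashes are JSON-escaped.
TELEMETRY = r"""
{"ts":"2025-09-12T02:14:07Z","host":"mft-01","event":"file","path":"C:\\Program Files\\GoAnywhere\\tomcat\\webapps\\ROOT\\x.jsp"}
{"ts":"2025-09-12T02:16:41Z","host":"mft-01","event":"process","image":"C:\\Program Files\\Mesh Agent\\MeshAgent.exe","parent":"C:\\Windows\\System32\\services.exe","cmd":"MeshAgent.exe -install"}
{"ts":"2025-09-12T03:02:19Z","host":"mft-01","event":"process","image":"C:\\Windows\\System32\\mstsc.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"mstsc.exe /v:10.20.0.25"}
{"ts":"2025-09-13T01:44:10Z","host":"fs-02","event":"process","image":"C:\\ProgramData\\cf\\cloudflared.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"cloudflared.exe tunnel run"}
{"ts":"2025-09-13T01:45:02Z","host":"fs-02","event":"process","image":"C:\\ProgramData\\rclone\\rclone.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"rclone.exe copy D:\\Shares\\Finance remote:out --transfers 8"}
{"ts":"2025-09-13T08:00:00Z","host":"ws-17","event":"process","image":"C:\\Windows\\System32\\mstsc.exe","parent":"C:\\Windows\\explorer.exe","cmd":"mstsc.exe"}
{"ts":"2025-09-13T08:00:05Z","host":"mft-01","event":"file","path":"C:\\Program Files\\GoAnywhere\\userdata\\logs\\goanywhere.log"}
"""


def run(telemetry: str = TELEMETRY) -> list[Finding]:
    """Parse each line and collect findings in telemetry order."""
    findings: list[Finding] = []
    for line in telemetry.strip().splitlines():
        findings.extend(check_event(json.loads(line)))
    return findings


if __name__ == "__main__":
    for f in run():
        print(f"{f.host:7} {f.rule:28} {f.detail}")
```

The last two records are the control: an analyst opening mstsc.exe from the desktop and GoAnywhere writing its own log file produce nothing, while the five records before them each fire exactly one rule. The parent-process check is deliberately coarse; on a server where nobody should ever run the RDP client interactively, a rule that fires on any mstsc.exe launch is simpler and stronger.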
4. Demand Accountability and Communication from Vendors
Microsoft's findings showed that GoAnywhere customers were compromised well before detailed guidance reached them. Security researchers, including watchTowr CEO Benjamin Harris, criticized Fortra's lack of communication, saying customers were "left in the dark." MSPs should insist on transparency clauses in vendor contracts that require timely notification and concrete mitigation details during active exploitation, not just a patch note after the fact.
5. Reinforce Client Education and Data Resilience
The final stage of the Storm-1175 campaign was deploying Medusa ransomware to encrypt systems and steal data for extortion. MSPs must help clients understand that tested backups, MFA, and endpoint segmentation are not optional; they are survival strategies. Conduct quarterly ransomware simulations, ensure backup immutability, and rehearse restores so that a backup that exists is also one that works. When users know the "why," they become your strongest security ally.
The Storm-1175 campaign shows how quickly attackers weaponize trusted tools and exploit vendor silence. MSPs can't control when vendors disclose vulnerabilities, but they can control how fast they patch, how well they monitor, and how effectively they educate clients. In cybersecurity, speed and transparency aren't just best practices; they're competitive advantages.