Fast-Moving Ransomware, Router-Based Espionage Threats Target Education and Small-Office Organizations

A recent report from Microsoft warns about two active cybersecurity threats: a fast-moving ransomware campaign and a Russian espionage operation that abuses small office and home office routers to monitor victims' network traffic.

The company said this week that the Storm-1175 threat group is exploiting recently disclosed vulnerabilities to deploy Medusa ransomware at unusual speed, with some victims seeing encryption within 24 hours of the initial compromise. In a separate campaign, Microsoft said Russian military intelligence-linked group Forest Blizzard has compromised thousands of small office/home office routers to carry out adversary-in-the-middle attacks and collect sensitive traffic from targeted users.

Ransomware at Warp Speed

Storm-1175 has exploited more than 16 vulnerabilities since 2023, targeting everything from Microsoft Exchange servers to file transfer applications like GoAnywhere MFT and CrushFTP.

"Following successful exploitation, Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours," Microsoft Threat Intelligence warned in an April 6 blog post.

The hacker group's primary targets include healthcare organizations, educational institutions, professional services firms and financial sector entities across the United States, Australia and the United Kingdom. In some instances, Storm-1175 weaponized zero-day vulnerabilities a full week before public disclosure.

The attack chain follows a predictable pattern: exploit vulnerable web-facing systems, establish persistence through new administrative accounts, deploy remote monitoring and management tools for lateral movement, dump credentials, tamper with security software and finally unleash ransomware across the network using legitimate deployment tools like PDQ Deployer.

Microsoft's analysis revealed Storm-1175's reliance on everything from commodity tools like Mimikatz for credential theft to legitimate RMM platforms including Atera, Level, N-able and ConnectWise ScreenConnect. The group also employs Rclone to exfiltrate data before encryption, enabling double-extortion tactics through Medusa's leak site.
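The chain described above lends itself to a stage-correlation detection. The following Python example is added here and is not code from Microsoft's report: it scans constructed log lines, maps them to stages of the chain (new admin account, RMM tool, credential dumping, Rclone exfiltration, PDQ deployment) and alerts on any host where several stages land inside the 24-hour window the report cites. The log format, the `image=` field and the process-name patterns are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> (event type, pattern searched in the rest of the line). The process
# names are illustrative assumptions, not indicators taken from the report.
STAGES = {
    "new_admin": ("group_add", re.compile(r"group=Administrators")),
    "rmm_tool": ("process", re.compile(r"atera|level|n-able|screenconnect", re.I)),
    "cred_dump": ("process", re.compile(r"mimikatz", re.I)),
    "exfil": ("process", re.compile(r"rclone", re.I)),
    "mass_deploy": ("process", re.compile(r"pdq", re.I)),
}
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$")

def correlate(lines, window_hours=24, min_stages=3):
    """Return {host: sorted stage names} for hosts with >= min_stages distinct stages in one window."""
    window = timedelta(hours=window_hours)
    hits = defaultdict(list)                     # host -> [(timestamp, stage)]
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                             # unparseable line: ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for stage, (etype, pat) in STAGES.items():
            if m["event"] == etype and pat.search(m["rest"]):
                hits[m["host"]].append((ts, stage))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start
            seen = {s for t, s in events[i:] if t - start <= window}
            if len(seen) >= min_stages:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample telemetry, not real logs: WEB01 shows four stages within a
# few hours; FS02 shows two stages four days apart and should not alert.
SAMPLE_LOGS = [
    "2025-04-01T02:12:00Z host=WEB01 event=group_add group=Administrators user=svc_backup",
    "2025-04-01T03:05:00Z host=WEB01 event=process image=C:\\Temp\\AteraAgent.exe",
    "2025-04-01T04:40:00Z host=WEB01 event=process image=C:\\Temp\\mimikatz.exe",
    "2025-04-01T05:30:00Z host=WEB01 event=process image=C:\\Temp\\rclone.exe cmdline=copy",
    "2025-04-01T09:00:00Z host=FS02 event=process image=C:\\Agent\\AteraAgent.exe",
    "2025-04-05T09:00:00Z host=FS02 event=process image=C:\\Tools\\rclone.exe",
]
```

Because legitimate RMM agents are common, a single stage is noise; the value is in the co-occurrence of several stages on one host within a short window, which is why the window and threshold are parameters.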

Router Compromise Enables Silent Surveillance

The Forest Blizzard campaign presents a different but equally troubling threat. Since at least August 2025, the Russian military-linked group has been compromising insecure home and small office routers, modifying their DNS settings to redirect traffic through attacker-controlled infrastructure.

"By compromising edge devices that are upstream of larger targets, threat actors can take advantage of less closely monitored or managed assets to pivot into enterprise environments," Microsoft explained in its April 7 post.

The campaign has affected more than 200 organizations and 5,000 consumer devices, according to Microsoft Threat Intelligence, which also identified follow-on adversary-in-the-middle attacks aimed at Transport Layer Security connections to Microsoft Outlook on the web domains. Microsoft said the activity has hit government, IT, telecommunications and energy organizations.

The DNS hijacking technique is particularly potent. Once a router is compromised, all connected devices automatically use the attacker's malicious DNS resolvers through standard DHCP configuration. Forest Blizzard then leverages the dnsmasq utility to intercept DNS queries, allowing passive surveillance of network traffic at scale.

"This activity enables the interception of cloud-hosted content, impacting numerous sectors including government, information technology, telecommunications, and energy — all usual targets for this actor," said Microsoft.

Although most DNS requests appeared to be passed along without disruption, Microsoft said the group selectively spoofed certain domains, allowing it to intercept plaintext traffic, including e-mails and other sensitive data, when victims clicked through invalid TLS certificate warnings.
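A host-side check for the behaviour described in the two paragraphs above, added here as an example and not taken from Microsoft's advisory: it builds and parses raw DNS messages so that the DHCP-supplied resolver can be queried directly and its answers compared with those of a trusted reference resolver, and it flags a resolver handed out from outside the LAN. The domain outlook.office.com and the 192.0.2.x/198.51.100.x addresses are constructed placeholders, and the LAN range and reference resolver are assumptions the caller supplies.

```python
import ipaddress
import socket
import struct

def build_query(domain, txid=0x1234):
    """Minimal DNS A query with RD set, as sent to UDP port 53 of a resolver."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in domain.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(resp, pos):
    while True:                              # a name ends with 0 or a 0xC0 pointer
        n = resp[pos]
        if n & 0xC0 == 0xC0:
            return pos + 2
        if n == 0:
            return pos + 1
        pos += n + 1

def parse_a_records(resp):
    """IPv4 strings from the answer section of a raw DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4      # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return ips

def audit(dhcp_resolver, lan_cidr, local_answers, reference_answers):
    """Flag a DHCP-supplied resolver outside the LAN, and monitored domains whose
    answers from that resolver are absent from a trusted reference resolver's."""
    findings = []
    if ipaddress.ip_address(dhcp_resolver) not in ipaddress.ip_network(lan_cidr):
        findings.append(f"DHCP handed out an off-LAN resolver: {dhcp_resolver}")
    for domain, ref in reference_answers.items():
        if set(local_answers.get(domain, [])) - set(ref):
            findings.append(f"{domain}: answer from DHCP resolver not in reference set")
    return findings

# Constructed sample response (not a capture): outlook.office.com -> 192.0.2.10, a documentation address.
_q = build_query("outlook.office.com")
SAMPLE_RESPONSE = (_q[:2] + b"\x81\x80\x00\x01\x00\x01" + _q[8:] + b"\xc0\x0c"
                   + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("192.0.2.10"))
```

To use it live, send `build_query()` over UDP to port 53 of both the DHCP-supplied resolver and a reference resolver and pass the parsed answers to `audit()`; because CDN-hosted domains legitimately return different addresses from different vantage points, query the reference resolver from the same network or check the returned addresses against the provider's published ranges before treating a mismatch as spoofing.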

Defense Recommendations

For Storm-1175, Microsoft is urging organizations to tighten up exposed systems before attackers can move. The company recommends using perimeter-scanning tools such as Defender External Attack Surface Management to find vulnerable Internet-facing assets, enforcing least-privilege access so intruders have fewer options if they get in, and applying attack surface reduction rules to block common ransomware behavior.

To defend against Forest Blizzard's router-based activity, Microsoft says organizations should use domain-based network access controls such as Zero Trust DNS on Windows endpoints and keep consumer-grade routers out of business environments. The company also pointed to phishing-resistant multifactor authentication and continuous access evaluation as important safeguards against credential theft.

"It's important for organizations to account for unmanaged SOHO devices — particularly those used by remote and hybrid employees — since compromised home and small-office network infrastructure can expose cloud access and sensitive data even when enterprise environments and cloud services themselves remain secure," the Forest Blizzard advisory said.

For more information, read the Microsoft blog.
