What Happened
Microsoft’s Security Research team published a detailed blog post on April 6, 2026, attributing an accelerating Medusa ransomware campaign to Storm-1175, a China-based cybercriminal threat actor assessed as a ransomware affiliate. The group operates high-velocity intrusions, exploiting vulnerabilities in web-facing systems during the window between public disclosure and widespread patch adoption — and in several cases, before disclosure occurs at all.
Storm-1175 used at least three zero-day vulnerabilities in its recent campaign. CVE-2026-23760 in SmarterMail and CVE-2025-10035 in GoAnywhere Managed File Transfer were both exploited one week before vendors published patches. A third zero-day in a widely used email security platform was also leveraged. These are not opportunistic scans: the group deliberately monitors vulnerability research pipelines and moves faster than defenders.
Once inside a network, Storm-1175 uses Bandizip to stage files and Rclone to exfiltrate data to attacker-controlled cloud infrastructure, then deploys Medusa ransomware. The interval from initial access to ransomware detonation is sometimes less than 24 hours. Confirmed targets include healthcare organisations, educational institutions, professional services firms, and financial sector entities in Australia, the United Kingdom, and the United States.
Sources: Microsoft Security Blog | The Hacker News
Why This Matters for Canadian Organizations
Canadian healthcare networks run SmarterMail, GoAnywhere MFT, and similar managed file transfer and email infrastructure at significant scale. Provincial health authorities, hospital networks, diagnostic labs, and community health centres rely on the same categories of web-facing platforms that Storm-1175 has systematically targeted. The group’s focus on healthcare is not incidental — healthcare organisations process large volumes of regulated personal health information, face intense pressure to avoid downtime, and have historically shown slower patch cadence for operational systems.
The speed of Storm-1175’s operations, from exploitation to ransomware deployment in under 24 hours, means that manual detection and response processes alone are insufficient against this threat actor. By the time an analyst reviews a Tuesday morning alert, data exfiltration and ransomware staging from the same intrusion are already complete. The group’s use of Rclone and legitimate cloud infrastructure for exfiltration also means that data loss occurs before ransomware is deployed, making this a double extortion scenario regardless of backup posture.
Healthcare ransomware in Canada has significant regulatory consequences. Provincial health privacy legislation and federal reporting obligations require notification when patient data is accessed or exfiltrated. The Canadian Centre for Cyber Security has previously flagged managed file transfer platforms and email infrastructure as priority attack surfaces for ransomware actors in the Canadian threat environment.
What to Do
Audit your inventory of internet-accessible managed file transfer platforms, email security appliances, and other web-facing administrative systems. Prioritise patch application within 24 hours of disclosure for products in these categories, given Storm-1175’s documented zero-day exploitation window.
For GoAnywhere MFT: apply CVE-2025-10035 patches immediately if not already done. For SmarterMail: apply CVE-2026-23760 patches immediately. Review both platforms’ access logs for the past 30 days for signs of unauthorized access or unexpected file transfer activity.
Implement network-based detection for Rclone and Bandizip execution on servers that should not be running these tools. Rclone initiating outbound connections to cloud storage endpoints from a file transfer server or email appliance is a strong indicator of active data exfiltration.
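The role-aware detection this step calls for, as an added example that is not code from Microsoft's report or from this advisory's sources: it reads process-execution and network-connection telemetry, looks up each host's role in an asset inventory, and raises alerts when Rclone or Bandizip runs on a host whose role does not justify it, escalating when Rclone on such a host connects to a storage-provider domain. The pipe-delimited log format, hostnames, role inventory, allowed-role policy and provider domain list are all constructed for illustration and are assumptions, not values from the page.

```python
"""Flag Rclone and Bandizip activity on servers that have no business running them.

Added example, not code from Microsoft's report or from any vendor. Log format,
hostnames, role inventory and provider domains are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed asset inventory: hostname -> role. In production this comes from
# the CMDB or EDR asset tags rather than a hard-coded dict.
SERVER_ROLES = {
    "mft01.example.internal": "file-transfer",
    "mail-gw01.example.internal": "email-gateway",
    "backup01.example.internal": "backup",
    "ws-ana-07.example.internal": "workstation",
}

# Roles where Rclone is sanctioned (constructed policy). Any other role, and any
# host missing from the inventory, is treated as unexpected.
RCLONE_ALLOWED_ROLES = {"backup"}

# Sample storage-provider domains; tune to the providers your organisation uses.
CLOUD_STORAGE_DOMAINS = (
    "amazonaws.com", "blob.core.windows.net", "storage.googleapis.com",
    "backblazeb2.com", "mega.nz", "dropboxapi.com",
)

# Match on the executable's base name only. Renamed binaries evade this, so pair
# it with hash-based or command-line rules in a real deployment.
TOOL_PATTERNS = {
    "rclone": re.compile(r"(?:^|[\\/])rclone(?:\.exe)?$", re.IGNORECASE),
    "bandizip": re.compile(r"(?:^|[\\/])bandizip(?:\.exe)?$", re.IGNORECASE),
}


@dataclass
class Alert:
    rule: str
    severity: str
    host: str
    detail: str


def classify_tool(image_path: str):
    """Return 'rclone', 'bandizip' or None for a process image path."""
    for name, pattern in TOOL_PATTERNS.items():
        if pattern.search(image_path):
            return name
    return None


def is_cloud_storage(dest: str) -> bool:
    """True if dest is a listed provider domain or a subdomain of one."""
    dest = dest.lower().rstrip(".")
    return any(dest == d or dest.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def detect(lines):
    """Apply the role-aware rules to telemetry lines (constructed formats):
    proc|<utc time>|<host>|<image path>|<command line>
    net|<utc time>|<host>|<image path>|<dest host>|<dest port>
    """
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split("|")
        kind, when, host, image = fields[0], fields[1], fields[2], fields[3]
        tool = classify_tool(image)
        if tool is None:
            continue
        role = SERVER_ROLES.get(host, "unknown")
        if kind == "proc":
            if tool == "rclone" and role not in RCLONE_ALLOWED_ROLES:
                alerts.append(Alert("rclone-on-unexpected-host", "high", host,
                                    f"{when} role={role} cmd={fields[4]}"))
            elif tool == "bandizip" and role != "workstation":
                # An end-user archiver on a server is staging behaviour, not admin work.
                alerts.append(Alert("archiver-on-server", "medium", host,
                                    f"{when} role={role} cmd={fields[4]}"))
        elif kind == "net" and tool == "rclone":
            dest, port = fields[4], fields[5]
            if role not in RCLONE_ALLOWED_ROLES and is_cloud_storage(dest):
                alerts.append(Alert("rclone-cloud-egress", "critical", host,
                                    f"{when} role={role} dest={dest}:{port}"))
    return alerts


# Constructed telemetry: staging and exfiltration on the MFT server, sanctioned
# Rclone on the backup host, a workstation user archiving a file, unrelated traffic.
SAMPLE_LOG = r"""
proc|2026-04-07T02:05:11Z|mft01.example.internal|C:\Program Files\Bandizip\Bandizip.exe|Bandizip.exe D:\staging\out.zip
proc|2026-04-07T02:13:55Z|mft01.example.internal|C:\Users\svc_mft\AppData\Local\Temp\rclone.exe|rclone.exe copy D:\Transfers remote:bk-7731
net|2026-04-07T02:14:02Z|mft01.example.internal|C:\Users\svc_mft\AppData\Local\Temp\rclone.exe|s3.amazonaws.com|443
proc|2026-04-07T01:00:00Z|backup01.example.internal|C:\Tools\rclone\rclone.exe|rclone.exe sync E:\Backups remote:offsite
net|2026-04-07T01:00:05Z|backup01.example.internal|C:\Tools\rclone\rclone.exe|f003.backblazeb2.com|443
proc|2026-04-07T09:30:00Z|ws-ana-07.example.internal|C:\Program Files\Bandizip\Bandizip.exe|Bandizip.exe C:\Users\ana\report.zip
net|2026-04-07T02:20:00Z|mail-gw01.example.internal|C:\Windows\System32\svchost.exe|ctldl.windowsupdate.com|80
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"[{alert.severity}] {alert.rule} {alert.host} {alert.detail}")
```

On the constructed sample the rules fire three times, all on the MFT server, while the backup host's scheduled Rclone job and the workstation's archiver use produce nothing. The inventory lookup is what keeps the rule quiet on the backup host; without it, a flat "alert on rclone.exe" rule either drowns the SOC or gets tuned into silence. The egress rule is deliberately the most severe: process execution on the wrong host shows staging, but a connection to a storage provider from that host is the exfiltration itself.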
Canadian healthcare organisations facing confirmed ransomware incidents should report immediately to the Canadian Centre for Cyber Security at contact@cyber.gc.ca and to their applicable provincial health privacy regulator.