Storm-1175 Ramps Up Ransomware Attacks Exploiting GoAnywhere MFT Flaw
- by Abhinav Kumar
- 12 October 2025
- 2 minutes read

Key Insights
- Storm-1175 is actively exploiting the critical CVE-2025-10035 GoAnywhere MFT vulnerability to deploy Medusa ransomware.
- Over 500 exposed GoAnywhere MFT instances remain online, despite a patch released September 18, 2025.
- Microsoft and Fortra urge immediate software updates and log reviews to prevent further ransomware attacks.
Storm-1175 Exploits Critical GoAnywhere MFT Flaw in Major Ransomware Campaigns
A cybercrime group tracked as Storm-1175 is leveraging a maximum-severity vulnerability in GoAnywhere MFT, a widely used managed file transfer solution, to orchestrate sophisticated ransomware attacks across Europe. The flaw, designated CVE-2025-10035, enables attackers to remotely compromise unpatched systems with no authentication required, which makes it especially dangerous for organizations with internet-exposed servers.
Discovered in early September and patched by Fortra on September 18, 2025, the vulnerability stems from a deserialization weakness in the platform’s License Servlet. Security researchers observed exploitation activity as early as September 10, indicating attackers had a significant window to compromise targets before public disclosure. Despite the availability of a patch, more than 500 vulnerable instances remain exposed online, fueling widespread anxiety among IT and security professionals.
How Storm-1175 Executes Its Ransomware Attacks
According to CyberScoop, Storm-1175 gained initial access by exploiting CVE-2025-10035, then quickly established persistence using remote monitoring tools such as SimpleHelp and MeshAgent. The attackers conducted reconnaissance, moved laterally across networks with built-in Windows utilities, exfiltrated sensitive data using Rclone, and ultimately deployed the Medusa ransomware to extort victims.
“Storm-1175’s attacks are opportunistic and have affected organizations in the transportation, education, retail, insurance, and manufacturing sectors. Their tactics reflect a broader pattern: blending legitimate tools with stealthy techniques to monetize access through extortion and data theft.”
— Sherrod DeGrippo, Microsoft Threat Intelligence Strategy
Security experts have stressed that the group's reliance on legitimate administrative tools to evade detection makes it harder for organizations to spot and stop attacks in progress. The Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2025-10035 to its Known Exploited Vulnerabilities (KEV) catalog, confirming its use in active ransomware campaigns.
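The post-exploitation chain described above (RMM tools for persistence, Rclone for exfiltration) is exactly what the "review system logs" advice is asking defenders to hunt for. The following is an added triage example, not code from the article, Microsoft or Fortra: it runs over a few constructed process-creation events (field names and the GoAnywhere install path are assumptions, not a real log schema) and flags hosts that show more than one stage of the chain.

```python
"""Triage constructed process-creation events for the Storm-1175 tool chain.

Added example, not from the article or any vendor. The stages come from the
article: SimpleHelp/MeshAgent for persistence and Rclone for exfiltration.
Event records and field names are constructed for the demo, not a real format.
"""
import re
from collections import defaultdict

# Stage name -> pattern matched against the lowercased image + command line.
STAGE_PATTERNS = {
    "persistence_rmm": re.compile(r"simplehelp|mesh\s*agent"),
    "exfiltration_rclone": re.compile(r"\brclone(\.exe)?\b"),
}

# A tool launched by the GoAnywhere process tree is the strongest signal that
# it came in through the MFT flaw. Matching on "goanywhere" in the parent path
# is an assumption about the install location, not a documented indicator.
GOANYWHERE_PARENT = re.compile(r"goanywhere")

# Constructed sample events: one infected MFT host, one clean workstation.
SAMPLE_EVENTS = [
    {"host": "mft01", "parent": "C:\\Program Files\\Fortra\\GoAnywhere\\java.exe",
     "image": "C:\\Windows\\Temp\\SimpleHelp.exe", "cmdline": "SimpleHelp.exe /S"},
    {"host": "mft01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Users\\svc\\rclone.exe", "cmdline": "rclone.exe copy D:\\share remote:bucket"},
    {"host": "ws07", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Office\\winword.exe", "cmdline": "winword.exe"},
]

def classify(event):
    """Return the chain stage this event matches, or None if it is benign."""
    text = (event["image"] + " " + event["cmdline"]).lower()
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(text):
            return stage
    return None

def triage(events):
    """Map host -> list of (stage, spawned_from_goanywhere) findings, in event order."""
    findings = defaultdict(list)
    for event in events:
        stage = classify(event)
        if stage is None:
            continue
        from_mft = bool(GOANYWHERE_PARENT.search(event["parent"].lower()))
        findings[event["host"]].append((stage, from_mft))
    return dict(findings)

def hosts_with_chain(findings, min_stages=2):
    """Hosts showing at least min_stages distinct stages; these get escalated first."""
    return sorted(h for h, f in findings.items() if len({s for s, _ in f}) >= min_stages)
```

A single RMM install is noisy on its own; the host list from `hosts_with_chain` is what distinguishes an admin's legitimate SimpleHelp rollout from the chain the article describes.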
Patch Urgency and Industry Response
Both The Hacker News and Integrity360 report heightened concern within the IT and cybersecurity communities. Researchers are alarmed by the speed at which Storm-1175 weaponized the flaw and the persistence of unpatched systems weeks after the patch release. Microsoft and Fortra have issued urgent advisories, urging all organizations running GoAnywhere MFT to update immediately and review system logs for any signs of compromise.
Ben Harris, CEO of cybersecurity firm watchTowr, emphasized the need for transparency and rapid action:
“Organizations running GoAnywhere MFT have effectively been under silent assault since at least September 11, with little clarity from Fortra.”
Regional Impact and Ongoing Risks
The majority of reported attacks and public concern have so far centered on Europe, as regional outlets continue to provide the most comprehensive coverage of the Storm-1175 ransomware campaigns. Security researchers warn that as long as hundreds of GoAnywhere MFT instances remain exposed, the risk of further ransomware incidents remains high.
With active exploitation confirmed by both Microsoft and federal cyber authorities, immediate action is critical. Organizations are strongly advised to apply the latest GoAnywhere MFT patches, monitor for suspicious access, and strengthen incident response capabilities to mitigate the ongoing threat from Storm-1175 and similar ransomware groups.
