The old rule was simple: China spies, Russia ransoms. Microsoft just broke that model.

Storm-1175, a China-based, financially motivated group, is deploying Medusa ransomware with genuine zero-day exploits, hitting targets a full week before public disclosure. Microsoft confirmed at least three zero-days in the campaign. That is not a criminal gang buying exploit kits off a forum; that is state-grade offensive capability pointed at ransomware targets.

The speed is alarming too: initial access to full Medusa deployment in under 24 hours, against healthcare, education and financial institutions across the US, UK and Australia.

Meanwhile, the Qilin ransomware group is solving a different problem: your EDR. Cisco Talos documented a technique in which Qilin sideloads a malicious DLL into a legitimate Windows process; the DLL has one job, to kill the endpoint detection agent before the ransomware runs. By the time anyone checks the console, encryption is done.
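The detection hook for that technique is the load itself: a Windows DLL name being resolved from an application directory instead of System32, by a host that then spawns something to stop a service. The following is an added example, not code from the Talos report or from Qilin's tooling. It runs a sideload heuristic over constructed Sysmon-style JSON events (Event 7 image-load records and Event 1 process-create records, invented here for the demo), flags loads of a small illustrative set of sideload-prone DLL names from outside the system directories, and attaches any child processes the suspicious host spawned. The DLL list, paths, GUIDs and the `ExampleEdrSvc` service name are assumptions for the example, not indicators from the page.

```python
import json
from pathlib import PureWindowsPath

# Windows DLL names that are frequently planted beside a signed host binary so
# the loader resolves the attacker's copy from the application directory before
# the genuine one in System32. Illustrative subset, not an exhaustive list.
SIDELOAD_PRONE_DLLS = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll",
    "cryptbase.dll", "userenv.dll", "profapi.dll",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon-style events (JSON lines) for the demonstration. These are
# not real telemetry; Event 7 = image loaded, Event 1 = process created.
SAMPLE_LOG = r"""
{"EventID": 7, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 7, "ProcessGuid": "{B2}", "Image": "C:\\Users\\Public\\Updater\\host.exe", "ImageLoaded": "C:\\Users\\Public\\Updater\\version.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 7, "ProcessGuid": "{C3}", "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\vendor_core.dll", "Signed": "true", "Signature": "Vendor Inc", "SignatureStatus": "Valid"}
{"EventID": 1, "ProcessGuid": "{D4}", "ParentProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc.exe stop ExampleEdrSvc"}
{"EventID": 1, "ProcessGuid": "{E5}", "ParentProcessGuid": "{C3}", "Image": "C:\\Program Files\\Vendor\\helper.exe", "CommandLine": "helper.exe --sync"}
"""


def _win(path: str) -> PureWindowsPath:
    """Normalise a Windows path for case-insensitive comparison."""
    return PureWindowsPath(path.lower())


def sideload_reasons(ev: dict) -> list:
    """Reasons an Event 7 record looks like DLL sideloading; empty if benign."""
    if ev.get("EventID") != 7:
        return []
    dll = _win(ev["ImageLoaded"])
    if dll.name not in SIDELOAD_PRONE_DLLS:
        return []
    if str(dll).startswith(SYSTEM_DIRS):
        return []  # the genuine copy, loaded from where it belongs
    reasons = [f"{dll.name} loaded from outside a system directory: {dll.parent}"]
    if dll.parent == _win(ev["Image"]).parent:
        reasons.append("DLL sits in the host binary's own directory (search-order hit)")
    if ev.get("SignatureStatus", "").lower() != "valid":
        reasons.append(f"DLL signature status is {ev.get('SignatureStatus') or 'missing'}")
    return reasons


def detect_sideloads(lines) -> list:
    """Scan JSON-lines telemetry and return one alert per sideload candidate,
    each carrying the command lines of child processes the host spawned."""
    events = [json.loads(line) for line in lines if line.strip()]
    children = {}
    for ev in events:
        if ev.get("EventID") == 1:
            children.setdefault(ev.get("ParentProcessGuid"), []).append(ev["CommandLine"])
    alerts = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            alerts.append({
                "host": ev["Image"],
                "dll": ev["ImageLoaded"],
                "reasons": reasons,
                "children": children.get(ev["ProcessGuid"], []),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_sideloads(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['host']} loaded {alert['dll']}")
        for reason in alert["reasons"]:
            print("  -", reason)
        for cmd in alert["children"]:
            print("  spawned:", cmd)
```

Only the second load fires: a search-order DLL name, outside System32, next to its host, with no valid signature, followed by the host spawning a service-stop command. The svchost load of the real `version.dll` and the vendor app loading its own signed library stay quiet. Two caveats for production use: Sysmon only emits Event 7 when image-load logging is enabled in its configuration, and the name list is a heuristic an attacker can route around by picking a DLL not on it, so derive the set from an actual System32 directory listing rather than a hand-picked handful.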

Two different groups, same conclusion. The safety nets defenders rely on are fraying. Storm-1175 removes the “patch quickly and you’re fine” assumption. Qilin removes the “EDR will catch it” assumption. Put them together and the standard playbook has some serious holes.

The uncomfortable question: are zero-day exploits being shared or handed down within China’s state-criminal ecosystem the way they are in Russia’s? Microsoft’s attribution doesn’t answer that directly. But the gap between a typical ransomware affiliate and a group wielding multiple zero-days is enormous, and something is bridging it.

If you run SmarterMail or GoAnywhere MFT, patch now. Beyond that, ask whether your security posture still holds if both assumptions fail at once: no patch available yet, and EDR already disabled.

Read the full analysis on Storm-1175, Qilin, and why ransomware defense just got harder