Microsoft warns that a threat actor tracked as Storm-0501 has evolved its operations, shifting away from encrypting devices with ransomware to focusing on cloud-based encryption, data theft, and extortion.
The hackers now abuse native cloud features to exfiltrate data, wipe backups, and destroy storage accounts, applying pressure and extorting victims without deploying traditional ransomware encryption tools.
Storm-0501 is a threat actor that has been active since at least 2021, deploying the Sabbath ransomware in attacks against organizations worldwide. Over time, the threat actor joined various ransomware-as-a-service (RaaS) platforms, where it used encryptors from Hive, BlackCat (ALPHV), Hunters International, LockBit, and, more recently, Embargo ransomware.
In September 2024, Microsoft detailed how Storm-0501 extended its operations into hybrid cloud environments, pivoting from compromised on-premises Active Directory to Entra ID tenants. During those attacks, the threat actors either created persistent backdoors through malicious federated domains or encrypted on-premises devices using ransomware such as Embargo.
A new report published by Microsoft today outlines a shift in tactics, with Storm-0501 no longer relying on on-premises encryption and instead conducting attacks purely in the cloud.
“Unlike traditional on-premises ransomware, where the threat actor typically deploys malware to encrypt critical files across endpoints within the compromised network and then negotiates for a decryption key, cloud-based ransomware introduces a fundamental shift,” reads the report by Microsoft Threat Intelligence.
“Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom—all without relying on traditional malware deployment.”
Cloud-based ransomware attacks
In recent attacks observed by Microsoft, the hackers compromised multiple Active Directory domains and Entra tenants by exploiting gaps in Microsoft Defender deployments.
Storm-0501 then used stolen Directory Synchronization Accounts (DSAs), the highly privileged accounts that Entra Connect uses to sync on-premises Active Directory with Entra ID, to enumerate users, roles, and Azure resources with tools such as AzureHound. The attackers eventually discovered a Global Administrator account that lacked multifactor authentication, allowing them to reset its password and gain full administrative control of the tenant.
With these privileges, they established persistence by adding malicious federated domains under their control. Because the tenant trusts tokens issued by a federated identity provider, including the claim that MFA was already satisfied, this let them impersonate almost any user and bypass MFA protections in the domain.
Microsoft says they escalated their access further into Azure by abusing the Microsoft.Authorization/elevateAccess/action operation, which grants a Global Administrator the User Access Administrator role at the root scope of the tenant's subscriptions and allowed them to eventually assign themselves Owner roles, effectively taking over the victim's entire Azure environment.
Source: Microsoft
Once in control of the cloud environment, Storm-0501 began disabling defenses and stealing sensitive data from Azure Storage accounts. The threat actors also attempted to destroy storage snapshots, restore points, Recovery Services vaults, and storage accounts to prevent the target from recovering its data for free.
Where the threat actor could not delete data protected by recovery services, they applied cloud-based encryption instead: they created new Key Vaults and customer-managed keys under their control and re-keyed the data with them, making it inaccessible to the company unless it pays a ransom for access to the keys.
After stealing data, destroying backups, or encrypting cloud data, Storm-0501 moved to the extortion phase, contacting victims through Microsoft Teams using compromised accounts to deliver ransom demands.
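As an added example (not Microsoft's published detections or hunting queries, and not code from the report), the following Python correlates simplified Azure Activity Log and Entra ID audit records into the escalation and impact steps described above: elevateAccess, a self-assigned Owner role, deletion of backups and storage, and a newly created Key Vault followed by a customer-managed-key change on a storage account. The event records, callers and resource names are constructed; the Entra audit activity names for federation changes are assumed and should be checked against your own tenant's logs. The Owner role definition GUID and the Azure Resource Manager operation names are the documented ones.

```python
"""Correlate Azure Activity Log and Entra ID audit events into findings that
match the Storm-0501 cloud ransomware chain. Added example; events below are
constructed, simplified records (time, caller, caller_oid, op, target, props).
Real Activity Log / audit log records carry more fields and some different names."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Azure Resource Manager operation names as logged in the Activity Log.
ELEVATE_ACCESS = "Microsoft.Authorization/elevateAccess/action"
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"
KEYVAULT_WRITE = "Microsoft.KeyVault/vaults/write"
STORAGE_WRITE = "Microsoft.Storage/storageAccounts/write"
DESTRUCTIVE_OPS = {
    "Microsoft.RecoveryServices/vaults/delete",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/restorePointCollections/delete",
    "Microsoft.Storage/storageAccounts/delete",
}
# Built-in Azure RBAC "Owner" role definition GUID (identical in every tenant).
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
# Entra ID audit activity names for federation changes (assumed; confirm in your tenant).
FEDERATION_OPS = {"Set domain authentication", "Set federation settings on domain"}
WINDOW = timedelta(hours=24)


def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def vault_name(uri_or_id):
    """'https://kv-x.vault.azure.net/' and '/.../vaults/kv-x' both map to 'kv-x'."""
    host = urlparse(uri_or_id).hostname
    return (host.split(".")[0] if host else uri_or_id.rstrip("/").rsplit("/", 1)[-1]).lower()


def hunt(events, window=WINDOW):
    """Return {caller: {finding: [detail, ...]}} for every caller with at least one finding."""
    by_caller = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_time(e["time"])):
        by_caller[e["caller"]].append(e)

    findings = {}
    for caller, evs in by_caller.items():
        f = defaultdict(list)
        vaults_created = {}  # vault name -> time this caller created it
        for e in evs:
            t, op, target, props = parse_time(e["time"]), e["op"], e["target"], e.get("props", {})
            if op == ELEVATE_ACCESS:
                f["elevate_access"].append(target)
            elif op == ROLE_ASSIGNMENT_WRITE and props.get("roleDefinitionId", "").lower().endswith(OWNER_ROLE_ID):
                # Owner granted to the caller's own object ID is the takeover tell.
                key = "self_assigned_owner" if props.get("principalId") == e.get("caller_oid") else "owner_assignment"
                f[key].append(target)
            elif op in DESTRUCTIVE_OPS:
                f["backup_or_storage_destruction"].append(f"{op} {target}")
            elif op == KEYVAULT_WRITE:
                vaults_created[vault_name(target)] = t
            elif op == STORAGE_WRITE and props.get("keySource") == "Microsoft.Keyvault":
                # A CMK switch to a vault the same caller created moments earlier is the re-key pattern;
                # a CMK change against a long-standing vault is only noted as routine rotation.
                name = vault_name(props.get("keyVaultUri", ""))
                created = vaults_created.get(name)
                if created is not None and t - created <= window:
                    f["cmk_rekey_with_new_vault"].append(f"{target} -> {name}")
                else:
                    f["cmk_change"].append(target)
            elif op in FEDERATION_OPS:
                f["federation_change"].append(target)
        if f:
            findings[caller] = dict(f)
    return findings


ESCALATION = {"elevate_access", "self_assigned_owner", "federation_change"}
IMPACT = {"backup_or_storage_destruction", "cmk_rekey_with_new_vault"}


def flag_chains(findings):
    """Callers showing both an escalation step and an impact step: high-confidence hits."""
    return sorted(c for c, f in findings.items() if ESCALATION & f.keys() and IMPACT & f.keys())


SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ATTACKER, ATTACKER_OID = "ga-user@contoso.example", "11111111-1111-1111-1111-111111111111"
ADMIN = "ops-admin@contoso.example"
SAMPLE_EVENTS = [  # constructed, in the order the article describes
    {"time": "2025-08-27T09:00:00Z", "caller": ATTACKER, "op": "Set federation settings on domain",
     "target": "attacker-idp.example"},
    {"time": "2025-08-27T09:30:00Z", "caller": ATTACKER, "op": ELEVATE_ACCESS, "target": "/providers/Microsoft.Authorization"},
    {"time": "2025-08-27T09:35:00Z", "caller": ATTACKER, "caller_oid": ATTACKER_OID, "op": ROLE_ASSIGNMENT_WRITE,
     "target": SUB + "/providers/Microsoft.Authorization/roleAssignments/aaaa",
     "props": {"roleDefinitionId": SUB + "/providers/Microsoft.Authorization/roleDefinitions/" + OWNER_ROLE_ID,
               "principalId": ATTACKER_OID}},
    {"time": "2025-08-27T10:00:00Z", "caller": ATTACKER, "op": "Microsoft.RecoveryServices/vaults/delete",
     "target": SUB + "/resourceGroups/backup/providers/Microsoft.RecoveryServices/vaults/rsv-prod"},
    {"time": "2025-08-27T10:20:00Z", "caller": ATTACKER, "op": KEYVAULT_WRITE,
     "target": SUB + "/resourceGroups/rg-new/providers/Microsoft.KeyVault/vaults/kv-x7y9"},
    {"time": "2025-08-27T10:25:00Z", "caller": ATTACKER, "op": STORAGE_WRITE,
     "target": SUB + "/resourceGroups/data/providers/Microsoft.Storage/storageAccounts/stfinance",
     "props": {"keySource": "Microsoft.Keyvault", "keyVaultUri": "https://kv-x7y9.vault.azure.net/"}},
    # Routine CMK rotation by an admin against an existing vault: noted, not a chain.
    {"time": "2025-08-20T08:00:00Z", "caller": ADMIN, "op": STORAGE_WRITE,
     "target": SUB + "/resourceGroups/data/providers/Microsoft.Storage/storageAccounts/sthr",
     "props": {"keySource": "Microsoft.Keyvault", "keyVaultUri": "https://kv-corp.vault.azure.net/"}},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for caller in flag_chains(found):
        print(caller, found[caller])
```

The correlation key is the caller, because in the attacks described every step is performed with the same hijacked Global Administrator identity; in production you would feed it the Activity Log `caller` and `operationName` fields and the Entra audit `initiatedBy` and `activityDisplayName` fields, and tune the window to your change-management cadence so legitimate key rotations stay in the `cmk_change` bucket.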
Microsoft's report shares defensive guidance, Microsoft Defender XDR detections, and hunting queries that can help find and detect the tactics used by this threat actor.
As ransomware encryptors are increasingly blocked before they can encrypt devices, we may see other threat actors shift away from on-premises encryption to cloud-based data theft and encryption, which can be harder to detect and block because it runs entirely through legitimate cloud management APIs rather than through malware on endpoints.