Microsoft warns that a threat actor tracked as Storm-0501 has evolved its operations, shifting away from encrypting devices with ransomware to focusing on cloud-based encryption, data theft, and extortion.
The hackers now abuse native cloud features to exfiltrate data, wipe backups, and destroy storage accounts, thereby applying pressure and extorting victims without deploying traditional ransomware encryption tools.
Storm-0501 is a threat actor that has been active since at least 2021, deploying the Sabbath ransomware in attacks against organizations worldwide. Over time, the threat actor joined various ransomware-as-a-service (RaaS) platforms, where they used encryptors from Hive, BlackCat (ALPHV), Hunters International, LockBit, and, more recently, Embargo ransomware.
In September 2024, Microsoft detailed how Storm-0501 extended its operations into hybrid cloud environments, pivoting from compromising Active Directory to Entra ID tenants. During these attacks, the threat actors either created persistent backdoors through malicious federated domains or encrypted on-premises devices using ransomware, such as Embargo.
A new report by Microsoft today outlines a shift in tactics, with Storm-0501 no longer relying on on-premises encryption and instead conducting attacks purely in the cloud.
“Unlike traditional on-premises ransomware, where the threat actor typically deploys malware to encrypt critical files across endpoints within the compromised network and then negotiates for a decryption key, cloud-based ransomware introduces a fundamental shift,” reads the report by Microsoft Threat Intelligence.
“Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom—all without relying on traditional malware deployment.”
Cloud-based ransomware attacks
In recent attacks observed by Microsoft, the hackers compromised multiple Active Directory domains and Entra tenants by exploiting gaps in Microsoft Defender deployments.
Storm-0501 then used stolen Directory Synchronization Accounts (DSAs) to enumerate users, roles, and Azure resources with tools such as AzureHound. The attackers eventually discovered a Global Administrator account that lacked multifactor authentication, allowing them to reset its password and gain full administrative control.
With these privileges, they established persistence by adding malicious federated domains under their control, enabling them to impersonate almost any user and bypass MFA protections in the domain.
Microsoft says they escalated their access further into Azure by abusing the Microsoft.Authorization/elevateAccess/action operation, which ultimately allowed them to assign themselves Owner roles, effectively taking over the victim's entire Azure environment.
Source: Microsoft
Once in control of the cloud environment, Storm-0501 began disabling defenses and stealing sensitive data from Azure Storage accounts. The threat actors also attempted to destroy storage snapshots, restore points, Recovery Services vaults, and storage accounts to prevent the target from recovering its data for free.
When the threat actor could not delete data from recovery services, they applied cloud-based encryption by creating new Key Vaults and customer-managed keys, effectively re-encrypting the data with keys they controlled and making it inaccessible to the company unless it pays a ransom.
After stealing data, destroying backups, or encrypting cloud data, Storm-0501 moved to the extortion phase, contacting victims through Microsoft Teams using compromised accounts to deliver ransom demands.
Microsoft's report shares security advice, Microsoft Defender XDR detections, and hunting queries that can help find and detect the tactics used by this threat actor.
As ransomware encryptors are increasingly blocked before they can encrypt devices, we may see other threat actors shift away from on-premises encryption to cloud-based data theft and encryption, which may be harder to detect and block.
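The chain described above (elevateAccess abuse and role assignment, then destruction of backups and storage, then new Key Vaults for customer-managed-key encryption) can be hunted as a sequence rather than as isolated events. The following detection script is an added example, not code from Microsoft's report; the Activity Log field names, the sample records and every operation name other than Microsoft.Authorization/elevateAccess/action are assumptions, and it flags a caller only when two or more distinct stages occur within one time window, so a lone Key Vault creation or routine snapshot cleanup does not alert.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# ARM operation name -> attack stage. elevateAccess is the operation the report
# names; the other operation names are assumed for this example.
OP_STAGE = {
    "Microsoft.Authorization/elevateAccess/action": "elevate",
    "Microsoft.Authorization/roleAssignments/write": "elevate",
    "Microsoft.Storage/storageAccounts/delete": "destroy",
    "Microsoft.Compute/snapshots/delete": "destroy",
    "Microsoft.RecoveryServices/vaults/delete": "destroy",
    "Microsoft.KeyVault/vaults/write": "encrypt",
}
# Constructed Activity Log records as JSON lines (not real telemetry); the
# field names follow the exported Activity Log schema as assumed here.
SAMPLE_LOG = """
{"eventTimestamp": "2025-08-20T09:02:11Z", "caller": "sync-svc@contoso.example", "operationName": {"value": "Microsoft.Authorization/elevateAccess/action"}}
{"eventTimestamp": "2025-08-20T09:05:40Z", "caller": "sync-svc@contoso.example", "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"}}
{"eventTimestamp": "2025-08-20T11:47:03Z", "caller": "sync-svc@contoso.example", "operationName": {"value": "Microsoft.RecoveryServices/vaults/delete"}}
{"eventTimestamp": "2025-08-20T12:10:29Z", "caller": "sync-svc@contoso.example", "operationName": {"value": "Microsoft.KeyVault/vaults/write"}}
{"eventTimestamp": "2025-08-13T10:30:00Z", "caller": "ops@contoso.example", "operationName": {"value": "Microsoft.Compute/snapshots/delete"}}
{"eventTimestamp": "2025-08-20T10:30:00Z", "caller": "ops@contoso.example", "operationName": {"value": "Microsoft.KeyVault/vaults/write"}}
"""

def parse_events(text):
    """Yield (caller, stage, timestamp) for every tracked operation in the log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        stage = OP_STAGE.get(event["operationName"]["value"])
        if stage:
            ts = datetime.fromisoformat(event["eventTimestamp"].replace("Z", "+00:00"))
            yield event["caller"], stage, ts

def find_suspicious_callers(text, window=timedelta(hours=24)):
    """Return {caller: sorted stages} for callers that hit two or more distinct
    stages inside one sliding window; single-stage activity is not flagged."""
    per_caller = defaultdict(list)
    for caller, stage, ts in parse_events(text):
        per_caller[caller].append((ts, stage))
    flagged = {}
    for caller, hits in per_caller.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - start <= window}
            if len(stages) >= 2:
                flagged[caller] = sorted(stages)
                break
    return flagged
```

Calling find_suspicious_callers(SAMPLE_LOG) flags only sync-svc@contoso.example; the ops account's snapshot deletion and Key Vault write are a week apart and stay below the threshold.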