BianLian and Rhysida Use Azure for Ransomware Attacks
Security experts from modePUSH recently uncovered that ransomware groups such as BianLian and Rhysida are actively using tools like Microsoft Azure Storage Explorer and AzCopy to exfiltrate data from compromised networks and store it in Azure Blob cloud storage.
Storage Explorer is a graphical management tool for Azure, while AzCopy is a command-line utility for large-scale data transfers to the cloud. Using these tools, criminals upload stolen data to an Azure Blob container, from which it can be easily transferred to other storage locations.
modePUSH specialists noted that in order to work with Azure Storage Explorer, attackers must install additional dependencies and upgrade .NET to version 8. This highlights the growing emphasis on data theft in ransomware operations, where stolen information becomes the primary leverage in the subsequent extortion phase.
While each ransomware group employs its own tools for data exfiltration, Azure is particularly attractive to cybercriminals due to its reputation as an enterprise service. Since it is widely used by many companies, its traffic is less likely to be blocked by corporate firewalls and security systems, significantly easing the data transfer process.
Additionally, Azure’s scalability and performance are highly advantageous, especially when there is a need to swiftly transfer large volumes of files. modePUSH experts also observed that criminals utilize multiple instances of Azure Storage Explorer simultaneously to expedite the upload of data to the Blob container.
Researchers discovered that when using AzCopy and Storage Explorer, attackers enable the default logging level “Info,” which records operation details in a log file. This file can assist incident response experts in quickly determining what data was stolen and which files may have been uploaded to the victims’ devices.
To protect against such threats, it is recommended to monitor AzCopy execution, track outbound traffic to Azure Blob Storage endpoints, and set up alerts for unusual activities involving file copying or access on key servers. Organizations already using Azure should enable the automatic logout option after closing the application to prevent attackers from exploiting active sessions for data theft.
