Overview of Storm-0501 cloud-based ransomware attack chain | Image: Microsoft
Microsoft Threat Intelligence has published new research into Storm-0501, a financially motivated threat actor that has dramatically shifted its ransomware operations from traditional on-premises attacks to cloud-native campaigns. The report warns that Storm-0501 is “continuously evolving their campaigns to achieve sharpened focus on cloud-based tactics, techniques, and procedures (TTPs).”
Historically known for targeting hybrid environments, Storm-0501 has moved beyond traditional endpoint encryption to embrace the scale and speed of cloud-native tools. As Microsoft explains, “Unlike traditional on-premises ransomware… cloud-based ransomware introduces a fundamental shift. Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom—all without relying on traditional malware deployment.”
This pivot was first observed in 2021, when Storm-0501 deployed Sabbath ransomware against U.S. school districts, and later in 2023 targeted the healthcare sector. In 2024, the group weaponized Embargo ransomware in several high-profile campaigns.
In its latest investigation, Microsoft traced Storm-0501’s attack chain across a multi-subsidiary enterprise with complex Active Directory and Azure environments.
- On-Premises Foothold: Storm-0501 gained domain admin rights and abused tools like Evil-WinRM for lateral movement. They also executed a DCSync attack to extract password hashes without detection.
- Pivot to the Cloud: Using compromised Entra Connect Sync servers, they enumerated cloud resources with AzureHound. Although Conditional Access policies initially blocked them, Storm-0501 found a non-human synced identity with Global Administrator rights and no MFA. By resetting its on-premises password, they escalated to full cloud control.
- Persistence: Storm-0501 established a backdoor by maliciously adding federated domains into Entra ID, enabling them to impersonate nearly any user with crafted SAML tokens.
- Azure Exploitation: With Global Admin access, the group elevated to User Access Administrator and then Owner roles across all Azure subscriptions, mapping critical storage and backup resources.
- Impact Phase: They abused legitimate Azure operations to:
  - Exfiltrate data using AzCopy.
  - Delete backups and storage accounts with operations like Microsoft.Storage/storageAccounts/delete.
  - Attempt cloud-based encryption via new Key Vaults and encryption scopes.
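Because the impact phase relies on legitimate control-plane operations rather than malware, the Azure Activity Log is where it becomes visible. The following added example (not Microsoft's code or part of the report) triages a constructed, simplified set of Activity Log records for the operations described above and escalates when one principal deletes several storage accounts in a short window; the storage delete operation name is the one quoted above, the other operation names are standard Azure resource-provider names as I know them and should be verified against your own tenant's logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Control-plane operations that map to the impact phase described on the page.
# Assumption: names other than the storage delete are taken from the standard
# Azure resource-provider operation catalogue; confirm against real telemetry.
WATCHED_OPS = {
    "Microsoft.Storage/storageAccounts/delete": "storage account deleted",
    "Microsoft.Authorization/roleAssignments/write": "RBAC role assignment changed",
    "Microsoft.KeyVault/vaults/write": "Key Vault created or updated",
    "Microsoft.Storage/storageAccounts/encryptionScopes/write": "encryption scope created or updated",
}
BURST_COUNT = 3                        # deletes by one caller ...
BURST_WINDOW = timedelta(minutes=10)   # ... within this window -> high severity

def parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def triage(records):
    """Return (severity, caller, message) tuples for suspicious Activity Log entries."""
    findings, deletes = [], defaultdict(list)
    for r in records:
        op = r["operationName"]["value"]
        if op not in WATCHED_OPS or r["status"]["value"] != "Succeeded":
            continue  # only successful, watched operations matter here
        findings.append(("medium", r["caller"], f"{WATCHED_OPS[op]}: {r['resourceId']}"))
        if op == "Microsoft.Storage/storageAccounts/delete":
            deletes[r["caller"]].append(parse(r["eventTimestamp"]))
    # Mass deletion of storage (where backups live) by a single principal is the strongest signal.
    for caller, times in deletes.items():
        times.sort()
        for i in range(len(times) - BURST_COUNT + 1):
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
                findings.append(("high", caller, f"{BURST_COUNT}+ storage accounts deleted within {BURST_WINDOW}"))
                break
    return findings

def rec(ts, op, caller, rid, status="Succeeded"):
    # Constructed record in a simplified Activity Log shape, not real telemetry.
    return {"eventTimestamp": ts, "operationName": {"value": op}, "caller": caller,
            "resourceId": rid, "status": {"value": status}}

SUB = "/subscriptions/sub-1/resourceGroups/rg-backup/providers/Microsoft.Storage/storageAccounts/"
SAMPLE = [  # constructed sample: a synced service identity escalates, wipes backups, creates a vault
    rec("2025-08-01T10:00:00Z", "Microsoft.Authorization/roleAssignments/write", "sync-svc@contoso.example", "/subscriptions/sub-1/providers/Microsoft.Authorization/roleAssignments/ra-1"),
    rec("2025-08-01T10:02:00Z", "Microsoft.Storage/storageAccounts/delete", "sync-svc@contoso.example", SUB + "bkp01"),
    rec("2025-08-01T10:03:00Z", "Microsoft.Storage/storageAccounts/delete", "sync-svc@contoso.example", SUB + "bkp02"),
    rec("2025-08-01T10:05:00Z", "Microsoft.Storage/storageAccounts/delete", "sync-svc@contoso.example", SUB + "bkp03"),
    rec("2025-08-01T10:06:00Z", "Microsoft.KeyVault/vaults/write", "sync-svc@contoso.example", "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-new"),
    rec("2025-08-01T11:00:00Z", "Microsoft.Storage/storageAccounts/delete", "ops@contoso.example", SUB + "stg01", status="Failed"),
    rec("2025-08-01T11:30:00Z", "Microsoft.Compute/virtualMachines/read", "ops@contoso.example", "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"),
]

if __name__ == "__main__":
    for severity, caller, message in triage(SAMPLE):
        print(f"[{severity}] {caller}: {message}")
```

In production the same logic would run over records exported from the Activity Log to a Log Analytics workspace or Event Hub, and the role-assignment and Key Vault events should be correlated with Entra sign-in data for the same principal.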
As Microsoft summarizes, “In cloud-based ransomware attacks, cloud features and capabilities give the threat actor the capability to quickly exfiltrate and transmit large amounts of data, destroy the data and backup cloud resources in the victim cloud environment, and then demand the ransom.”
In a final twist, Storm-0501 used Microsoft Teams, logging in as a compromised user, to directly contact victims during the extortion phase.
Storm-0501’s evolution shows how ransomware actors are adapting to the hybrid and cloud-first world. By abusing legitimate Azure operations and exploiting identity gaps, they no longer need malware to achieve devastating results.