Storm-0501 Hackers Transition to Cloud-Based Ransomware Attacks

Microsoft has issued a warning regarding the threat actor known as Storm-0501, which has significantly evolved its operations. The group has shifted from traditional ransomware tactics that involved encrypting devices to a more sophisticated approach focused on cloud-based encryption, data theft, and extortion. By exploiting native cloud features, Storm-0501 is now able to exfiltrate data, wipe backups, and destroy storage accounts, thereby applying pressure on victims without the need for conventional ransomware encryption tools. Active since at least 2021, Storm-0501 initially deployed the Sabbath ransomware and has since engaged with various Ransomware-as-a-Service (RaaS) platforms, utilising encryptors from Hive, BlackCat (ALPHV), Hunters International, LockBit, and more recently, Embargo ransomware.

In a report released in September 2024, Microsoft detailed how Storm-0501 expanded its operations into hybrid cloud environments, transitioning from compromising Active Directory to targeting Entra ID tenants. The threat actors have been observed creating persistent backdoors through malicious federated domains or encrypting on-premises devices using ransomware like Embargo. The report highlights a fundamental shift in tactics, as Storm-0501 no longer relies on on-premises encryption. Instead, they leverage cloud-native capabilities to rapidly exfiltrate large volumes of data, destroy backups, and demand ransom without traditional malware deployment. Recent attacks have seen the hackers exploit vulnerabilities in Microsoft Defender, compromising multiple Active Directory domains and Entra tenants, ultimately gaining complete administrative control over the victims’ Azure environments. 

Categories: Cloud-Based Ransomware, Data Exfiltration and Extortion, Cybersecurity Threats and Vulnerabilities 

Tags: Storm-0501, Ransomware, Cloud-Based, Data Theft, Extortion, Active Directory, Entra ID, Azure, Cybersecurity, Threat Intelligence 
