Storm-0501 Shifts to Cloud Ransomware in Sophisticated Hybrid Attack

Storm-0501 shifts from endpoint ransomware to cloud-focused attacks.


Key Takeaways:

  • Storm-0501 is evolving from endpoint ransomware to advanced cloud-based attacks.
  • The group exploits identity gaps and hybrid cloud misconfigurations to move undetected.
  • Microsoft warns enterprises about rising risks in multi-tenant and hybrid environments.

Cybercriminal group Storm-0501 recently carried out a ransomware-style attack that breached both on-premises and cloud environments of an enterprise victim. The campaign highlights the group’s shift from traditional endpoint-focused tactics to more sophisticated cloud-based ransomware operations.

Storm-0501 is a financially driven cybercriminal group that has been active since 2021. It’s known for launching ransomware attacks using payloads like Sabbath, Hive, and Embargo. This group initially focused on compromising on-premises systems, and it has recently shifted its strategy toward cloud-based ransomware. The threat actor leverages identity theft and misconfigured cloud environments to infiltrate hybrid infrastructures and execute data destruction without deploying traditional malware.

According to Microsoft, Storm-0501 previously relied on traditional ransomware tactics, which involve encrypting files on infected endpoints and demanding payment for decryption. Now, the group has shifted to cloud-native ransomware strategies that focus on stealing large volumes of data, destroying backups, and extorting victims by exploiting cloud identities and misconfigurations.

“Storm-0501 has continued to demonstrate proficiency in moving between on-premises and cloud environments, exemplifying how threat actors adapt as hybrid cloud adoption grows,” the Microsoft Threat Intelligence team explained. “They hunt for unmanaged devices and security gaps in hybrid cloud environments to evade detection and escalate cloud privileges and, in some cases, traverse tenants in multi-tenant setups to achieve their goals.”

The threat group leverages hybrid cloud environments by moving between on-premises and cloud systems. It uses compromised Active Directory and Microsoft Entra ID accounts to escalate privileges. Their attacks often target unmanaged devices, visibility gaps, and multi-tenant environments, which makes it difficult for organizations to detect and contain breaches across interconnected platforms.

How does Storm-0501 infiltrate hybrid environments?

In a recent campaign, Storm-0501 infiltrated a large enterprise with multiple subsidiaries, each running its own Active Directory domain connected to the others through trust relationships. The attackers exploited a major visibility gap: only one of the victim's tenants had Microsoft Defender for Endpoint deployed, devices from the various domains were onboarded to that single tenant, and many other systems were never onboarded at all, leaving them unprotected. Storm-0501 actively checked which machines were running Defender so it could avoid them, and used tools like Evil-WinRM and native Windows commands for lateral movement.

The group initially compromised an Entra Connect Sync server that was not protected by Defender for Endpoint and used it as a pivot point into the rest of the enterprise network. From there it executed a DCSync attack to replicate password hashes from a domain controller, then shifted to the cloud: using the Directory Synchronization Account (DSA), whose credentials the Entra Connect server holds, the attackers enumerated users and Azure resources with AzureHound.

Microsoft observed that initial attempts to access privileged cloud accounts were blocked by Conditional Access and multi-factor authentication (MFA). However, Storm-0501 adapted by compromising another Entra Connect server and identifying an admin account without MFA enabled to gain full control over the cloud environment.
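The DCSync step described above is detectable on the domain controller, but the hybrid setup complicates the rule: the Entra Connect AD DS connector account legitimately replicates password hashes, so a naive "non-DC account requested replication" alert either fires on every sync cycle or allowlists the exact account an attacker on the sync server would use. The following is an added example, not code from the article or from Microsoft, showing one way to handle that: flag any replication request on the domain object by an account other than a domain controller, and flag the connector account too when its logon session did not originate from the Entra Connect Sync server. Event 4662 carries no client address, so the source is recovered by joining its SubjectLogonId to the TargetLogonId of the matching 4624 logon. The account names, addresses and events are constructed for the example.

```python
"""Detect DCSync-style replication requests in Windows Security event 4662.

Added example, not code from the article or from Microsoft. A DCSync request
is logged on the domain controller as event 4662 against the domain object
(class domainDNS) with one of the replication control-access rights below.
Domain controllers and the Entra Connect AD DS connector account (which
replicates password hashes for password hash sync) do this legitimately, so
they are allowlisted; the connector account is still flagged when the logon
session it used did not originate from the Entra Connect Sync server.
Account names, addresses and events below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

# Control-access-right GUIDs that appear in the 4662 Properties field
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"   # schema GUID of domainDNS

# Legitimate replicators (assumed names and addresses for this example)
DC_ACCOUNTS = {"DC01$", "DC02$"}
CONNECTOR_ACCOUNT = "MSOL_0a1b2c3d4e5f"        # Entra Connect AD DS connector account
CONNECTOR_HOSTS = {"10.10.1.25"}               # the Entra Connect Sync server

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")


@dataclass
class Finding:
    account: str
    source: str
    rights: list = field(default_factory=list)
    reason: str = ""


def replication_rights(properties: str) -> list:
    """Names of the replication rights present in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g] for g in GUID_RE.findall(properties.lower())
            if g in REPLICATION_RIGHTS]


def detect_dcsync(events_4662, events_4624):
    """Return a Finding for each replication request by an account or host that should not replicate."""
    # 4662 has no client address: resolve it through the logon session id of the 4624 event
    logon_source = {e["TargetLogonId"]: e.get("IpAddress", "-") for e in events_4624}
    findings = []
    for e in events_4662:
        rights = replication_rights(e.get("Properties", ""))
        if not rights:
            continue
        # Only replication of the domain naming context yields credential material
        if DOMAIN_DNS_CLASS not in e.get("ObjectType", "").lower():
            continue
        account = e["SubjectUserName"]
        source = logon_source.get(e["SubjectLogonId"], "unknown")
        if account.upper() in {a.upper() for a in DC_ACCOUNTS}:
            continue                                   # normal DC-to-DC replication
        if account == CONNECTOR_ACCOUNT:
            if source in CONNECTOR_HOSTS:
                continue                               # normal password hash sync cycle
            reason = "connector account replicating from an unexpected host"
        else:
            reason = "account with no replication role requested directory replication"
        findings.append(Finding(account, source, rights, reason))
    return findings


# Constructed sample events (field names as in the Windows event XML)
SAMPLE_4624 = [
    {"TargetUserName": "MSOL_0a1b2c3d4e5f", "TargetLogonId": "0x1a2b3c", "IpAddress": "10.10.1.25"},
    {"TargetUserName": "MSOL_0a1b2c3d4e5f", "TargetLogonId": "0x4d5e6f", "IpAddress": "10.10.7.200"},
    {"TargetUserName": "DC02$", "TargetLogonId": "0x7a8b9c", "IpAddress": "10.10.1.11"},
    {"TargetUserName": "svc-backup", "TargetLogonId": "0xabcdef", "IpAddress": "10.10.7.200"},
]
REPL = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
DOMAIN_OBJ = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"
SAMPLE_4662 = [
    {"SubjectUserName": "MSOL_0a1b2c3d4e5f", "SubjectLogonId": "0x1a2b3c", "ObjectType": DOMAIN_OBJ, "Properties": REPL},
    {"SubjectUserName": "MSOL_0a1b2c3d4e5f", "SubjectLogonId": "0x4d5e6f", "ObjectType": DOMAIN_OBJ, "Properties": REPL},
    {"SubjectUserName": "DC02$", "SubjectLogonId": "0x7a8b9c", "ObjectType": DOMAIN_OBJ, "Properties": REPL},
    {"SubjectUserName": "svc-backup", "SubjectLogonId": "0xabcdef", "ObjectType": DOMAIN_OBJ, "Properties": REPL},
    # Ordinary read of a user object: no replication rights, must not fire
    {"SubjectUserName": "svc-backup", "SubjectLogonId": "0xabcdef",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_4662, SAMPLE_4624):
        print(f"{f.account} from {f.source}: {f.reason} ({', '.join(f.rights)})")
```

On the sample data the rule fires twice: the connector account replicating from 10.10.7.200 rather than the sync server, and the backup service account requesting replication at all. Auditing of object access on the domain object must be enabled for 4662 to be written, and the connector host list has to track the real Entra Connect servers (including staging-mode servers), or the second branch produces noise.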

[Figure: Overview of Storm-0501 cloud-based ransomware attack chain (Image Credit: Microsoft)]

How do you defend against cloud-based ransomware attacks?

Overall, IT teams should adopt a multi-layered security approach to protect organizations from cloud-based ransomware attacks. First, ensure comprehensive endpoint protection across all devices and domains so there are no unmonitored systems for an attacker to pivot through; tools like Microsoft Defender for Endpoint should be onboarded consistently across every domain and tenant, and monitored for signs of tampering or evasion.

Secondly, enterprise admins must strengthen identity and access management by enforcing MFA for all accounts, starting with privileged ones. They should regularly audit permissions to eliminate over-privileged roles and misconfigured cloud identities, and deploy monitoring that flags unusual behavior such as privilege escalation, replication requests from accounts that should not replicate, or lateral movement across domains.

Finally, it's highly recommended to secure hybrid environments by treating Entra Connect Sync servers as Tier 0 assets: onboard them to endpoint protection, restrict who can log on to them, and watch for the Directory Synchronization Account being used from anywhere other than the sync server. Organizations should also implement Conditional Access policies, segment networks, and conduct regular threat simulations to protect against identity-based attacks.
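The identity checks above reduce to a concrete audit: which privileged accounts have no MFA registered, which rely only on phishable methods, and which are synced from on-premises AD so that whoever controls the domain or the Entra Connect server can reset their password. The following is an added example, not code from the article or from Microsoft, that runs that audit over data in the shape Microsoft Graph returns. In production the three inputs come from `GET /v1.0/directoryRoles/{id}/members`, `GET /v1.0/reports/authenticationMethods/userRegistrationDetails` and `GET /v1.0/users?$select=userPrincipalName,onPremisesSyncEnabled`; the records here are constructed, and the set of roles treated as privileged is an assumption for the example.

```python
"""Audit privileged Entra ID accounts for missing or weak MFA and for on-premises exposure.

Added example, not code from the article or from Microsoft. Field names follow
the Microsoft Graph responses named in the lead-in; the records are constructed.
An account that a Conditional Access policy would prompt for MFA but that has
never registered a method is the case the article describes, so it is reported
as a failure here rather than left for the policy to catch.
"""

# Roles whose holders can take over the tenant or the sync pipeline (assumed scope)
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
    "Hybrid Identity Administrator",
}
# methodsRegistered values in the Graph report that resist credential phishing
PHISHING_RESISTANT = {"fido2SecurityKey", "windowsHelloForBusiness",
                      "microsoftAuthenticatorPasswordless"}


def audit_privileged_accounts(role_members, registration, users):
    """role_members: {role display name: [UPN, ...]}
    registration:   list of userRegistrationDetails records
    users:          list of user records carrying onPremisesSyncEnabled
    Returns one finding per privileged account with at least one issue, sorted by UPN."""
    reg = {r["userPrincipalName"].lower(): r for r in registration}
    synced = {u["userPrincipalName"].lower(): bool(u.get("onPremisesSyncEnabled")) for u in users}
    findings = {}
    for role, members in role_members.items():
        if role not in PRIVILEGED_ROLES:
            continue
        for upn in members:
            key = upn.lower()
            if key in findings:                      # already reported: just add the role
                findings[key]["roles"].append(role)
                continue
            issues = []
            detail = reg.get(key)
            if detail is None or not detail.get("isMfaRegistered"):
                issues.append("no MFA registered")
            elif not set(detail.get("methodsRegistered", [])) & PHISHING_RESISTANT:
                issues.append("only phishable MFA methods registered")
            if synced.get(key):
                issues.append("synced from on-premises AD (password resettable on-premises)")
            if issues:
                findings[key] = {"upn": upn, "roles": [role], "issues": issues}
    return sorted(findings.values(), key=lambda f: f["upn"])


# Constructed sample data in the shape of the Graph responses
SAMPLE_ROLE_MEMBERS = {
    "Global Administrator": ["admin-cloud@contoso.example",
                             "breakglass@contoso.example",
                             "jdoe-adm@contoso.example"],
    "Hybrid Identity Administrator": ["jdoe-adm@contoso.example"],
    "Helpdesk Administrator": ["helpdesk@contoso.example"],   # not in scope
}
SAMPLE_REGISTRATION = [
    {"userPrincipalName": "admin-cloud@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "jdoe-adm@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "helpdesk@contoso.example", "isMfaRegistered": False,
     "methodsRegistered": []},
    # breakglass@ has no registration record at all
]
SAMPLE_USERS = [
    {"userPrincipalName": "admin-cloud@contoso.example", "onPremisesSyncEnabled": None},
    {"userPrincipalName": "breakglass@contoso.example", "onPremisesSyncEnabled": None},
    {"userPrincipalName": "jdoe-adm@contoso.example", "onPremisesSyncEnabled": True},
    {"userPrincipalName": "helpdesk@contoso.example", "onPremisesSyncEnabled": True},
]

if __name__ == "__main__":
    for f in audit_privileged_accounts(SAMPLE_ROLE_MEMBERS, SAMPLE_REGISTRATION, SAMPLE_USERS):
        print(f"{f['upn']} [{', '.join(f['roles'])}]: {'; '.join(f['issues'])}")
```

On the sample data the audit reports the break-glass Global Administrator with nothing registered and the synced administrator who holds both Global Administrator and Hybrid Identity Administrator with only a phone method. The third finding type is the one hybrid deployments most often miss: a synced Global Administrator is only as safe as the on-premises domain, and the usual remedy is to keep tenant-level roles on cloud-only accounts.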