Current Cyber Threats

Storm-0501 Hackers Shift to Ransomware Attacks in the Cloud

Summary:
In a recent attack, Storm-0501 infiltrated a large enterprise with multiple subsidiaries and inconsistent Microsoft Defender deployment. After gaining domain administrator access, the group conducted reconnaissance to identify unprotected systems, used tools like Evil-WinRM for lateral movement, and performed a DCSync attack to harvest privileged credentials. They then leveraged Entra Connect Sync accounts to enumerate cloud resources, traversed multiple domains and tenants, and eventually compromised a non-human account with global administrator rights in Entra ID that lacked multifactor authentication. By resetting and syncing passwords, they established control of the cloud environment, registered their own MFA method, and achieved persistent access through a malicious federated domain using AADInternals.

Once global administrator access was secured, Storm-0501 elevated their privileges across Azure resources, assigned themselves Owner roles, and mapped the environment using AzureHound to locate sensitive data and backups. They exfiltrated data through AzCopy, exposed Azure Storage accounts by abusing public access settings, and stole access keys. Afterward, they attempted to cripple recovery by deleting snapshots, restore points, storage accounts, and recovery vaults, and when encountering protections like immutability policies, they tried to override them or encrypt resources with newly created Azure Key Vaults and encryption scopes. Finally, the group erased critical cloud data, demanded ransom, and contacted victims directly via Microsoft Teams accounts belonging to compromised users.


Security Officer Comments:
Storm-0501 has shifted from traditional endpoint ransomware to cloud-based ransomware operations. Instead of deploying malware across endpoints, the group now abuses cloud-native features to exfiltrate and destroy large volumes of data, delete backups, and demand ransom without relying on conventional ransomware payloads. The actor, previously observed using Sabbath ransomware against U.S. school districts in 2021 and later targeting healthcare with different strains such as Embargo, has steadily adapted its methods to exploit hybrid environments. By compromising Active Directory and pivoting into Microsoft Entra ID, Storm-0501 escalates privileges to global administrator roles, often taking advantage of fragmented security coverage, unmanaged devices, or poorly protected Entra Connect Sync servers.


Suggested Corrections:

Microsoft has outlined several mitigations against threats like Storm-0501 in its recent security blog. The key recommendations are quoted below; the full list is available at the link:

https://www.microsoft.com/en-us/sec...ng-techniques-lead-to-cloud-based-ransomware/

“To thwart the emerging threat of cloud-based ransomware attacks by Storm-0501 and other such actors, Microsoft recommends applying robust security controls to protect cloud and hybrid environments. Some of the key methods include restricting Directory Synchronization Account (DSA) permissions in Microsoft Entra ID, enabling modern authentication (public preview as of May 2025), and using Trusted Platform Module (TPM) on Entra Connect Sync servers to protect credentials” (Microsoft, 2025).
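The following Python audit is added here and is not part of Microsoft's guidance or of either linked article. It checks a tenant inventory for the weaknesses the summary and the recommendations above call out: privileged Entra roles held by non-human principals or by accounts with no registered MFA, Entra Connect sync accounts (identified by the default `Sync_<server>_<id>` naming) holding anything beyond the Directory Synchronization Accounts role, and storage accounts that allow anonymous blob access or shared-key authorization or lack account-level immutability. The inventory records are constructed and their shape is an assumption; the Entra role names and the storage account property names are real.

```python
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
}
SYNC_ROLE = "Directory Synchronization Accounts"  # the only role a DSA needs

# Constructed directory-role membership. Shape is an assumption; a real
# inventory would be built from Graph directory-role and authentication-method
# queries.
SAMPLE_ROLE_MEMBERS = [
    {"principal": "cio@contoso.example", "type": "user",
     "role": "Global Administrator", "mfa_registered": True},
    {"principal": "svc-backup-automation@contoso.example", "type": "user",
     "role": "Global Administrator", "mfa_registered": False},
    {"principal": "Sync_SRV01_abcd1234@contoso.example", "type": "user",
     "role": SYNC_ROLE, "mfa_registered": False},
    {"principal": "Sync_SRV02_ef567890@contoso.example", "type": "user",
     "role": "Global Administrator", "mfa_registered": False},
    {"principal": "app-deploy", "type": "servicePrincipal",
     "role": "Global Administrator", "mfa_registered": False},
]

# Constructed storage accounts, approximating ARM resource JSON. The property
# names under "properties" are real; the records are invented.
SAMPLE_STORAGE_ACCOUNTS = [
    {"name": "stbackupsprod", "properties": {
        "allowBlobPublicAccess": False,
        "allowSharedKeyAccess": False,
        "immutableStorageWithVersioning": {"enabled": True}}},
    {"name": "stfileshare", "properties": {
        "allowBlobPublicAccess": True,
        "allowSharedKeyAccess": True}},
]


def audit_privileged_roles(members):
    """Return (principal, issue) pairs for privileged-role holders that match
    the conditions Storm-0501 abused: non-human, MFA-less, or a sync account."""
    findings = []
    for m in members:
        role = m["role"]
        if role not in PRIVILEGED_ROLES:
            continue
        if m["type"] != "user":
            findings.append((m["principal"], f"non-human principal holds {role}"))
        elif not m["mfa_registered"]:
            findings.append((m["principal"], f"{role} without registered MFA"))
        if m["principal"].startswith("Sync_"):
            findings.append((m["principal"],
                             f"directory sync account holds {role}; restrict to '{SYNC_ROLE}'"))
    return findings


def audit_storage_accounts(accounts):
    """Return (account, issue) pairs for settings that enable public exposure,
    key-based access, or unprotected deletion of data."""
    findings = []
    for a in accounts:
        p = a.get("properties", {})
        # An absent value is treated as "not explicitly hardened" and flagged.
        if p.get("allowBlobPublicAccess", True):
            findings.append((a["name"], "anonymous blob access allowed at account level"))
        if p.get("allowSharedKeyAccess", True):
            findings.append((a["name"], "shared key (access key) authorization enabled"))
        if not p.get("immutableStorageWithVersioning", {}).get("enabled", False):
            findings.append((a["name"], "no account-level immutability"))
    return findings


def run_audit(members, accounts):
    return {"roles": audit_privileged_roles(members),
            "storage": audit_storage_accounts(accounts)}


if __name__ == "__main__":
    for section, items in run_audit(SAMPLE_ROLE_MEMBERS, SAMPLE_STORAGE_ACCOUNTS).items():
        print(f"== {section} ==")
        for name, issue in items:
            print(f"{name}: {issue}")
```

The audit treats a sync account that holds any privileged role as a finding even when it also has MFA, since the DSA is a non-interactive identity whose permissions should be limited to synchronization; the storage checks deliberately flag missing settings rather than assume a safe default.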

Link(s):
https://www.bleepingcomputer.com/ne...ers-shift-to-ransomware-attacks-in-the-cloud/