
Storm-0501 utilizes Entra ID to extract and erase Azure data during hybrid cloud attacks

The financially motivated threat actor known as Storm-0501 has been observed refining its tactics to conduct data exfiltration and extortion attacks targeting cloud environments. Unlike traditional on-premises ransomware, where the threat actor typically deploys malware to encrypt critical files across endpoints within the compromised network and then negotiates for a decryption key, cloud-based ransomware introduces a fundamental shift. The Microsoft Threat Intelligence team reported that Storm-0501 leverages cloud-native capabilities to rapidly exfiltrate large volumes of data, destroy data and backups within the victim environment, and demand ransom—all without relying on traditional malware deployment. First documented by Microsoft almost a year ago, Storm-0501 has targeted government, manufacturing, transportation, and law enforcement sectors in the U.S., pivoting from on-premises to cloud for subsequent data exfiltration, credential theft, and ransomware deployment.

Active since 2021, Storm-0501 has evolved into a Ransomware-as-a-Service (RaaS) affiliate, delivering various ransomware payloads over the years, including Sabbath, Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo. The group has demonstrated proficiency in moving between on-premises and cloud environments, showcasing how threat actors adapt as hybrid cloud adoption grows. They hunt for unmanaged devices and security gaps in hybrid cloud environments to evade detection and escalate cloud privileges, sometimes traversing tenants in multi-tenant setups to achieve their goals. Typical attack chains involve the threat actor abusing their initial access to escalate privileges to domain administrator, followed by on-premises lateral movement and reconnaissance steps that allow them to breach the target's cloud environment. Recent campaigns have seen Storm-0501 conduct reconnaissance and lateral movement across networks using Evil-WinRM, as well as executing DCSync attacks to extract credentials from Active Directory by simulating the behaviour of a domain controller.
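As an added defender-side example (not from the article or from Microsoft's report), the following Python flags the replication-rights requests that a DCSync attack generates in Windows Security Event 4662 records when they come from an account other than a known domain controller. The JSON record shape, the domain-controller allow-list and the sample events are constructed assumptions; the control-access-right GUIDs are the real ones for directory replication.

```python
"""Flag DCSync-style replication requests from non-domain-controller accounts.

Added example; not part of the original article. DCSync works by asking a DC to
replicate directory data, which requires the replication control-access rights
below. Legitimate requests come from DC machine accounts, so a 4662 event that
requests these rights from any other identity is worth an alert.
"""
import json

# Control-access-right GUIDs that appear in the Properties field of Event 4662.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Hypothetical allow-list of domain-controller machine accounts (assumption).
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}


def is_dc_account(subject: str) -> bool:
    """Only the known DC machine accounts are expected to request replication."""
    return subject in KNOWN_DC_ACCOUNTS


def find_suspicious_replication(events):
    """Return (subject, rights) for each 4662 event that requests replication
    rights on behalf of an account that is not a known domain controller."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        rights = sorted(name for guid, name in REPLICATION_GUIDS.items() if guid in props)
        if rights and not is_dc_account(ev.get("SubjectUserName", "")):
            hits.append((ev["SubjectUserName"], rights))
    return hits


def parse_log(text: str):
    """Parse one JSON-encoded event per line (constructed shipper format)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample: a legitimate DC replication, a DCSync-style request, and noise.
SAMPLE_LOG = "\n".join([
    json.dumps({"EventID": 4662, "SubjectUserName": "DC02$",
                "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}),
    json.dumps({"EventID": 4662, "SubjectUserName": "svc_backup",
                "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}),
    json.dumps({"EventID": 4624, "SubjectUserName": "svc_backup"}),
])

if __name__ == "__main__":
    for subject, rights in find_suspicious_replication(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {subject} requested {', '.join(rights)}")
```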
