Microsoft details Storm-0501’s focus on ransomware in the cloud

A financially motivated threat group operating since 2021 has refined its technical tradecraft, honing its focus on cloud-based systems that allow it to expand ransomware operations beyond the scope of on-premises infrastructure, Microsoft Threat Intelligence said in a report released Wednesday.
By leveraging cloud-native capabilities, Storm-0501 has rapidly exfiltrated large volumes of data, destroyed data and backups within victim environments, and encrypted systems. “This is in contrast to threat actors who may have relied solely on malware deployed to endpoints,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, said in an email.
“This evolution is about both a technical shift and a change in impact strategy,” DeGrippo said. “Instead of just encrypting files and demanding ransom for decryption, Storm-0501 now exfiltrates sensitive cloud data, destroys backups, and then extorts victims by threatening permanent data loss or exposure.”
Storm-0501 targets opportunistically by searching for unmanaged devices and security gaps in hybrid cloud environments. By exploiting these vulnerabilities, it can evade detection, escalate its access privileges and sometimes move between user accounts. This approach amplifies the impact of its attacks and raises its chance for a payout, according to Microsoft.
The threat group recently compromised a large enterprise with multiple subsidiaries that each operated standalone Active Directory domains and separate Microsoft Azure instances with varying security tool coverage linked to several Entra ID tenants. “This fragmented deployment created visibility gaps across the environment,” researchers said in the report.
Storm-0501 searched for Active Directory domains that did not have endpoint detection enabled. Once it gained a foothold in an Active Directory environment, it hopped to other domains and eventually compromised a separate Entra Connect server associated with a different Entra ID tenant and Active Directory domain.
“Many organizations have on-prem assets that are of extremely high criticality, often too fragile or legacy to move to the cloud,” DeGrippo said. “This is what provides such a significant weakness in these environments.”
Reconnaissance in that environment allowed the threat group to gain deep visibility into the organization’s security tooling and infrastructure. Storm-0501 identified a non-human identity that held Global Administrator privileges in that Entra ID tenant and lacked multifactor authentication.
The threat group successfully reset that identity’s on-premises password, synced the new password to the identity’s cloud counterpart and registered a new MFA method under its own control. With that level of access, Storm-0501 achieved full control over the cloud domain and used the highest possible cloud privileges to achieve its goals, researchers said.
Storm-0501 eventually took control of the victim organization’s Azure environment, located critical assets and abused its Azure Owner role to access and steal keys that allowed it to exfiltrate data. Microsoft said the threat group then performed cloud-based encryption and deleted Azure resources en masse before it initiated extortion by contacting victims on Microsoft Teams using one of the previously compromised user accounts.
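The identity takeover described above (on-prem password reset synced to a Global Admin identity, followed by a new MFA registration) expressed as a detection rule over constructed audit events. This is an added example, not code from Microsoft or the report; the event field names, the directory-sync account naming and the sample accounts are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit events in a simplified, Entra-audit-like shape;
# the field names are an assumption, not Microsoft's real schema. The sequence
# mirrors the report: a Global Admin service account's on-prem password reset
# arrives via the directory-sync account, then new MFA info is registered.
SAMPLE_EVENTS = [
    {"ts": "2025-08-20T09:58:00", "activity": "Change user password",
     "initiator": "Sync_SRV01_a1b2c3@contoso.example", "target": "svc-backup@contoso.example"},
    {"ts": "2025-08-20T10:02:00", "activity": "User registered security info",
     "initiator": "svc-backup@contoso.example", "target": "svc-backup@contoso.example"},
    {"ts": "2025-08-20T10:30:00", "activity": "User registered security info",
     "initiator": "alice@contoso.example", "target": "alice@contoso.example"},
]

# Assumed inventory (e.g. from a role-assignment export): privileged identities
# that are non-human, so should never register MFA on their own behalf.
PRIVILEGED_NON_HUMAN = {"svc-backup@contoso.example"}

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def _is_sync_account(upn):
    # Assumed naming convention for the Entra Connect sync account.
    return upn.lower().startswith("sync_")

def find_takeover_sequences(events, privileged, window_minutes=60):
    """Flag privileged identities whose synced password change is followed by MFA registration."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, e in enumerate(events):
        if (e["activity"] != "Change user password" or e["target"] not in privileged
                or not _is_sync_account(e["initiator"])):
            continue
        deadline = _ts(e) + timedelta(minutes=window_minutes)
        for later in events[i + 1:]:
            if _ts(later) > deadline:
                break
            if (later["activity"] == "User registered security info"
                    and later["target"] == e["target"]):
                alerts.append({"identity": e["target"], "password_change": e["ts"],
                               "mfa_registered": later["ts"]})
                break
    return alerts

def non_human_mfa_registrations(events, non_human):
    """Any MFA registration on a non-human privileged identity is suspicious on its own."""
    return sorted({e["target"] for e in events
                   if e["activity"] == "User registered security info" and e["target"] in non_human})
```

Either rule firing on a Global Administrator identity is a reason to check that the MFA method was registered by its owner and to review the Entra Connect server the sync account runs on.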
“Storm-0501 is driving a major shift in ransomware tactics,” DeGrippo said. “Hybrid and cloud environments are uniquely vulnerable. Storm-0501 exploits gaps between on-prem and cloud security, showing that organizations with hybrid architectures are at greater risk if they don’t have unified visibility and controls.”