Storm-0501 ramps up ransomware attacks on cloud systems

September 30, 2024
Cloud Systems Storm-0501 Embargo Ransomware Session Hijacking Cybercrime

Microsoft has issued a warning about Storm-0501, a ransomware group that has recently escalated its attack strategy by targeting hybrid cloud environments. Previously known for ransomware operations within on-premises networks, Storm-0501 now focuses on extending its reach into cloud infrastructure, aiming to compromise entire hybrid networks in a single campaign.

Emerging in 2021, Storm-0501 initially acted as an affiliate for the Sabbath ransomware group. Over time, it broadened its involvement, deploying file-encrypting malware from notable ransomware groups such as Hive, BlackCat, LockBit, and Hunters International. Recently, the group has been observed using Embargo ransomware to carry out its operations.

The group’s targets have been wide-ranging, focusing on key sectors like hospitals, government agencies, manufacturers, transportation companies, and law enforcement agencies within the United States. The attack patterns typically begin by exploiting weak credentials and privileged accounts, allowing the group to steal sensitive data and deploy ransomware within compromised networks.


Storm-0501 gains initial access through stolen or purchased credentials or by exploiting known vulnerabilities.

Recent attacks have exploited flaws in Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and Adobe ColdFusion (CVE-2023-29300, CVE-2023-38203). Once inside, the group uses tools such as Impacket and Cobalt Strike for lateral movement within the network, while disabling security mechanisms through PowerShell commands.

One of the main components of their cloud attack involves leveraging stolen Microsoft Entra ID (formerly Azure Active Directory) credentials to gain access to cloud environments. By compromising Microsoft Entra Connect Sync accounts, which synchronise data between on-premise Active Directory systems and cloud-based Microsoft Entra ID, the group can conduct various sensitive actions, including hijacking user sessions. If they manage to steal the Directory Synchronisation Account credentials, they can use specialised tools to reset cloud passwords, bypassing additional security layers.

The group’s persistence tactics involve setting up a new federated domain within the victim’s Microsoft Entra tenant, allowing them to authenticate as any user they choose. From here, they either deploy Embargo ransomware across the compromised network or maintain backdoor access for future attacks.
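The two cloud-side steps described above, abuse of the Directory Synchronisation Account and the addition of a rogue federated domain, both leave traces in the Microsoft Entra ID audit log. The script below is an added detection example, not code from Microsoft or from the article: it runs over a handful of constructed audit-log records and flags (a) any federation or domain-authentication change and (b) any cloud password reset initiated by an account whose name carries the `Sync_` prefix that Entra Connect uses for its synchronisation identity. The operation names in `FEDERATION_OPS` and `PASSWORD_OPS`, the `Sync_` naming convention and the sample records are assumptions made for this example.

```python
"""Flag Entra ID audit-log events consistent with the persistence and
credential-abuse steps described in the article: federation/domain-authentication
changes, and password resets initiated by a directory synchronisation account.

The records in SAMPLE_LOG are constructed for this example. The operation names
below are assumptions modelled on Entra ID audit-log activity names; verify them
against your own tenant's logs before relying on this logic."""
import json
from dataclasses import dataclass

# Assumed operation names for domain/federation changes. Any of these on a
# domain that was previously "Managed" deserves immediate review.
FEDERATION_OPS = {
    "Set federation settings on domain",
    "Set domain authentication",
    "Add unverified domain",
}

# Assumed operation names for cloud credential changes.
PASSWORD_OPS = {"Reset user password", "Change user password"}

# Entra Connect's cloud sync identity is named with a "Sync_" prefix
# (naming assumption used for this check).
SYNC_PREFIX = "sync_"


@dataclass(frozen=True)
class Finding:
    rule: str
    actor: str
    target: str
    timestamp: str


def _actor(record):
    """Return the initiating user UPN, or the app display name if app-initiated."""
    initiated = record.get("initiatedBy", {})
    user = initiated.get("user") or {}
    app = initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName", "unknown")


def _targets(record):
    return [t.get("displayName", "") for t in record.get("targetResources", [])]


def analyse(records):
    """Return Findings for suspicious records, preserving input order."""
    findings = []
    for rec in records:
        op = rec.get("operationName", "")
        actor = _actor(rec)
        ts = rec.get("activityDateTime", "")
        for target in _targets(rec) or ["<none>"]:
            if op in FEDERATION_OPS:
                findings.append(Finding("federation-change", actor, target, ts))
            elif op in PASSWORD_OPS and actor.lower().startswith(SYNC_PREFIX):
                findings.append(Finding("sync-account-password-reset", actor, target, ts))
    return findings


# Constructed sample audit-log export (five records, three of them suspicious).
SAMPLE_LOG = """[
 {"activityDateTime": "2024-09-01T08:00:00Z", "operationName": "Update user",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso-example.com"}},
  "targetResources": [{"displayName": "alice@contoso-example.com"}]},
 {"activityDateTime": "2024-09-01T08:05:00Z", "operationName": "Set federation settings on domain",
  "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso-example.com"}},
  "targetResources": [{"displayName": "contoso-example.com"}]},
 {"activityDateTime": "2024-09-01T08:07:00Z", "operationName": "Reset user password",
  "initiatedBy": {"user": {"userPrincipalName": "Sync_ONPREMSRV01_0123abcd@contoso-example.onmicrosoft.com"}},
  "targetResources": [{"displayName": "globaladmin@contoso-example.com"}]},
 {"activityDateTime": "2024-09-01T08:09:00Z", "operationName": "Reset user password",
  "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso-example.com"}},
  "targetResources": [{"displayName": "bob@contoso-example.com"}]},
 {"activityDateTime": "2024-09-01T08:12:00Z", "operationName": "Add unverified domain",
  "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso-example.com"}},
  "targetResources": [{"displayName": "contoso-example-login.com"}]}
]"""


def run_sample():
    """Analyse the constructed sample export."""
    return analyse(json.loads(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.timestamp} {f.rule}: {f.actor} -> {f.target}")
```

In a real deployment the same two rules would be expressed as a scheduled query over the `AuditLogs` table, but the point is the same: federation settings on a production domain change very rarely, and the synchronisation account should never initiate password resets, so both conditions can be alerted on with low noise.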

Embargo ransomware operates on a ransomware-as-a-service model, written in Rust and used by affiliates who breach company networks. Affiliates receive a share of the profits after deploying the ransomware. In August 2024, a successful attack on the American Radio Relay League resulted in a $1 million ransom payout. Another attack in May 2024 targeted Firstmac Limited, one of Australia’s largest mortgage firms, where 500GB of stolen data was leaked after failed negotiations.

Storm-0501’s evolving tactics signal a shift towards more complex and persistent cloud-targeted ransomware attacks, raising concerns for organisations operating in hybrid environments.
