Microsoft has warned that the ransomware group Storm-0501 has been observed stealing large volumes of data, deleting cloud backups and demanding ransoms, without relying on traditional malware deployment.
Storm-0501 is described as a “financially motivated” ransomware group, active since 2021. It was initially known for attacks targeting US school districts, before moving toward a Ransomware-as-a-Service model.
The threat actor, first detected by Microsoft last year, has been tracked targeting hybrid cloud environments and deploying on-premises endpoint ransomware. The group has targeted government, manufacturing, transportation, and law enforcement sectors in the U.S.
Microsoft has recently warned that the gang has now shifted its focus to cloud-based ransomware tactics.
In a recent report, the tech giant describes in detail the impact of an attack on a compromised cloud environment.
“Unlike traditional on-premises ransomware, where the threat actor typically deploys malware to encrypt critical files across endpoints within the compromised network and then negotiates for a decryption key, cloud-based ransomware introduces a fundamental shift,” the company said.
Why This Matters
Understanding how ransomware gangs are evolving attack methodologies is crucial to ensure networks are protected.
In its report, Microsoft outlines several steps that organizations can take to ensure their environments are protected from cloud-based ransomware, including bolstering protections for cloud identities and improving detection capabilities.
How The Attack Works
Storm-0501’s approach is a shift from traditional ransomware. Instead of deploying malware across endpoints to encrypt files, the group exploits cloud-native capabilities to rapidly exfiltrate data, destroy backups, and demand ransom.
Microsoft’s report outlines a typical attack chain, analyzing what happens after an attacker has already compromised a system by obtaining domain administrator privileges.
- On-premises foothold: The group initially compromises Active Directory environments, often targeting under-protected devices and servers. They use tools like Evil-WinRM and DCSync to extract credentials and move laterally.
- Pivot to cloud: Using compromised accounts, Storm-0501 targets Microsoft Entra ID (formerly Azure AD) to escalate privileges. Non-human synced accounts without multifactor authentication are particularly vulnerable.
- Cloud privilege escalation: The attackers gain Global Administrator access and exploit cloud identities to control Azure resources, often bypassing Conditional Access policies through careful lateral movement and device compromise.
- Data exfiltration and destruction: Using Azure tools like AzCopy, Storm-0501 steals data from cloud storage accounts. They then delete backups and other resources, sometimes encrypting remaining data to make recovery impossible.
- Extortion: Once the victim’s environment is compromised and critical data is inaccessible, the group contacts the organization, often through compromised internal channels like Microsoft Teams, to demand ransom.
How To Stay Protected
To protect on-premises systems, Microsoft advises that teams enable tamper protection to prevent attackers from stopping security services like Microsoft Defender for Endpoint.
Microsoft also recommends that teams follow the principle of least privilege, auditing privileged accounts in Microsoft Entra ID and Azure.
Conditional Access policies can limit access from untrusted IP addresses and enforce Multi-Factor Authentication (MFA), particularly for high-risk accounts.
Finally, general security hygiene can help slow or stop attacks.
Regularly monitoring cloud audit logs and implementing XDR enable organizations to detect suspicious logins, lateral movement, and attempts to elevate privileges or manipulate cloud resources.
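As an added illustration of the audit-log monitoring recommended above, the following Python script (written for this article, not code from Microsoft's report) triages a handful of constructed cloud audit events for the attack-chain steps described earlier: a privileged role landing on a synced or MFA-less identity, storage keys being listed ahead of bulk data access, and backups being deleted. The event schema, identities and resource names are invented; only the operation strings mirror real Azure and Entra operation names.

```python
"""Flag Storm-0501-style activity in constructed cloud audit events.
Schema is simplified (not Microsoft's exact log format); operation
strings mirror Azure/Entra operation names."""

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
DESTRUCTIVE_OPS = {"Microsoft.RecoveryServices/vaults/delete",
                   "Microsoft.Storage/storageAccounts/delete"}
KEY_EXPOSURE_OPS = {"Microsoft.Storage/storageAccounts/listKeys/action"}

# Constructed sample events (same-day HH:MM times); identities and resource names are invented.
SAMPLE_EVENTS = [
    {"time": "08:00", "actor": "svc-sync@corp.example", "operation": "Add member to role",
     "role": "Global Administrator", "target": "svc-sync@corp.example",
     "target_synced": True, "target_mfa": False},
    {"time": "08:04", "actor": "svc-sync@corp.example", "resource": "storage:data01",
     "operation": "Microsoft.Storage/storageAccounts/listKeys/action"},
    {"time": "08:09", "actor": "svc-sync@corp.example", "resource": "vault:prod-backup",
     "operation": "Microsoft.RecoveryServices/vaults/delete"},
    {"time": "09:00", "actor": "alice@corp.example", "operation": "Add member to role",
     "role": "Global Administrator", "target": "bob@corp.example",
     "target_synced": False, "target_mfa": True},
]


def triage(events):
    """Return (rule, identity, time) findings for a time-ordered event list."""
    findings = []
    for e in events:
        op = e["operation"]
        if op == "Add member to role" and e.get("role") in PRIVILEGED_ROLES:
            # Privileged role granted to a synced or MFA-less identity is the
            # pivot step above; an MFA-protected cloud-only admin is not flagged.
            if e["target_synced"] or not e["target_mfa"]:
                findings.append(("privileged_role_to_weak_identity", e["target"], e["time"]))
        if op in KEY_EXPOSURE_OPS:  # listed keys allow AzCopy-style bulk reads
            findings.append(("storage_keys_listed", e["actor"], e["time"]))
        if op in DESTRUCTIVE_OPS:   # backups or storage removed outright
            findings.append(("backup_or_storage_deleted", e["actor"], e["time"]))
    return findings


def escalation_then_destruction(findings):
    """Identities that gained privilege and later deleted backups or storage."""
    escalated, chained = {}, set()
    for rule, who, time in findings:
        if rule == "privileged_role_to_weak_identity":
            escalated.setdefault(who, time)
        elif rule == "backup_or_storage_deleted" and who in escalated and time > escalated[who]:
            chained.add(who)
    return sorted(chained)
```

Calling `triage(SAMPLE_EVENTS)` yields three findings for the synced service account and none for the MFA-protected admin, and `escalation_then_destruction` correlates them into a single identity worth an immediate response.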