Stratos Ally

Storm-0501 Shifts From File Encryption to Cloud-Based Sabotage 


StratosAlly


Microsoft has reported a significant shift in tactics by Storm-0501, a financially motivated threat group active since 2021. Previously associated with ransomware such as Sabbath, Storm-0501 now conducts cloud-native attacks that do not rely on traditional malware. The group steals data, deletes backups, and locks resources using the victims' own cloud services, then issues ransom demands.

The company’s researchers say this marks a turning point in the evolution of ransomware. Rather than unleashing an executable across infected endpoints, Storm-0501 now exploits built-in cloud features to gain control and apply pressure. “Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom, all without relying on traditional malware deployment,” Microsoft explained in its latest bulletin. 

The group, which previously worked with ransomware-as-a-service schemes involving Hive, BlackCat, Hunters International, LockBit, and Embargo, was already experimenting with hybrid cloud attacks by 2024. Microsoft described at the time how its operators pivoted from compromised Active Directory servers to Entra ID tenants, gradually escalating to global administrator privileges. 

In its most recent campaign, the intruders breached a large enterprise by exploiting outdated servers and poorly secured accounts. A directory synchronization account was used for reconnaissance, and through it the attackers identified a Global Administrator account that had no multifactor authentication registered. For lateral movement and credential dumping they relied on well-known tooling: Evil-WinRM, which gives remote PowerShell execution over WinRM, and DCSync, which abuses directory replication permissions to request password hashes from a domain controller over the Active Directory replication protocol as though the caller were another domain controller.

After resetting the account's password and registering an MFA method of their own, Storm-0501 held full Global Administrator access. To preserve that access they added an attacker-controlled federated domain to the tenant. A federated domain lets its owner mint Security Assertion Markup Language (SAML) tokens that the tenant accepts, so the attackers could impersonate victim users persistently and covertly even after passwords were changed. From there they escalated privileges across Azure subscriptions and went after recovery points, snapshots, and backup vaults.

Where deletion failed, the group created new Key Vaults and customer-managed keys and switched storage accounts to encrypt with those keys, rendering the data inaccessible to the victim. Ransom demands followed, sometimes delivered directly via compromised Microsoft Teams accounts.
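The chain above (password reset, attacker MFA registration, federated domain, subscription escalation, then deletion or re-encryption of recovery data) leaves a trail in the Entra ID audit log and the Azure activity log. The following is an added example, not code from Microsoft or Stratos Ally, of a rule-based triage that groups those records per actor and flags an actor that completes both the identity-takeover stage and the recovery-sabotage stage. The Entra activity names and Azure operation names used as keys are the display names those logs expose, but verify them against your own tenant before alerting on them; the record layout (flat dicts with `activity`, `operation`, `key_source`, `status` fields), the tenant `contoso.example`, and every record in `SAMPLE_EVENTS` are constructed for the example.

```python
"""Triage constructed Entra ID audit-log and Azure activity-log records for the
chain described above: account takeover, persistence via a federated domain,
subscription escalation, and destruction or re-encryption of recovery data.
Added example, not code from Microsoft or Stratos Ally; all records are constructed."""
from collections import defaultdict

# Stage "takeover": Entra ID audit-log activityDisplayName values.  Verify the
# exact strings against your own tenant's audit log before alerting on them.
TAKEOVER_SIGNALS = {
    "Reset user password": "password reset",
    "User registered security info": "new MFA method registered",
    "Set domain authentication": "domain switched to federated authentication",
    "Set federation settings on domain": "federation trust created or changed",
}

# Stages "escalation" and "sabotage": Azure activity-log operationName values
# (resource-provider operations) matching the campaign narrative.
AZURE_SIGNALS = {
    "Microsoft.Authorization/roleAssignments/write": ("escalation", "Azure RBAC role assigned"),
    "Microsoft.RecoveryServices/vaults/delete": ("sabotage", "Recovery Services vault deleted"),
    "Microsoft.Compute/snapshots/delete": ("sabotage", "disk snapshot deleted"),
    "Microsoft.Compute/restorePointCollections/delete": ("sabotage", "restore point collection deleted"),
    "Microsoft.KeyVault/vaults/write": ("sabotage", "Key Vault created or changed"),
    "Microsoft.Storage/storageAccounts/write": ("sabotage", "storage account switched to a customer-managed key"),
}


def classify(event):
    """Return (stage, description) for an interesting record, else None.

    Assumed record shape: flat dicts.  Entra records carry "activity"; Azure
    records carry "operation" and, for storage writes, "key_source", the
    flattened encryption.keySource property from the request body.
    """
    if event["source"] == "entra":
        desc = TAKEOVER_SIGNALS.get(event["activity"])
        return ("takeover", desc) if desc else None
    if event["source"] == "azure":
        hit = AZURE_SIGNALS.get(event["operation"])
        if hit is None:
            return None
        # A storage-account write only matters when it moves encryption to a
        # customer-managed key ("Microsoft.Keyvault"); platform-managed
        # ("Microsoft.Storage") writes are routine and are dropped.
        if (event["operation"] == "Microsoft.Storage/storageAccounts/write"
                and event.get("key_source") != "Microsoft.Keyvault"):
            return None
        return hit
    return None


def triage(events):
    """Group hits per actor; flag actors that both take over identity and hit recovery data.

    Failed operations count too: a blocked vault deletion followed by Key Vault
    activity is exactly the fallback described in the campaign.
    """
    per_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        hit = classify(ev)
        if hit:
            per_actor[ev["actor"]].append((ev["time"], hit[0], hit[1], ev.get("status", "Succeeded")))
    report = {}
    for actor, hits in per_actor.items():
        stages = {stage for _, stage, _, _ in hits}
        report[actor] = {"hits": hits, "full_chain": {"takeover", "sabotage"} <= stages}
    return report


# Constructed sample records (fictional tenant contoso.example); times are UTC ISO-8601.
SAMPLE_EVENTS = [
    {"source": "entra", "time": "2025-08-01T09:00:00Z", "actor": "ga-admin@contoso.example",
     "activity": "Reset user password"},
    {"source": "entra", "time": "2025-08-01T09:03:00Z", "actor": "ga-admin@contoso.example",
     "activity": "User registered security info"},
    {"source": "entra", "time": "2025-08-01T09:20:00Z", "actor": "ga-admin@contoso.example",
     "activity": "Set domain authentication", "target": "sso-contoso.example"},
    {"source": "entra", "time": "2025-08-01T10:00:00Z", "actor": "helpdesk@contoso.example",
     "activity": "Update user"},                                    # noise, not mapped
    {"source": "azure", "time": "2025-08-01T11:00:00Z", "actor": "ga-admin@contoso.example",
     "operation": "Microsoft.Authorization/roleAssignments/write"},
    {"source": "azure", "time": "2025-08-01T11:30:00Z", "actor": "ga-admin@contoso.example",
     "operation": "Microsoft.RecoveryServices/vaults/delete", "status": "Failed"},
    {"source": "azure", "time": "2025-08-01T11:40:00Z", "actor": "ga-admin@contoso.example",
     "operation": "Microsoft.KeyVault/vaults/write"},
    {"source": "azure", "time": "2025-08-01T11:45:00Z", "actor": "ga-admin@contoso.example",
     "operation": "Microsoft.Storage/storageAccounts/write", "key_source": "Microsoft.Keyvault"},
    {"source": "azure", "time": "2025-08-01T12:00:00Z", "actor": "backup-ops@contoso.example",
     "operation": "Microsoft.Compute/snapshots/delete"},           # routine cleanup, one stage only
    {"source": "azure", "time": "2025-08-01T12:05:00Z", "actor": "storage-ops@contoso.example",
     "operation": "Microsoft.Storage/storageAccounts/write", "key_source": "Microsoft.Storage"},
]


def run_sample():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for actor, result in run_sample().items():
        print(actor, "FULL CHAIN" if result["full_chain"] else "partial")
        for when, stage, desc, status in result["hits"]:
            print("  ", when, stage, desc, status)
```

Running the sample flags `ga-admin@contoso.example` as a full chain with seven hits, including the failed vault deletion that precedes the Key Vault and storage-account writes, while `backup-ops@contoso.example` (a lone snapshot deletion) stays partial and the platform-managed storage write is ignored. In production the same per-actor grouping should also key on the federated-domain addition alone, since that single event is already worth a page regardless of what follows.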

Microsoft has introduced additional safeguards in Entra ID and advised enterprises to strengthen identity protections, enforce multifactor authentication on every privileged account, and monitor privileged activity, including changes to federation settings and to backup and encryption resources. This campaign shows that ransomware is no longer limited to malicious software on local systems; it increasingly plays out inside the cloud infrastructure that organizations depend on for resilience.

