Cloud-Based Ransomware Intrusions Launched by Storm-0501

Storm-0501 exfiltrates large volumes of data, destroys data and backups and demands ransom, without relying on malware.

Threat operation Storm-0501 has completely adopted cloud-based ransomware tactics after formerly engaging in hybrid attacks.

According to analysis from Microsoft Threat Intelligence, as reported by Bleeping Computer, recent Storm-0501 intrusions involved the exploitation of Microsoft Defender vulnerabilities to breach several Active Directory domains and Entra tenants. Stolen Directory Synchronisation Accounts and a misconfigured Global Administrator account were used to facilitate enumeration activities and total admin takeovers.

After bolstering persistence via illicit federated domains, Storm-0501 proceeded to hijack the targeted Azure environment for data exfiltration, backup destruction, and subsequent extortion activities.

“Unlike traditional on-premises ransomware, where the threat actor typically deploys malware to encrypt critical files across endpoints within the compromised network and then negotiates for a decryption key, cloud-based ransomware introduces a fundamental shift,” said the report.

“Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom — all without relying on traditional malware deployment.”


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
