Threat Actor Storm-0501 Deploys Ransomware In Cloud Environments
Microsoft Threat Intelligence observes that a financially motivated cyber-threat actor, tracked as Storm-0501, has shifted its techniques to better exploit cloud environments. Previously known for hybrid on-premises attacks, the threat actor now prioritizes cloud-native ransomware strategies to speed up data theft, sabotage backups, and demand ransom without the need for traditional malware deployment.
Storm-0501 began targeting US school districts in 2021 using Sabbath ransomware. Over time, it targeted healthcare and other sectors, switching payloads, including Embargo ransomware in 2024. In September 2024, Microsoft documented Storm-0501's move into hybrid cloud environments. The group acquired domain administrator access via Active Directory compromise, escalated privileges in Microsoft Entra ID, and deployed on-premises ransomware or created backdoors in cloud identity configurations via malicious federated domains.
Security analysts note that Storm-0501 often scans for unmanaged devices and security gaps. Gaps in endpoint protection and hybrid cloud controls help it evade detection and gain elevated privileges across tenants.
Once vulnerable infrastructure was found, Storm-0501 infiltrated a large enterprise with multiple subsidiaries, each operating independent Active Directory domains unified by trust relationships. Threat actors discovered that only one of the connected Microsoft Azure tenants had Defender for Endpoint enabled. The attacker exploited visibility gaps across the network.
After attaining domain administrator access, the threat actor performed the following steps to secure persistence, remain undetected, and move laterally across the networked infrastructure:
- Checked for Defender for Endpoint using services like sc query sense and sc query windefend, avoiding detection on non-onboarded systems.
- Moved laterally using Evil-WinRM and executed reconnaissance via native Windows tools like quser.exe and net.exe.
- Used a DCSync attack to mimic a domain controller and extract password hashes from Active Directory.
Cloud Access via Entra ID Compromise
The attacker leveraged the Entra Connect Sync Directory Synchronization Account (DSA) to enumerate identities and resources in the connected Entra ID tenant. Tools like AzureHound assisted in this endeavor, enabling the mapping of permissions and resources.
Analysts discovered that initial authentication attempts using the stolen credentials failed because of Conditional Access policies and MFA. However, Storm-0501 quickly pivoted, compromised a second Entra Connect server linked to another tenant, and repeated its reconnaissance there.
At that point, the attacker identified a non-human synced identity assigned to the Global Administrator role in Entra ID. Unfortunately, that account had no MFA registered. The attacker reset its on-premises password and waited for the change to synchronize to the cloud.
After gaining access, they registered a new MFA method under their control, letting them bypass Conditional Access when logging in from a hybrid-joined device. Once Storm-0501 met the conditions of Conditional Access, the attacker accessed the Azure portal as Global Administrator, gaining complete control over the cloud domain.
With Global Admin privileges, Storm-0501 used AADInternals to register a malicious federated domain in the victim's Entra ID tenant. This domain established trust between their malicious tenant and the target, enabling them to craft SAML tokens to impersonate almost any user. This effectively creates a backdoor for the threat actor to exploit when necessary.
Once inside the Azure environment, the attacker elevated themselves via the Microsoft.Authorization/elevateAccess/action operation, becoming User Access Administrator across all subscriptions. They then assigned themselves the Owner role using Microsoft.Authorization/roleAssignments/write.
Storm-0501 mapped the Azure environment—identifying critical data stores and backup resources, along with existing protections like resource locks and immutability policies. The threat actor then abused Azure Storage's public access features to expose storage accounts to the internet. Using the Owner role, they extracted storage account keys and exfiltrated data via the AzCopy command-line tool.
To make matters worse, Storm-0501 initiated mass deletion of Azure storage accounts using Microsoft.Storage/storageAccounts/delete. Where protections blocked deletion, the attacker removed resource locks and immutability policies and tried again.
For accounts that remained protected, the attacker resorted to cloud-based encryption—creating a Key Vault with a customer-managed key, using Azure Encryption scopes to encrypt those storage accounts. After exfiltration and destruction, Storm-0501 demanded ransom, often contacting victims via Microsoft Teams using the compromised accounts.
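The Azure-side chain described above (elevateAccess, Owner assignment, key extraction, lock and immutability-policy removal, storage deletion) can be correlated per caller from Azure Activity Log records. The following detection is an added example, not code from the write-up or from Microsoft; it assumes a simplified record shape (caller, operationName, eventTimestamp) and constructed sample entries, and the operation names beyond the two quoted in the article are standard ARM operation names used here as assumptions.

```python
from datetime import datetime, timedelta

# ARM operation names mapped to the intrusion stage they mark. The first two are quoted in the
# write-up; the rest are the ARM operations for the actions it describes (assumption).
STAGES = {
    "Microsoft.Authorization/elevateAccess/action": "elevate",
    "Microsoft.Authorization/roleAssignments/write": "assign_role",
    "Microsoft.Storage/storageAccounts/listKeys/action": "list_keys",
    "Microsoft.Authorization/locks/delete": "remove_lock",
    "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete": "remove_immutability",
    "Microsoft.Storage/storageAccounts/delete": "delete_storage",
}
DESTRUCTIVE = {"remove_lock", "remove_immutability", "delete_storage"}

# Constructed sample Activity Log records (not real telemetry), simplified to the fields used here.
SAMPLE_LOG = [
    {"caller": "ga-sync@contoso.example", "operationName": "Microsoft.Authorization/elevateAccess/action", "eventTimestamp": "2025-01-10T02:00:00Z"},
    {"caller": "ga-sync@contoso.example", "operationName": "Microsoft.Authorization/roleAssignments/write", "eventTimestamp": "2025-01-10T02:03:00Z"},
    {"caller": "ga-sync@contoso.example", "operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "eventTimestamp": "2025-01-10T02:40:00Z"},
    {"caller": "ga-sync@contoso.example", "operationName": "Microsoft.Authorization/locks/delete", "eventTimestamp": "2025-01-10T03:10:00Z"},
    {"caller": "ga-sync@contoso.example", "operationName": "Microsoft.Storage/storageAccounts/delete", "eventTimestamp": "2025-01-10T03:12:00Z"},
    # A routine delete by an ordinary admin with no preceding elevateAccess: should not fire.
    {"caller": "ops@contoso.example", "operationName": "Microsoft.Storage/storageAccounts/delete", "eventTimestamp": "2025-01-10T09:00:00Z"},
    {"caller": "ops@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/start/action", "eventTimestamp": "2025-01-10T09:05:00Z"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_escalation_chains(records, window=timedelta(hours=24)):
    """Return {caller: [stage, ...]} for every caller that invoked elevateAccess and then
    performed a destructive storage operation within `window` of that elevation."""
    by_caller = {}
    for r in sorted(records, key=lambda r: _ts(r["eventTimestamp"])):
        stage = STAGES.get(r["operationName"])
        if stage:
            by_caller.setdefault(r["caller"], []).append((_ts(r["eventTimestamp"]), stage))
    hits = {}
    for caller, events in by_caller.items():
        elevations = [t for t, s in events if s == "elevate"]
        if not elevations:
            continue  # destructive ops without a prior elevation are left to normal change review
        t0 = elevations[0]
        chain = [s for t, s in events if t0 <= t <= t0 + window]
        if DESTRUCTIVE & set(chain):
            hits[caller] = chain
    return hits

if __name__ == "__main__":
    for caller, chain in find_escalation_chains(SAMPLE_LOG).items():
        print(f"ALERT {caller}: {' -> '.join(chain)}")
```

In production the same logic would run over exported Activity Log JSON, where operationName is nested under operationName.value and the caller field may carry an object ID rather than a UPN.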
Storm-0501 exemplifies the evolution of ransomware, from encryption-focused attacks to strategic cloud-based extortion relying on identity and privilege escalation across environments. This evolution is seemingly driven by a move from endpoint malware to exploiting cloud-native features. This depends on the victim having a fragmented infrastructure or incomplete security in hybrid cloud setups, which creates critical gaps.
Threat actors employing these techniques rely heavily on weaknesses in the victim's Active Directory security. Maintaining and monitoring Active Directory is therefore critical for network defenders protecting their assets. As Storm-0501 has shown, threat actors can quickly exfiltrate and delete data to prevent easy recovery.
Karolis Liucveikis