Storm-0501 is shifting from traditional endpoint-based attacks to cloud-native ransomware that exfiltrates large volumes of data, destroys primary data and backups, and rapidly demands ransom without deploying conventional malware. The group expanded operations from on-premises into hybrid cloud environments and compromises Active Directory domains before pivoting to Microsoft Entra ID to escalate privileges on hybrid and cloud identities to gain global administrator rights. Storm-0501 hunts for unmanaged devices and security gaps in hybrid clouds to evade detection, checks for Defender for Endpoint coverage to find visibility gaps, and uses tools like Evil-WinRM to enable lateral movement.
The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware. The tech giant's analysis shows that, by leveraging cloud-native capabilities, Storm-0501 exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom, all at speed and without relying on traditional malware deployment. This time last year, Microsoft warned that Storm-0501 had extended its on-premises ransomware operations into hybrid cloud environments.
How Storm-0501 operates

Microsoft gives the example of one recent campaign in which Storm-0501 compromised a large enterprise composed of multiple subsidiaries. Each operated its own Active Directory domain, all interconnected through domain trust relationships that enabled cross-domain authentication and resource access. However, only one tenant had Microsoft Defender for Endpoint deployed, and devices from multiple Active Directory domains were onboarded to this single tenant's license, creating visibility gaps across the environment.
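The two conditions the report singles out, devices in several AD domains that never made it onto the Defender for Endpoint tenant, and hybrid (on-premises-synced) identities that hold Global Administrator in Entra ID, are both things a defender can enumerate before an intruder does. The script below is an added example written for this page, not code from Microsoft or from the report; the device and identity inventories are constructed sample data, and the field names (hostname, domain, on_prem_synced, role) are assumptions standing in for whatever export a real tenant produces.

```python
"""Hybrid-tenant posture checks (added example; not from the Microsoft report).

Check 1: Defender for Endpoint coverage gaps per AD domain.
Check 2: on-premises-synced accounts holding a privileged Entra ID role.

All inventories below are constructed sample data; the field names are
assumptions for illustration, not a real export format.
"""
from collections import defaultdict

# Constructed: AD-joined devices across a parent domain and two subsidiaries.
DEVICE_INVENTORY = [
    {"hostname": "dc01", "domain": "corp.example"},
    {"hostname": "fs01", "domain": "corp.example"},
    {"hostname": "ws-117", "domain": "corp.example"},
    {"hostname": "dc01", "domain": "sub-a.example"},
    {"hostname": "app02", "domain": "sub-a.example"},
    {"hostname": "dc01", "domain": "sub-b.example"},
    {"hostname": "jump01", "domain": "sub-b.example"},
]

# Constructed: device FQDNs reported as onboarded to the single MDE tenant.
MDE_ONBOARDED = {
    "dc01.corp.example", "fs01.corp.example",
    "ws-117.corp.example", "dc01.sub-a.example",
}


def fqdn(device):
    """Build a lower-cased FQDN from a device record."""
    return f"{device['hostname']}.{device['domain']}".lower()


def mde_coverage_gaps(inventory, onboarded):
    """Return {domain: {"total": n, "missing": [fqdn, ...]}}.

    A device is a visibility gap when its FQDN is absent from the
    set of onboarded device names.
    """
    onboarded = {name.lower() for name in onboarded}
    per_domain = defaultdict(lambda: {"total": 0, "missing": []})
    for dev in inventory:
        entry = per_domain[dev["domain"]]
        entry["total"] += 1
        name = fqdn(dev)
        if name not in onboarded:
            entry["missing"].append(name)
    for entry in per_domain.values():
        entry["missing"].sort()
    return dict(per_domain)


def domains_below_threshold(gaps, min_coverage=0.9):
    """Domains whose onboarded fraction is below min_coverage (sorted)."""
    out = []
    for domain, entry in sorted(gaps.items()):
        covered = entry["total"] - len(entry["missing"])
        if entry["total"] and covered / entry["total"] < min_coverage:
            out.append(domain)
    return out


# Constructed: Entra ID users (sync flag) and directory role assignments.
ENTRA_USERS = [
    {"upn": "alice@example.com", "on_prem_synced": True},
    {"upn": "breakglass@example.com", "on_prem_synced": False},
    {"upn": "svc-sync@example.com", "on_prem_synced": True},
    {"upn": "carol@example.com", "on_prem_synced": False},
]
ROLE_ASSIGNMENTS = [
    {"upn": "alice@example.com", "role": "Global Administrator"},
    {"upn": "breakglass@example.com", "role": "Global Administrator"},
    {"upn": "svc-sync@example.com", "role": "Directory Synchronization Accounts"},
    {"upn": "carol@example.com", "role": "Security Reader"},
]


def synced_accounts_with_role(users, assignments, role="Global Administrator"):
    """UPNs of on-premises-synced accounts that hold `role` in Entra ID.

    Such accounts let an attacker who owns the AD domain inherit the
    cloud privilege; privileged roles should live on cloud-only identities.
    """
    synced = {u["upn"].lower() for u in users if u["on_prem_synced"]}
    holders = {a["upn"].lower() for a in assignments if a["role"] == role}
    return sorted(synced & holders)


if __name__ == "__main__":
    gaps = mde_coverage_gaps(DEVICE_INVENTORY, MDE_ONBOARDED)
    for domain, entry in sorted(gaps.items()):
        print(f"{domain}: {entry['total'] - len(entry['missing'])}/{entry['total']} onboarded; "
              f"missing={entry['missing']}")
    print("domains under 90% coverage:", domains_below_threshold(gaps))
    print("synced Global Administrators:",
          synced_accounts_with_role(ENTRA_USERS, ROLE_ASSIGNMENTS))
```

On the sample data the parent domain is fully covered while both subsidiaries fall below the threshold, and one synced account holds Global Administrator; in a real tenant the inventories would come from AD and the Defender/Entra portals or their APIs rather than from the constructed lists above.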