Storm-0501 refines tactics to exploit hybrid cloud environments by rapidly exfiltrating large data volumes, destroying backups, and demanding ransom without deploying conventional malware. The group targets sectors including government, manufacturing, transportation, and law enforcement in the U.S. Active since 2021, the group evolved into a ransomware-as-a-service affiliate using multiple ransomware families such as Sabbath, Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo. Attackers abuse initial access to escalate privileges to domain administrators, perform on-premises lateral movement and reconnaissance, hunt for unmanaged devices and cloud security gaps, and sometimes traverse tenants in multi-tenant setups.
"Unlike traditional on-premises ransomware, where the threat actor typically deploys malware to encrypt critical files across endpoints within the compromised network and then negotiates for a decryption key, cloud-based ransomware introduces a fundamental shift," the Microsoft Threat Intelligence team said in a report shared with The Hacker News. "Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom -- all without relying on traditional malware deployment."
Storm-0501 was first documented by Microsoft almost a year ago, in a report detailing its hybrid cloud ransomware attacks targeting government, manufacturing, transportation, and law enforcement sectors in the U.S., with the threat actors pivoting from on-premises to the cloud for subsequent data exfiltration, credential theft, and ransomware deployment. Assessed to be active since 2021, the hacking group has evolved into a ransomware-as-a-service (RaaS) affiliate that has delivered various ransomware payloads over the years, such as Sabbath, Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo.