Full Report
Microsoft warns that a threat actor tracked as Storm-0501 has evolved its operations, shifting away from encrypting devices with ransomware to focusing on cloud-based encryption, data theft, and extortion. [...]
Analysis Summary
# Threat Actor: Storm-0501
## Attribution & Identity
Storm-0501 is a threat actor active since at least 2021. The actor has historically been associated with deploying the Sabbath ransomware. Over time, Storm-0501 has leveraged various Ransomware-as-a-Service (RaaS) platforms, utilizing encryptors from Hive, BlackCat (ALPHV), Hunters International, LockBit, and, more recently, Embargo ransomware.
## Activity Summary
Storm-0501 was initially known for encrypting devices using traditional ransomware (like Sabbath). In September 2024, Microsoft observed them extending operations into hybrid cloud environments, pivoting from Active Directory compromise to Entra ID tenants, sometimes deploying Embargo ransomware on-premises. The most recent evolution involves shifting entirely away from on-premises encryption to focus on **cloud-based ransomware** tactics, which involve:
1. Exfiltrating large volumes of data from cloud storage.
2. Destroying data and backups within the victim environment.
3. Applying extortion demands without deploying traditional crypto-malware on endpoints.
4. Encrypting data using customer-managed keys in newly created Key Vaults if data destruction fails.
## Tactics, Techniques & Procedures
- Compromising multiple Active Directory domains and Entra tenants by exploiting deployment gaps in Microsoft Defender.
- Using stolen Directory Synchronization Accounts (DSAs) to enumerate users, roles, and Azure resources.
- Utilizing tools like **AzureHound** for enumeration.
- Discovering Global Administrator accounts that are not protected by MFA, resetting their passwords, and gaining full administrative control.
- Establishing persistence by adding malicious federated domains under their control to impersonate users and bypass MFA.
- Escalating privileges in Azure by abusing the `Microsoft.Authorization/elevateAccess/action` operation to assign themselves **Owner roles**.
- Disabling security defenses within the cloud environment.
- Stealing sensitive data from Azure Storage accounts.
- Attempting to destroy storage snapshots, restore points, and Recovery Services vaults.
- Utilizing cloud-based encryption via new Key Vaults and customer-managed keys to lock data.
- Delivering ransom demands via **Microsoft Teams** using compromised accounts.
## Targeting
- **Sectors:** Not explicitly defined beyond organizations utilizing cloud environments (Azure/Entra ID).
- **Geography:** Worldwide ("against organizations worldwide").
- **Victims:** Organizations operating hybrid or cloud environments leveraging Azure/Entra ID.
## Tools & Infrastructure
- **Malware families used:** Sabbath ransomware (historically) and Embargo ransomware (more recently); the current cloud-based campaign relies on cloud-native tools and features rather than an encryptor.
- **Tools Used:** AzureHound.
- **Infrastructure:**
  - Malicious federated domains (used for persistence and MFA bypass).
  - Azure Key Vaults (used for implementing cloud-based encryption).
- **Communication:** Microsoft Teams.
## Implications
Storm-0501 represents a rapidly adapting threat actor moving toward sophisticated "living off the land" techniques within the cloud. This shift makes detection significantly harder than traditional endpoint ransomware, as they leverage legitimate cloud functions for data destruction and extortion. The ability to seize Owner roles and deploy customer-managed encryption keys provides near-complete control over victim cloud assets.
## Mitigations
- Ensure all Global Administrator accounts within Entra ID are protected by **Multifactor Authentication (MFA)**.
- Limit and monitor the use of the `Microsoft.Authorization/elevateAccess/action` operation.
- Implement robust monitoring for the creation of new **Azure Key Vaults** and unexpected configuration changes to data storage services.
- Maintain and secure backups outside of immediately accessible recovery services vaults to thwart complete data destruction attempts.
- Harden configurations related to **federated domains** and identity federation.
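The TTP list and the mitigations above both point at the same control-plane events: a tenant-root elevation, a root-scope role assignment, creation of a new Key Vault, and deletion of Recovery Services vaults, snapshots and restore points. The following is an added example, not code from the Microsoft report, showing how a defender could triage exported Azure Activity Log (Administrative category) records for that sequence. The sample records are constructed and simplified; the operation names are standard Azure Resource Manager operations, while the severity labels, the assumption that a root-scope role assignment has a `resourceId` beginning with `/providers/Microsoft.Authorization/roleAssignments/`, and the chain rule (elevation followed by Key Vault creation or backup destruction by the same caller) are this example's own choices.

```python
"""Triage Azure Activity Log records for Storm-0501-style cloud TTPs.

Added example (not from the report). Records follow the simplified shape of
Azure Activity Log Administrative events as exported to JSON; SAMPLE_EVENTS
below are constructed for illustration, not real telemetry.
"""
from collections import defaultdict

# ARM operation names that correspond to behaviours described in the report.
# Severity and label strings are this example's own convention (assumption).
WATCHED_OPERATIONS = {
    "Microsoft.Authorization/elevateAccess/action":
        ("critical", "tenant-root elevation (Global Administrator -> root scope)"),
    "Microsoft.Authorization/roleAssignments/write":
        ("high", "role assignment written"),
    "Microsoft.KeyVault/vaults/write":
        ("high", "Key Vault created or modified"),
    "Microsoft.RecoveryServices/vaults/delete":
        ("critical", "Recovery Services vault deleted"),
    "Microsoft.Compute/snapshots/delete":
        ("high", "disk snapshot deleted"),
    "Microsoft.Compute/restorePointCollections/delete":
        ("high", "restore point collection deleted"),
}

# Operations that, after an elevation by the same caller, complete the
# destroy-then-encrypt pattern described in the report.
CHAIN_OPERATIONS = {
    "Microsoft.KeyVault/vaults/write",
    "Microsoft.RecoveryServices/vaults/delete",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/restorePointCollections/delete",
}

ROOT_ROLE_ASSIGNMENT_PREFIX = "/providers/Microsoft.Authorization/roleAssignments/"  # assumption


def classify_event(event):
    """Return (severity, label) for one activity-log record, or None if benign."""
    op = event.get("operationName", {}).get("value", "")
    status = event.get("status", {}).get("value", "")
    if status != "Succeeded":  # failed attempts are excluded to keep the chain rule strict
        return None
    hit = WATCHED_OPERATIONS.get(op)
    if hit is None:
        return None
    severity, label = hit
    # A role assignment whose resourceId has no /subscriptions/ prefix sits at the
    # tenant root scope, which is exactly what elevateAccess makes possible.
    if op == "Microsoft.Authorization/roleAssignments/write" and \
            event.get("resourceId", "").startswith(ROOT_ROLE_ASSIGNMENT_PREFIX):
        severity, label = "critical", "role assignment at tenant root scope"
    return severity, label


def triage(events):
    """Group successful watched operations by caller, ordered by timestamp."""
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTimestamp"]):
        hit = classify_event(ev)
        if hit is not None:
            findings[ev["caller"]].append(
                (ev["eventTimestamp"], ev["operationName"]["value"], hit[0], hit[1]))
    return dict(findings)


def callers_with_elevation_chain(events):
    """Callers who elevated to root and later created a Key Vault or destroyed backups."""
    flagged = []
    for caller, items in triage(events).items():
        elevated = False
        for _ts, op, _sev, _label in items:
            if op == "Microsoft.Authorization/elevateAccess/action":
                elevated = True
            elif elevated and op in CHAIN_OPERATIONS:
                flagged.append(caller)
                break
    return sorted(flagged)


def _ev(ts, caller, op, status="Succeeded", resource_id=""):
    """Build a constructed, simplified Activity Log record."""
    return {"eventTimestamp": ts, "caller": caller, "category": {"value": "Administrative"},
            "operationName": {"value": op}, "status": {"value": status},
            "resourceId": resource_id}


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id
SAMPLE_EVENTS = [  # constructed sample data
    _ev("2025-01-10T08:02:11Z", "ga-admin@contoso.example",
        "Microsoft.Authorization/elevateAccess/action",
        resource_id="/providers/Microsoft.Authorization/elevateAccess"),
    _ev("2025-01-10T08:03:40Z", "ga-admin@contoso.example",
        "Microsoft.Authorization/roleAssignments/write",
        resource_id=ROOT_ROLE_ASSIGNMENT_PREFIX + "11111111-1111-1111-1111-111111111111"),
    _ev("2025-01-10T08:20:05Z", "ga-admin@contoso.example",
        "Microsoft.RecoveryServices/vaults/delete",
        resource_id=SUB + "/resourceGroups/rg-backup/providers/Microsoft.RecoveryServices/vaults/rsv-prod"),
    _ev("2025-01-10T08:31:52Z", "ga-admin@contoso.example",
        "Microsoft.KeyVault/vaults/write",
        resource_id=SUB + "/resourceGroups/rg-new/providers/Microsoft.KeyVault/vaults/kv-x9"),
    _ev("2025-01-10T07:55:00Z", "backup-ops@contoso.example",
        "Microsoft.Compute/virtualMachines/write",
        resource_id=SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"),
    _ev("2025-01-10T09:10:00Z", "backup-ops@contoso.example",
        "Microsoft.Compute/snapshots/delete", status="Failed",
        resource_id=SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/snapshots/snap1"),
]

if __name__ == "__main__":
    for caller, items in triage(SAMPLE_EVENTS).items():
        for ts, op, sev, label in items:
            print(f"{ts} {sev:8} {caller}: {label} ({op})")
    print("elevation chain:", callers_with_elevation_chain(SAMPLE_EVENTS))
```

In production the same logic is more naturally expressed as a KQL query over the `AzureActivity` table, with the Entra ID audit log (federated domain changes, Global Administrator password resets) joined in; the Python form is used here so the rule can be exercised offline against the constructed records.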