{"id":4559,"date":"2025-08-27T16:00:00","date_gmt":"2025-08-27T16:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4559"},"modified":"2025-08-27T16:00:00","modified_gmt":"2025-08-27T16:00:00","slug":"storm-0501-debuts-a-brutal-hybrid-ransomware-attack-chain","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4559","title":{"rendered":"Storm-0501 debuts a brutal hybrid ransomware attack chain"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Microsoft Threat Intelligence today released <a href=\"https:\/\/aka.ms\/Storm-0501-cloud-based-ransomware\">a report<\/a> on the financially motivated group Storm-0501, warning that the threat actor has sharpened its ransomware tactics by exploiting hijacked privileged accounts to move seamlessly between on-premises and cloud environments, exploiting visibility gaps to encrypt data and carry out mass deletions of cloud resources, including backups.<\/p>\n<p>\u201cThey\u2019re not just encrypting the data; they\u2019re deleting backups so that you can\u2019t say, \u2018Oh, that\u2019s fine, we\u2019ll recover from this, we\u2019re not going to pay a ransom,\u2019\u201d <a href=\"https:\/\/www.linkedin.com\/in\/sherroddegrippo\/\">Sherrod DiGrippo<\/a>, director of threat intelligence strategy at Microsoft, tells CSO. 
\u201cIt\u2019s a truly brutal ransomware attack chain to play.\u201d<\/p>\n<p>Given how this starkly intrusive approach ups the extortion ante, CISOs are well-advised to review and restrict the number of privileged accounts they have, revisit their ransomware playbooks, and reexamine whether their on-premises assets should be moved to the cloud.<\/p>\n<h2 class=\"wp-block-heading\">How the attack chain works<\/h2>\n<p>Microsoft recounts a recent campaign in which Storm-0501 compromised a large enterprise composed of multiple subsidiaries, each operating its own Active Directory domain. All the domains are interconnected through domain trust relationships, enabling cross-domain authentication and resource access.<\/p>\n<p>Only one of these tenants had Microsoft Defender for Endpoint deployed. Devices from multiple Active Directory domains were onboarded to this single tenant\u2019s license, which created visibility gaps across the environment. Microsoft notes that the threat actor checked for the presence of Defender for Endpoint services, suggesting a deliberate effort to avoid detection by targeting non-onboarded systems.<\/p>\n<p>Storm-0501 then moved laterally across the on-premises environment using Evil-WinRM, a post-exploitation tool that uses PowerShell over Windows Remote Management (WinRM) for remote code execution. The group then performed a DCSync attack, a technique that abuses the Directory Replication Service (DRS) Remote Protocol to simulate the behavior of a domain controller, which gave it the ability to request password hashes for any user in the domain, including privileged accounts.<\/p>\n<p>Although Storm-0501 had valid credentials, it didn\u2019t have the necessary second MFA factors, nor was it able to satisfy policy conditions. 
It could, however, leverage on-premises control to pivot across Active Directory domains and find a <a href=\"https:\/\/www.csoonline.com\/article\/3828216\/understanding-owasps-top-10-list-of-non-human-identity-critical-risks.html\">non-human synced global admin identity<\/a> that lacked MFA. Resetting that user\u2019s on-premises password let the group sign in to the Azure portal as a global admin account and achieve complete control over the domain while establishing a persistence mechanism.<\/p>\n<p>Microsoft says Storm-0501 created a backdoor using a maliciously added federated domain, enabling it to sign in as almost any user, map out the entire environment, and understand its protections. The threat actor then targeted the organization\u2019s Azure Storage accounts, exfiltrating data to its own infrastructure.<\/p>\n<p>After exfiltrating all the data, the group mass-deleted Azure resources, including backups. For data that could not be deleted because of Azure resource locks and Azure Storage immutability policies, the threat actor instead encrypted everything remaining in the cloud and began the extortion phase, contacting the victims using the Microsoft Teams account of one of the previously compromised users.<\/p>\n<h2 class=\"wp-block-heading\">A holistic approach to put organizations under pressure<\/h2>\n<p>Microsoft\u2019s DiGrippo emphasizes that the unique aspect of this new method is that it leverages hybrid environments that have both on-prem and cloud assets. \u201cThey put you in a situation where you\u2019re under a significant amount of pressure because they\u2019ve escalated privileges for themselves on both your on-prem and your cloud environment, and then they\u2019re destroying your backups, encrypting what data is left, and telling you essentially, you can\u2019t recover from this,\u201d she says. 
\u201cYou\u2019ll need to pay this ransom or you\u2019re shut down permanently.\u201d<\/p>\n<p>On-premises equipment is the key to Storm-0501 pulling off this attack chain. \u201cWhen the threat actor can get into those because they\u2019re vulnerable, pivot into the cloud, the threat actor really now has the keys to the kingdom,\u201d DiGrippo says.<\/p>\n<p>\u201cThis is not what we traditionally see with most threat actors,\u201d DiGrippo emphasizes. \u201cThey\u2019re getting into the cloud environment, they\u2019re getting into the on-prem environment, they\u2019re deleting the backups, they\u2019re going through those user accounts, finding additional user accounts that they can then breach and obtain persistent access within the environment. It\u2019s a multipronged attack that puts the organization in almost a no-win situation.\u201d<\/p>\n<h2 class=\"wp-block-heading\">What CISOs should do<\/h2>\n<p>DiGrippo says that because Storm-0501 exploits overly privileged accounts, using least privilege access is \u201csuper important\u201d for CISOs in helping ward off this attack.<\/p>\n<p>She also thinks CISOs should know what their ransomware playbook is, understand under what circumstances they would pay a ransom, who is authorized to make that decision and who must be involved, and run those playbooks as practice multiple times a year.<\/p>\n<p>Finally, security leaders should consider \u201cdoing a full audit of your on-prem environments and understanding what that risk really presents to your organization,\u201d DiGrippo says. \u201cAs cloud transformations have been completed over the last several years, a lot of organizations just sort of said, \u2018Oh, these are our on-prem, we can\u2019t move that, it\u2019s super-legacy.\u2019\u201d<\/p>\n<p>\u201cNow is the time to really understand what you should be moving to the cloud and what you should be hardening,\u201d DiGrippo warns. 
\u201cThe biggest lesson for me is that these hybrid environments are incredibly vulnerable and incredibly important.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Microsoft Threat Intelligence today released a report on the financially motivated group Storm-0501, warning that the threat actor has sharpened its ransomware tactics by exploiting hijacked privileged accounts to move seamlessly between on-premises and cloud environments, exploiting visibility gaps to encrypt data and carry out mass deletions of cloud resources, including backups. \u201cThey\u2019re not just [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4560,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4559","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4559"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4559"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4559\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4560"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4559"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4559"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/c
ybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4559"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}