A threat actor has destroyed data and backups following exfiltration in a victim’s Microsoft Azure environment in a novel cloud-based ransomware attack.

Microsoft Threat Intelligence detailed the tactics of the actor it tracks as Storm-0501 in a blog published on August 27. By destroying both the data and the backups after exfiltrating them, the threat actor left the victim with no way to remediate by restoring from backup.

The group leveraged native cloud features and capabilities to rapidly exfiltrate large amounts of data from the victim environment to its own infrastructure. This enabled it to carry out an effective ransomware attack without deploying a traditional ransomware binary on-premises.

Storm-0501 is a financially motivated threat actor that has adapted its tactics on multiple occasions since it first emerged in 2021. This includes switching ransomware payloads several times, among them Embargo ransomware in 2024 attacks.

The group’s targeting is opportunistic and its victims include schools and healthcare organizations.

Microsoft previously reported in September 2024 that Storm-0501 had extended its on-premises ransomware operations into hybrid cloud environments.

Sherrod DeGrippo, director of Microsoft threat intelligence strategy, told Infosecurity that the campaign marks a significant evolution in ransomware techniques.

“We have previously seen threat actors targeting hybrid on-prem and cloud environments. In the case of Storm-0501, the threat actor is exfiltrating data, deleting backups, and encrypting data before demanding ransom. This, combined with the threat actor’s focus on obtaining persistent access, shows a significant evolution for the ransomware landscape as a whole,” she commented.

“This technique is likely to be adopted by other threat actors on a broader basis,” DeGrippo added.

Storm-0501 Pivots to the Cloud

In the recent campaign, Storm-0501 compromised a large enterprise composed of multiple subsidiaries, each operating its own Active Directory domain.

Post-compromise activity affected two Entra ID tenants; the second of these ultimately gave the actor access to the organization’s valuable data stores in Azure.

In both tenants the attackers worked to pivot from the on-premises Active Directory environment into the cloud.

The attacker first obtained domain administrator privileges in the Active Directory domain behind the first tenant, deploying the post-exploitation tool Evil-WinRM (a WinRM-based remote shell) for lateral movement.

The threat actor also compromised an Entra Connect Sync server, which served as a pivot point for lateral movement.

Additionally, Storm-0501 performed a DCSync attack, a technique that abuses the Directory Replication Service (DRS) Remote Protocol to mimic a domain controller requesting replication. Because domain controllers replicate credential material to each other by design, a principal holding the replication rights can request the password hashes of any account in the domain, including privileged accounts, without ever touching the domain controllers’ disks.

The Entra Connect Sync Directory Synchronization Account (DSA), which holds broad directory read and write rights in Entra ID by design, was then used to enumerate users, roles and Azure resources within the tenant.
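The two steps above are worth pairing in detection, because the Entra Connect sync account legitimately performs the same replication a DCSync relies on, so it ends up on the allow-list of a naive DCSync rule and a stolen DSA becomes invisible to it. The following script is an added example (not code from Microsoft’s report) that runs two checks over constructed, simplified Windows Security events: event 4662 replication requests from any principal other than a domain controller or the sync account, and event 4624 logons of the sync account from any host other than the Entra Connect server. The log format, the DC names, the sync account name and the IP addresses are all assumptions made for the example; the replication-right GUIDs are the real Active Directory values.

```python
"""Flag DCSync-style replication requests and misuse of the Entra Connect
Directory Synchronization Account (DSA) in Windows Security events.

Added example: the key=value log format and every host, account and IP
value below are constructed for illustration, not taken from the report."""
import re
from dataclasses import dataclass

# Control-access-right GUIDs a replication (DCSync) request needs.
# These are the real Active Directory schema values.
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # required to pull secrets
REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = frozenset({REPL_GET_CHANGES, REPL_GET_CHANGES_ALL,
                                REPL_GET_CHANGES_FILTERED})

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Assumed environment (hypothetical): DC computer accounts, the Entra Connect
# sync account (Microsoft names these MSOL_<hex>) and the Entra Connect host IP.
DC_ACCOUNTS = {"DC01$", "DC02$"}
SYNC_ACCOUNT = "MSOL_3f8a2b1c9d0e"
ENTRA_CONNECT_IP = "10.0.0.20"

# Constructed sample events. 4662 = "An operation was performed on an object"
# (Properties lists the rights requested); 4624 = successful logon.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC02$ Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=MSOL_3f8a2b1c9d0e Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=svc_backup Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe Properties={bf967a86-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624 TargetUserName=MSOL_3f8a2b1c9d0e IpAddress=10.0.0.20 LogonType=3",
    "EventID=4624 TargetUserName=MSOL_3f8a2b1c9d0e IpAddress=10.0.0.55 LogonType=3",
    "EventID=4624 TargetUserName=jdoe IpAddress=10.0.0.55 LogonType=3",
]


@dataclass(frozen=True)
class Finding:
    account: str
    detail: str


def parse_event(line: str) -> dict:
    """Turn 'Key=Value Key=Value ...' into a dict (values carry no spaces here)."""
    return dict(token.split("=", 1) for token in line.split() if "=" in token)


def replication_rights(ev: dict) -> frozenset:
    """Replication-right GUIDs present in the event's Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
    return frozenset(guids & REPLICATION_RIGHTS)


def detect_dcsync(lines, dc_accounts=DC_ACCOUNTS, sync_account=SYNC_ACCOUNT):
    """4662 replication requests from anything that is not a DC or the DSA.
    DCs and the sync account replicate by design, so they form the baseline."""
    expected = {a.upper() for a in dc_accounts} | {sync_account.upper()}
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights(ev)
        if not rights:
            continue
        account = ev.get("SubjectUserName", "")
        if account.upper() in expected:
            continue
        # Get-Changes-All is what actually returns password hashes.
        scope = "secrets" if REPL_GET_CHANGES_ALL in rights else "metadata-only"
        findings.append(Finding(account, f"replication request ({scope})"))
    return findings


def detect_sync_account_misuse(lines, sync_account=SYNC_ACCOUNT,
                               connect_ip=ENTRA_CONNECT_IP):
    """The DSA is allow-listed above, so a stolen DSA never trips detect_dcsync.
    Catch it from the logon side: the sync account authenticating from any
    address other than the Entra Connect server."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        if ev.get("TargetUserName", "").upper() != sync_account.upper():
            continue
        src = ev.get("IpAddress", "")
        if src != connect_ip:
            findings.append(Finding(sync_account, f"sync account logon from {src}"))
    return findings


if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS) + detect_sync_account_misuse(SAMPLE_EVENTS):
        print(f)
```

Run against the sample, the first check flags jdoe (a secrets-scope request) and svc_backup (Get-Changes only, which cannot return hashes by itself but still signals replication rights on an ordinary account), and the second flags the MSOL_ account logging on from 10.0.0.55. In a real deployment the 4662 rule needs auditing of directory service access enabled on the domain controllers, and the sync account check should be run against Entra ID sign-in logs as well as on-premises 4624 events, since the DSA is used for cloud enumeration.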

Shortly after, Storm-0501 attempted to sign in as several privileged users and failed, most likely blocked by conditional access policies and multifactor authentication (MFA).

The actor then turned its attention to the second tenant. This began with traversal between Active Directory domains, eventually compromising a second Entra Connect server, this one associated with a different Entra ID tenant.

The threat actor extracted the credentials of that server’s Directory Synchronization Account and repeated the reconnaissance process, this time targeting identities and resources in the second tenant.