Ransomware Group Exploits Hybrid Cloud Gaps, Gains Full Azure Control in Enterprise Attacks


The financially motivated threat actor tracked as Storm-0501 has shifted its focus to targeting cloud environments for data theft and extortion, Microsoft warns.

Active since at least 2021, Storm-0501 is known for using various ransomware families in attacks against on-premises and hybrid cloud environments, including Sabbath, Alphv/BlackCat, Hive, Hunters International, LockBit, and Embargo.

Last year, the hacking group was seen compromising Active Directory environments, moving to Entra ID, escalating privileges to global administrator, implanting backdoors in Entra ID tenant configurations, and deploying on-premises ransomware for file encryption.

In a recent attack against a large enterprise, the threat actor used similar tactics: it compromised multiple Active Directory domains, performed reconnaissance to identify protected endpoints and evade detection, and moved laterally using the Evil-WinRM post-exploitation tool.

Storm-0501 then compromised an Entra Connect Sync server and impersonated the domain controller to request password hashes for domain users. It also enumerated users, roles, and ...
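The replication step above, in which a host other than a domain controller asks a domain controller for password hashes, is the point a defender would want to alert on. The Python below is an added example, not code from the article or from Microsoft's report: it flags replication requests whose identity or source host is not on an allow-list. Account names, hostnames and the telemetry records are constructed; the two replication GUIDs are the real Active Directory extended rights that govern replication, and the allow-list layout is an assumption.

```python
# Added example, not from the article: flag directory-replication requests
# (the DCSync-style step described above) coming from an identity or host that
# is not expected to replicate. Records and names below are constructed.

# Real AD extended-right GUIDs that authorise replication of directory data,
# including password hashes (the second right is the one that matters here).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Hypothetical allow-list: which identities may replicate, and from which hosts.
# Domain controllers replicate from each other; the Entra Connect Sync account
# legitimately holds replication rights, but only ever from the Connect Sync
# server itself, so a request from any other host is the signal to keep.
EXPECTED_REPLICATORS = {
    "DC01$": {"DC01", "DC02"},
    "DC02$": {"DC01", "DC02"},
    "MSOL_0123abcd": {"AADCONNECT01"},
}

# Constructed telemetry: one record per replication request, after the audit
# event has been correlated with the requesting host.
RECORDS = [
    {"account": "DC02$", "host": "DC02", "right": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"account": "MSOL_0123abcd", "host": "AADCONNECT01", "right": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
    {"account": "MSOL_0123abcd", "host": "WKS-FIN-17", "right": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"account": "svc_backup", "host": "FILE01", "right": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"account": "svc_backup", "host": "FILE01", "right": "00000000-0000-0000-0000-000000000000"},  # constructed non-replication right
]

def suspicious_replication(records, expected=EXPECTED_REPLICATORS):
    """Return (account, host, reason) for replication requests outside the allow-list."""
    findings = []
    for r in records:
        if r["right"].lower() not in REPLICATION_RIGHTS:
            continue  # not a replication right; ignore
        hosts = expected.get(r["account"])
        if hosts is None:
            findings.append((r["account"], r["host"], "identity not expected to replicate"))
        elif r["host"] not in hosts:
            findings.append((r["account"], r["host"], "expected identity from unexpected host"))
    return findings

if __name__ == "__main__":
    for finding in suspicious_replication(RECORDS):
        print(finding)
```

Windows audit event 4662 records the requested right but not the requesting host, so the host field has to come from correlating it with the matching logon event or from network telemetry.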


Copyright of this story belongs solely to SecurityWeek, where the full text is available.