Storm-0501: Ransomware


Overview

Storm-0501 is escalating hybrid cloud attacks by exploiting Microsoft Entra ID to steal data and delete Azure resources. Unlike traditional ransomware, it uses cloud-native methods for rapid exfiltration and extortion, affecting sectors from healthcare to education.

Technical Details

  • Initial Access: Gained via stolen/compromised credentials from access brokers (Storm-0249, Storm-0900) or exploitation of unpatched internet-facing servers (Zoho ManageEngine, Citrix NetScaler, Adobe ColdFusion).
  • Privilege Escalation: Leveraged compromised accounts to escalate to domain admin, then abused Directory Synchronization Accounts to gain Global Admin in Entra ID.
  • Lateral Movement: Used Evil-WinRM for movement across systems; executed DCSync attacks to extract credentials from Active Directory.
  • Persistence: Registered attacker-controlled Entra ID tenant as a trusted federated domain, creating a stealthy cloud backdoor.
  • Credential Access: Extracted sensitive ……
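Two of the techniques listed above leave distinctive traces that defenders can look for: a DCSync shows up as Windows Security event 4662 where a non-domain-controller principal exercises the DS-Replication-Get-Changes rights, and the federated-domain backdoor shows up in the Entra ID audit log as a federation-settings change on a domain the organisation never approved. The following triage script is an added example written for this page, not part of the advisory or of any Microsoft tooling; the sample events are constructed, the account names and domains are hypothetical, and the audit-log operation names are assumed (check them against your tenant's AuditLogs schema before relying on them).

```python
"""Triage constructed log events for two Storm-0501 techniques:
DCSync credential extraction (on-premises AD, event 4662) and
federated-domain persistence (Entra ID audit log)."""
import json

# Well-known control-access GUIDs a DCSync must exercise on the domain NC.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Entra ID audit operations that alter domain federation. These names are an
# assumption for this example; verify against your tenant's AuditLogs.
FEDERATION_OPERATIONS = {
    "Set domain authentication",
    "Set federation settings on domain",
}


def is_dcsync(event, allowed_replicators):
    """True when a 4662 event shows replication rights used by a principal that
    is neither a machine account (ends with '$') nor an approved replicator
    such as the Entra Connect sync account."""
    if event.get("EventID") != 4662:
        return False
    props = event.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_GUIDS):
        return False
    subject = event.get("SubjectUserName", "")
    if subject.endswith("$") or subject.lower() in allowed_replicators:
        return False
    return True


def is_federation_change(event, approved_domains):
    """True when federation settings are changed on a domain that is not on the
    approved list (the attacker-controlled tenant registered as trusted)."""
    if event.get("OperationName") not in FEDERATION_OPERATIONS:
        return False
    target = event.get("TargetDomain", "").lower()
    return target not in approved_domains


def triage(lines, allowed_replicators, approved_domains):
    """Return (technique, indicator) tuples for every suspicious JSON event."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if is_dcsync(ev, allowed_replicators):
            findings.append(("DCSYNC", ev["SubjectUserName"]))
        elif is_federation_change(ev, approved_domains):
            findings.append(("FEDERATION", ev["TargetDomain"]))
    return findings


# Constructed sample events (one JSON object per line); names are hypothetical.
SAMPLE_LOGS = [
    # Legitimate DC-to-DC replication: machine account, ignored.
    '{"EventID": 4662, "SubjectUserName": "DC02$", "Properties": "%%7688 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}',
    # Entra Connect sync account (password hash sync), allow-listed.
    '{"EventID": 4662, "SubjectUserName": "MSOL_a1b2c3d4", "Properties": "%%7688 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}',
    # Ordinary user account pulling replication data: DCSync indicator.
    '{"EventID": 4662, "SubjectUserName": "svc_backup", "Properties": "%%7688 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"}',
    # 4662 on an unrelated object right: ignored.
    '{"EventID": 4662, "SubjectUserName": "jdoe", "Properties": "%%7688 bf967a86-0de6-11d0-a285-00aa003049e2"}',
    # Federation set on an approved company domain: ignored.
    '{"OperationName": "Set federation settings on domain", "TargetDomain": "corp.example.com"}',
    # Federation set on a domain nobody approved: backdoor indicator.
    '{"OperationName": "Set domain authentication", "TargetDomain": "evil-tenant.example"}',
    # Unrelated audit operation: ignored.
    '{"OperationName": "Add user", "TargetDomain": ""}',
]


def run_sample():
    """Run the triage over the constructed events with a hypothetical baseline."""
    return triage(
        SAMPLE_LOGS,
        allowed_replicators={"msol_a1b2c3d4"},
        approved_domains={"corp.example.com"},
    )


if __name__ == "__main__":
    for technique, indicator in run_sample():
        print(f"{technique}: {indicator}")
```

The allow-list for replicators matters: the Entra Connect sync account legitimately holds DS-Replication-Get-Changes-All for password hash sync, which is exactly why the advisory notes that Directory Synchronization Accounts are an attractive escalation path. Treat any new principal acquiring those rights, and any federation change on a domain outside the approved set, as worth an immediate look.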
