Microsoft Threat Intelligence reports that Storm-0501, a financially motivated threat actor, has continued to evolve its campaigns toward cloud-based tactics, techniques, and procedures. The group's primary strategy has shifted away from deploying ransomware on on-premises endpoints and toward cloud-based ransomware tactics that use cloud-native capabilities to exfiltrate large volumes of data within a short timeframe, destroy backups, and demand ransom without deploying traditional malware.
Threat group develops cloud environment tactics
A financially motivated threat group active since 2021 has refined its tradecraft, shifting its focus to cloud-based infrastructure that lets it scale ransomware activity beyond the confines of on-premises networks. Microsoft Threat Intelligence published a report on the findings on Wednesday, according to CyberScoop.
Using cloud-native features, Storm-0501 has stolen large volumes of data at high speed, deleted data and backups in victim environments, and encrypted systems. That is both a technical change and a change in impact strategy, said Sherrod DeGrippo, director of threat intelligence strategy at Microsoft.
Opportunistic targeting takes advantage of security gaps
Storm-0501 is opportunistic, seeking out unmanaged devices and security gaps in hybrid cloud environments. By capitalizing on these weaknesses it can evade detection, escalate its privileges, and pivot between accounts, which increases the severity of its attacks and its likelihood of a payout.
Recent enterprise compromise exhibits sophisticated techniques
Recently, the threat group attacked a large enterprise that hosted several subsidiaries, each with its own Active Directory domain and its own Microsoft Azure deployment, with uneven security tool coverage across multiple Entra ID tenants, as reported on the Microsoft Security blog. This fragmented setup created visibility gaps across the environment, the researchers stated in the report.
Storm-0501 searched for Active Directory domains that lacked endpoint detection and response coverage. It gained a foothold in one Active Directory environment, extended its access to the other domains, and later compromised a second Entra Connect server tied to a different Entra ID tenant and Active Directory domain.
This reconnaissance gave the threat group in-depth visibility into the organization's security tooling and infrastructure. In that Entra ID tenant, Storm-0501 discovered a synchronized non-human identity that held Global Administrator privileges and had no multifactor authentication registered. It reset that account's on-premises password, and Entra Connect synchronized the new password to the cloud identity.
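The condition abused here, a directory-synced account holding Global Administrator with no multifactor authentication registered, is easy to audit for. The following Microsoft Graph PowerShell script is an added example and is not code from Microsoft's report; it lists every user assigned the Global Administrator role, whether the account is synchronized from on-premises Active Directory (so an on-premises password reset propagates to the cloud), and whether a strong authentication method is registered. The scope names, cmdlets and method type identifiers are from the Microsoft Graph API and its PowerShell SDK; the script assumes that SDK is installed and that the caller can consent to the listed scopes.

```powershell
# Added example, not code from Microsoft's report: find the condition Storm-0501 abused,
# an account holding Global Administrator that is synchronized from on-premises AD and
# has no multifactor authentication method registered.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller can consent to these scopes.
Connect-MgGraph -Scopes 'Directory.Read.All','RoleManagement.Read.Directory','UserAuthenticationMethod.Read.All' -NoWelcome

# Get-MgDirectoryRole only returns roles that have been activated in the tenant.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw 'Global Administrator role is not activated in this tenant.' }

# A password is not a second factor; any of these counts as a registered strong method.
$strongMethodTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'
)

$findings = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    # Role members can be users, groups or service principals; only user objects are checked here.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $user    = Get-MgUser -UserId $member.Id -Property id,userPrincipalName,accountEnabled,onPremisesSyncEnabled
    $methods = Get-MgUserAuthenticationMethod -UserId $user.Id
    $hasMfa  = @($methods | Where-Object { $strongMethodTypes -contains $_.AdditionalProperties['@odata.type'] }).Count -gt 0
    $synced  = [bool]$user.OnPremisesSyncEnabled   # true: an on-premises password reset flows into this cloud identity

    $risk = if ($synced -and -not $hasMfa) { 'HIGH: synced Global Admin without MFA' }
            elseif ($synced)               { 'Synced Global Admin (should be cloud-only)' }
            elseif (-not $hasMfa)          { 'Global Admin without MFA' }
            else                           { 'ok' }

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Enabled           = $user.AccountEnabled
        SyncedFromOnPrem  = $synced
        MfaRegistered     = $hasMfa
        Risk              = $risk
    }
}

$findings | Sort-Object Risk | Format-Table -AutoSize
```

Two caveats apply when reading the output. The script covers only permanent, directly assigned members of the activated role; eligible assignments made through Privileged Identity Management and members of role-assignable groups are not expanded, so a complete inventory needs those sources as well. The remediation the findings point to is the one Microsoft's guidance has long recommended: privileged roles should be held by cloud-only accounts, not synchronized ones, and should be covered by a Conditional Access policy that requires multifactor authentication.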
Cloud-based ransomware indicates a profound change in strategy
Later, Storm-0501 gained access to the victim organization's Azure environment, where it identified valuable assets and used its Azure Owner privileges to obtain keys that allowed it to exfiltrate data. Microsoft reported that the group then carried out cloud-based encryption and mass deletion of Azure resources, and began extorting the victim by contacting them through Microsoft Teams.
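The impact phase described above depends on a few conditions a defender can survey in advance: identities holding Owner across a whole subscription, storage accounts that still honour shared access keys (which an Owner can list and then use to read or delete data outside Entra ID authorization), backup vaults that can be emptied without a soft-delete window, and resource groups with no delete lock. The following Az PowerShell script is an added example, not code from Microsoft's report, that reports each of those conditions for one subscription. The cmdlets and property names are those of the Az module; the script assumes that module is installed and that the caller has at least Reader rights on the subscription.

```powershell
# Added example, not code from Microsoft's report: survey a subscription for the
# conditions the cloud impact phase relies on. Assumes the Az PowerShell module and
# Reader rights on the subscription. Run as: .\Audit-AzureImpactSurface.ps1 -SubscriptionId <id>
param([Parameter(Mandatory)][string]$SubscriptionId)

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Identities holding Owner at subscription or management-group scope: each can reach every resource.
$owners = Get-AzRoleAssignment -RoleDefinitionName 'Owner' |
    Where-Object { $_.Scope -match '^/subscriptions/[^/]+$' -or $_.Scope -like '/providers/Microsoft.Management/*' } |
    Select-Object DisplayName, ObjectType, SignInName, Scope

# 2. Storage accounts that still allow shared key access. A null value means the setting was
#    never changed, and the platform default is "allowed".
$sharedKeyStorage = Get-AzStorageAccount |
    Where-Object { $_.AllowSharedKeyAccess -ne $false } |
    Select-Object StorageAccountName, ResourceGroupName

# 3. Recovery Services vaults without soft delete: deleted backups are unrecoverable immediately.
$unprotectedVaults = foreach ($vault in Get-AzRecoveryServicesVault) {
    $props = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
    if ($props.SoftDeleteFeatureState -notin @('Enabled', 'AlwaysON')) {
        [pscustomobject]@{
            Vault         = $vault.Name
            ResourceGroup = $vault.ResourceGroupName
            SoftDelete    = $props.SoftDeleteFeatureState
        }
    }
}

# 4. Resource groups with no group-level CanNotDelete lock: bulk deletion is a single call per group.
#    Only locks whose resource ID sits directly under the resource group count; resource-level locks do not.
$groupLockPattern = '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Authorization/locks/[^/]+$'
$lockedGroups = Get-AzResourceLock |
    Where-Object { $_.ResourceId -match $groupLockPattern -and $_.Properties.level -eq 'CanNotDelete' } |
    ForEach-Object { $_.ResourceGroupName } | Sort-Object -Unique
$unlockedGroups = Get-AzResourceGroup |
    Where-Object { $lockedGroups -notcontains $_.ResourceGroupName } |
    Select-Object ResourceGroupName, Location

'== Owner assignments at subscription or management-group scope ==';  $owners | Format-Table -AutoSize
'== Storage accounts allowing shared key access ==';                   $sharedKeyStorage | Format-Table -AutoSize
'== Recovery Services vaults without soft delete ==';                  $unprotectedVaults | Format-Table -AutoSize
'== Resource groups without a CanNotDelete lock ==';                   $unlockedGroups | Format-Table -AutoSize
```

Each section maps to a control rather than just a finding: Owner should be held by as few identities as possible and activated through Privileged Identity Management rather than standing assignment; storage accounts should have shared key access disabled so that only Entra ID-authorized principals can reach data; backup vaults should keep soft delete on, and locks on resource groups turn a one-call mass deletion into a step that first requires removing the lock, which is itself a loggable action.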
Cloud-based ransomware represents a paradigm shift from traditional on-premises ransomware, in which malware is deployed to encrypt critical files on endpoints. Instead, the threat actor rapidly exfiltrates large amounts of data from the victim environment, deletes data and backups, and demands ransom without deploying conventional malware. Storm-0501 marks a significant change in ransomware approaches, DeGrippo noted. Hybrid and cloud environments are particularly exposed: Storm-0501 exploits the seam between on-premises and cloud security.
Storm-0501's evolution toward cloud-based ransomware, Microsoft noted, underscores the need for organizations to strengthen hybrid cloud security, ensure comprehensive endpoint coverage, and maintain unified visibility across on-premises and cloud environments in order to counter increasingly capable threat actors that exploit the gaps between modern and traditional infrastructure.