Microsoft warns that a threat actor tracked as Storm-0501 has evolved its operations, shifting away from encrypting devices with ransomware to focusing on cloud-based encryption, data theft, and extortion.

The hackers now abuse native cloud features to exfiltrate data, wipe backups, and destroy storage accounts, thereby applying pressure and extorting victims without deploying traditional ransomware encryption tools.

Storm-0501 is a threat actor who has been active since at least 2021, deploying the Sabbath ransomware in attacks against organizations worldwide. Over time, the threat actor joined various ransomware-as-a-service (RaaS) platforms, where they used encryptors from Hive, BlackCat (ALPHV), Hunters International, LockBit, and, more recently, Embargo ransomware.

In September 2024, Microsoft detailed how Storm-0501 extended its operations into hybrid cloud environments, pivoting from compromising Active Directory to Entra ID tenants. During these attacks, the threat actors either created persistent backdoors through malicious federated domains or encrypted on-premises devices using ransomware, such as Embargo.

A new report by Microsoft today outlines a shift in tactics, with Storm-0501 no longer relying on on-premises encryption and instead conducting attacks purely in the cloud.

“Unlike traditional on-premises ransomware, where the threat actor typically deploys malware to encrypt critical files across endpoints within the compromised network and then negotiates for a decryption key, cloud-based ransomware introduces a fundamental shift,” reads the report by Microsoft Threat Intelligence.

“Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom—all without relying on traditional malware deployment.”

Cloud-based ransomware attacks

In recent attacks observed by Microsoft, the hackers compromised multiple Active Directory domains and Entra tenants by exploiting gaps in Microsoft Defender deployments.

Storm-0501 then used stolen Directory Synchronization Accounts (DSAs) to enumerate users, roles, and Azure resources with tools such as AzureHound. The attackers eventually discovered a Global Administrator account that lacked multifactor authentication, allowing them to reset its password and gain complete administrative control.

With these privileges, they established persistence by adding malicious federated domains under their control, enabling them to impersonate almost any user and bypass MFA protections in the domain.

Microsoft says they escalated their access further into Azure by abusing the Microsoft.Authorization/elevateAccess/action, which allowed them to ultimately assign themselves to Owner roles, effectively taking over the victim’s entire Azure environment.

Once in control of the cloud environment, Storm-0501 began disabling defenses and stealing sensitive data from Azure Storage accounts. The threat actors also attempted to destroy storage snapshots, restore points, Recovery Services vaults, and storage accounts to prevent the target from recovering data for free.

When the threat actor couldn’t delete data from recovery services, they utilized cloud-based encryption by creating new Key Vaults and customer-managed keys, effectively encrypting the data with new keys and making it inaccessible to the company unless they pay a ransom.

After stealing data, destroying backups, or encrypting cloud data, Storm-0501 moved to the extortion phase, contacting victims through Microsoft Teams using compromised accounts to deliver ransom demands.

Microsoft’s report shares protection advice, Microsoft Defender XDR detections, and hunting queries that can help find and detect the tactics used by this threat actor.

As ransomware encryptors are increasingly blocked before they can encrypt devices, we may see other threat actors shift away from on-premise encryption to cloud-based data theft and encryption, which may be harder to detect and block.