
Ransomware Attackers Wipe Azure Data and Backups After Theft

Summary

– A threat actor known as Storm-0501 executed a novel cloud-based ransomware attack by destroying data and backups after exfiltration in a Microsoft Azure environment.
– The group used cloud features to rapidly exfiltrate large amounts of data, enabling an effective ransomware attack without traditional on-premises malware deployment.
– Storm-0501 is a financially motivated actor that has opportunistically targeted sectors like schools and healthcare, adapting tactics since 2021 and switching ransomware payloads.
– The attack involved pivoting from on-premises to cloud environments, compromising Entra Connect Sync servers and performing DCSync attacks to gain privileged access and enumerate resources.
– Microsoft experts view this as a significant evolution in ransomware techniques, likely to be adopted by other threat actors because destroying the victim's data and backups leaves no remediation path short of paying.

A new wave of cloud-focused ransomware attacks has emerged, with threat actors now systematically wiping both primary data and backup copies after exfiltration within Microsoft Azure environments. This approach leaves organizations with no viable recovery options, forcing them into a position where paying the ransom may seem like the only recourse. Microsoft’s Threat Intelligence team recently detailed the activities of a group tracked as Storm-0501, highlighting their shift toward hybrid and cloud-based extortion tactics.

The group’s methods represent a significant departure from conventional ransomware deployment. Rather than pushing an encryptor to local systems, Storm-0501 abuses native cloud functionality to exfiltrate large volumes of data to attacker-controlled infrastructure and then deletes the originals and their backups. The extortion phase runs entirely through the cloud control plane, so no ransomware binary ever has to land on an on-premises endpoint, and the endpoint-centric detections and backup-based recovery most organizations rely on do not apply.

Financially motivated and highly adaptive, Storm-0501 has altered its tools and techniques repeatedly since first appearing in 2021. The group has swapped ransomware payloads multiple times, most recently deploying Embargo ransomware in attacks throughout 2024. Their targets are often chosen opportunistically and have included educational and healthcare institutions, sectors where operational continuity is critically important.

Earlier this year, Microsoft warned that Storm-0501 had expanded beyond traditional on-premises operations into hybrid cloud setups. According to Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, this represents a major evolution in the ransomware landscape. She emphasized that the group’s strategy, combining data theft, backup deletion, and encryption, along with their persistent efforts to maintain access, signals a dangerous new phase in digital extortion. DeGrippo also cautioned that these techniques are likely to be adopted by other threat actors in the near future.

In a recent incident involving a large enterprise with multiple subsidiaries, each maintaining its own Active Directory domain, Storm-0501 successfully compromised two Microsoft Entra ID tenants. After gaining Domain Admin privileges in the on-premises Active Directory domain synchronized to the first tenant, the attackers used tools like Evil-WinRM to move laterally across the network. They also compromised an Entra Connect Sync server and performed a DCSync attack to harvest password hashes, including those of highly privileged accounts. An Entra Connect Sync server is a natural pivot point from on-premises to cloud: it holds the credentials of the directory synchronization accounts it uses in both environments, and its on-premises account legitimately has the replication rights that DCSync relies on, so an attacker operating from it blends in with normal synchronization traffic.

Using the Directory Synchronization Account, the Entra ID identity that Entra Connect uses to write synchronized objects into the tenant, the threat actor enumerated users, roles, and Azure resources within the initial tenant. Although conditional access policies and multifactor authentication blocked several subsequent login attempts, the group quickly shifted focus to a second tenant. By moving between Active Directory domains and compromising another Entra Connect server, they repeated their reconnaissance process, eventually gaining access to valuable data stores hosted in Azure. This methodical cross-tenant movement underscores the growing sophistication of cloud-oriented cyberattacks.
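The DCSync step above is detectable on the domain controllers: a replication request is logged as Security Event 4662 on the domain object with one of the DS-Replication-Get-Changes control-access rights. The catch, and the reason the Entra Connect Sync server is such a useful pivot, is that the sync account performs this operation legitimately. The following is an added example, not code from the article or from Microsoft, showing detection logic that ignores domain controllers, allows the sync account only from its known host, and flags everything else. Event 4662 does not carry a client address, so the logic joins it to logon event 4624 by logon ID. The events, account names (MSOL_1a2b3c4d5e6f, jdoe, DC01$), and IP addresses are constructed sample data, and the DC and sync-account allowlists are assumptions for the example.

```python
"""Flag DCSync-style replication requests in Windows Security Event 4662.

Added example (not from the article or Microsoft's report). The sample events
below are constructed, simplified dicts, not real logs.
"""
from dataclasses import dataclass

# Control-access right GUIDs on the domain naming context that DCSync needs.
REPLICATION_RIGHTS = {
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes",
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes-All",
    "{89e95b76-444d-4c62-991a-0facbeda640c}": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed environment data: DC computer accounts, and the Entra Connect Sync
# on-premises account mapped to the only host it should ever run from.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
SYNC_ACCOUNTS = {"MSOL_1a2b3c4d5e6f": "10.0.5.20"}


@dataclass
class Finding:
    record_id: int
    subject: str
    source_ip: str
    rights: tuple
    severity: str
    reason: str


def replication_rights_in(properties: str) -> tuple:
    """Return the replication rights named in a 4662 'Properties' field."""
    text = properties.lower()
    return tuple(name for guid, name in REPLICATION_RIGHTS.items() if guid in text)


def detect_dcsync(events_4662, logons_4624,
                  domain_controllers=DOMAIN_CONTROLLERS,
                  sync_accounts=SYNC_ACCOUNTS):
    """Join 4662 to 4624 by logon ID and flag replication from unexpected principals."""
    ip_by_logon = {e["TargetLogonId"]: e["IpAddress"] for e in logons_4624}
    findings = []
    for e in events_4662:
        rights = replication_rights_in(e["Properties"])
        if not rights:
            continue  # ordinary property access, not replication
        subject = e["SubjectUserName"]
        source_ip = ip_by_logon.get(e["SubjectLogonId"], "unknown")
        # Get-Changes-All is the right that returns secrets (password hashes).
        severity = "high" if "DS-Replication-Get-Changes-All" in rights else "medium"
        if subject in domain_controllers:
            continue  # DC-to-DC replication is expected
        if subject in sync_accounts:
            if source_ip == sync_accounts[subject]:
                continue  # sync account from its own server: expected
            reason = "directory sync account requested replication from an unexpected host"
        else:
            reason = "non-DC account requested directory replication (possible DCSync)"
        findings.append(Finding(e["RecordId"], subject, source_ip, rights, severity, reason))
    return findings


# Constructed sample data. Logon 0x7b9e0 and 0x7c001 come from a workstation
# that should never replicate; 0x5a1c2 is the real Entra Connect server.
SAMPLE_4624 = [
    {"TargetLogonId": "0x3e7", "TargetUserName": "DC02$", "IpAddress": "10.0.1.12"},
    {"TargetLogonId": "0x5a1c2", "TargetUserName": "MSOL_1a2b3c4d5e6f", "IpAddress": "10.0.5.20"},
    {"TargetLogonId": "0x7b9e0", "TargetUserName": "MSOL_1a2b3c4d5e6f", "IpAddress": "10.0.9.77"},
    {"TargetLogonId": "0x7c001", "TargetUserName": "jdoe", "IpAddress": "10.0.9.77"},
]
SAMPLE_4662 = [
    {"RecordId": 1, "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e7",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"RecordId": 2, "SubjectUserName": "MSOL_1a2b3c4d5e6f", "SubjectLogonId": "0x5a1c2",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"RecordId": 3, "SubjectUserName": "MSOL_1a2b3c4d5e6f", "SubjectLogonId": "0x7b9e0",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"RecordId": 4, "SubjectUserName": "jdoe", "SubjectLogonId": "0x7c001",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"RecordId": 5, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x8d1",
     "Properties": "Read Property\n\t{bf967a9c-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_4662, SAMPLE_4624):
        print(f"[{f.severity}] record {f.record_id}: {f.subject} from {f.source_ip}: {f.reason}")
```

Records 3 and 4 are flagged; records 1 and 2 are suppressed as expected replication. Note the residual blind spot this leaves: an attacker who, like Storm-0501, runs DCSync from the Entra Connect server itself under the sync account matches the allowlist and is not flagged here, so this logic needs to be paired with host-level telemetry on the Connect server (credential-dumping tooling, unexpected interactive logons) and with tight control over who can reach that server at all.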

(Source: InfoSecurity Magazine)
