Storm-0501 Debuts Brutal Hybrid Ransomware Attack Chain, Microsoft Warns

Microsoft Threat Intelligence today released a report detailing how the financially motivated group Storm-0501 has sharpened its ransomware tactics. The researchers warn that the threat actor now exploits hijacked privileged accounts to move seamlessly between on‑premises and cloud environments, encrypt data and carry out mass deletions of cloud resources, including backups.

“They’re not just encrypting the data; they’re deleting backups so that you can’t say, ‘Oh, that’s fine, we’ll recover from this, we’re not going to pay a ransom,’” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told CSO. “It’s a truly brutal ransomware attack chain to play.”

The attack chain unfolded in a large enterprise made up of multiple subsidiaries, each operating its own Active Directory domain. All domains were interconnected via domain trust relationships, enabling cross‑domain authentication and resource access. Microsoft noted that only one tenant had Defender for Endpoint deployed, and devices from several AD domains were onboarded to that single tenant’s license, creating visibility gaps across the environment. The threat actor reportedly checked for the presence of Defender for Endpoint services, suggesting a deliberate effort to avoid detection by targeting systems not onboarded to Defender.

Storm-0501 then moved laterally using Evil‑WinRM, a post‑exploitation tool that uses PowerShell over Windows Remote Management (WinRM) for remote code execution, and carried out a DCSync attack, which simulates the replication behavior of a domain controller and allowed it to request password hashes for any user in the domain, including privileged accounts. Even with valid credentials, the attackers often lacked the necessary second MFA factor or policy compliance; nevertheless, they used their on‑premises control to pivot across AD domains and locate a non‑human, directory‑synced global admin identity whose password they could reset to establish persistence across the environment.

Microsoft says Storm‑0501 created a backdoor by adding a malicious federated domain, enabling sign‑in as nearly any user, mapping the environment, and understanding its protections. The group then targeted Azure Storage accounts, exfiltrating data to its own infrastructure. After data exfiltration, the attackers mass‑deleted Azure resources, including backups; for files protected by resource locks or Azure Storage immutability policies, they encrypted the remaining cloud data and began the extortion phase, contacting victims through the Microsoft Teams account of a compromised user.
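A defender-side illustration of the two cloud-phase signals described above: a federation-settings change on a domain, followed by a burst of resource deletions (backup vaults included) by a single principal. This is an added example, not code from Microsoft or the report; the event records and their field names are constructed, and the operation strings used for matching are assumptions about how such events would appear in Entra ID audit and Azure Activity logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (simplified; field names are an assumption,
# not a real log schema). One principal changes federation settings,
# then deletes four resources in under four minutes; a second principal
# performs a single, unrelated delete much later.
SAMPLE_EVENTS = [
    {"time": "2025-08-27T10:00:05Z", "actor": "svc-sync-admin@contoso.example",
     "operation": "Set federation settings on domain", "target": "attacker-federation.example"},
    {"time": "2025-08-27T10:12:00Z", "actor": "svc-sync-admin@contoso.example",
     "operation": "Microsoft.RecoveryServices/vaults/delete", "target": "rsv-prod-backups"},
    {"time": "2025-08-27T10:13:30Z", "actor": "svc-sync-admin@contoso.example",
     "operation": "Microsoft.Storage/storageAccounts/delete", "target": "stprodfiles01"},
    {"time": "2025-08-27T10:14:10Z", "actor": "svc-sync-admin@contoso.example",
     "operation": "Microsoft.Compute/virtualMachines/delete", "target": "vm-prod-app01"},
    {"time": "2025-08-27T10:15:45Z", "actor": "svc-sync-admin@contoso.example",
     "operation": "Microsoft.Compute/disks/delete", "target": "vm-prod-app01-osdisk"},
    {"time": "2025-08-27T11:40:00Z", "actor": "ops@contoso.example",
     "operation": "Microsoft.Compute/virtualMachines/delete", "target": "vm-test-01"},
]

# Assumed Entra ID audit operation names for domain federation changes.
FEDERATION_OPS = {"Set federation settings on domain", "Set domain authentication"}


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_federation_changes(events):
    """Return every event that altered a domain's federation settings."""
    return [e for e in events if e["operation"] in FEDERATION_OPS]


def find_delete_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return actors that issued >= threshold delete operations inside any sliding window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["operation"].endswith("/delete"):
            by_actor[e["actor"]].append(parse_time(e["time"]))
    flagged = []
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(actor)
                break
    return sorted(flagged)
```

In practice the two signals are worth correlating: a federation change by an account that later mass-deletes resources matches the sequence the report describes far more specifically than either alert alone.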

A key takeaway, according to Microsoft, is the attack’s reliance on hybrid environments that combine on‑prem and cloud assets. DeGrippo emphasized that attackers escalate privileges on both sides of the environment, destroy backups, and press organizations into a no‑win situation where paying may be the only option short of shutdown.

In light of these findings, security leaders are advised to enforce least‑privilege access, ensure their ransomware playbooks are current and practiced, and conduct comprehensive audits of on‑prem environments. DeGrippo urged organizations to reassess which assets should be migrated to the cloud and which should be hardened on‑prem, warning that hybrid environments can be particularly vulnerable when protections are uneven between the on‑prem and cloud sides.