Microsoft Threat Intelligence has released a detailed report exposing a significant evolution in ransomware attacks, pioneered by the financially motivated threat actor Storm-0501.
The group has shifted from traditional on-premises ransomware to a more destructive, cloud-native strategy that involves data exfiltration and destruction, fundamentally changing the nature of ransomware threats for businesses operating in hybrid cloud environments.
Unlike conventional attacks that encrypt files on local servers and demand payment for a decryption key, Storm-0501’s new method is far more devastating.

The group leverages cloud-native capabilities to first exfiltrate massive volumes of sensitive data, then systematically destroys the original data and any backups within the victim’s cloud environment before demanding a ransom.
This “steal-and-destroy” tactic removes the option of restoring from backups held in the same cloud environment, since those are destroyed along with the primary data, and leaves the victim with only the stolen copy as leverage for the extortion demand.
The attack chain, as detailed by Microsoft, is a sophisticated blend of on-premises and cloud infiltration. It often begins with a compromise of a company’s local Active Directory.
From this foothold, the attackers pivot to the cloud, targeting Microsoft Entra ID (formerly Azure AD). Their primary objective is to find a high-privilege account, such as a Global Administrator, that lacks robust security, particularly multi-factor authentication (MFA).
In a recent campaign analyzed by Microsoft, Storm-0501 identified a synced, non-human Global Administrator account without a registered MFA method.

The attackers reset the account’s password in on-premises Active Directory, and directory synchronization (Microsoft Entra Connect) pushed the new credential to the matching cloud account. Because no MFA method had ever been registered, the attackers could sign in with the new password and enroll their own MFA device, satisfying rather than bypassing the tenant’s existing policies and gaining complete control over the cloud domain.
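The account profile described above (a Global Administrator that is synced from on-premises AD and has no MFA method registered) is easy to audit for. The following is an added example, not code from Microsoft’s report: the `User` records are constructed to mirror the Microsoft Graph fields `onPremisesSyncEnabled` (from `/users`) and the `@odata.type` of each entry in `/users/{id}/authentication/methods`; the role set is assumed to have been collected from directory role membership, and `contoso.example` is a placeholder tenant.

```python
# Added example, not from Microsoft's report: flag Entra ID accounts that fit
# the profile Storm-0501 abused, i.e. Global Administrator, synchronised from
# on-premises AD, and without a registered MFA method. Records are constructed
# to mirror Graph's onPremisesSyncEnabled and authentication-method @odata.type
# values; the role set is assumed to come from directory role membership.
from dataclasses import dataclass, field

# Template ID of the built-in Global Administrator role in Entra ID.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Registered method types that can satisfy an MFA prompt; a password alone cannot.
MFA_METHOD_TYPES = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
}

@dataclass
class User:
    upn: str
    on_prem_synced: bool                      # onPremisesSyncEnabled
    roles: set = field(default_factory=set)   # role template IDs (assumed source)
    auth_methods: list = field(default_factory=list)
    account_enabled: bool = True

def has_mfa(user: User) -> bool:
    return any(m in MFA_METHOD_TYPES for m in user.auth_methods)

def audit_global_admins(users):
    """Return [(upn, [issues])] for enabled Global Admins that are synced or lack MFA."""
    findings = []
    for u in users:
        if not u.account_enabled or GLOBAL_ADMIN_TEMPLATE_ID not in u.roles:
            continue
        issues = []
        if u.on_prem_synced:
            # An on-prem password reset flows to this cloud account via directory sync.
            issues.append("synced-from-on-prem")
        if not has_mfa(u):
            # Whoever first signs in with the password gets to register the first MFA method.
            issues.append("no-mfa-registered")
        if issues:
            findings.append((u.upn, issues))
    return findings

# Constructed sample directory; contoso.example is a placeholder tenant.
SAMPLE_USERS = [
    User("svc-sync-admin@contoso.example", True, {GLOBAL_ADMIN_TEMPLATE_ID},
         ["#microsoft.graph.passwordAuthenticationMethod"]),
    User("breakglass@contoso.example.onmicrosoft.com", False, {GLOBAL_ADMIN_TEMPLATE_ID},
         ["#microsoft.graph.passwordAuthenticationMethod",
          "#microsoft.graph.fido2AuthenticationMethod"]),
    User("jdoe@contoso.example", True, set(),
         ["#microsoft.graph.passwordAuthenticationMethod"]),
    User("old-admin@contoso.example", False, {GLOBAL_ADMIN_TEMPLATE_ID},
         ["#microsoft.graph.passwordAuthenticationMethod"], account_enabled=False),
]

if __name__ == "__main__":
    for upn, issues in audit_global_admins(SAMPLE_USERS):
        print(f"{upn}: {', '.join(issues)}")
```

Only the synced service account is reported; the cloud-only break-glass account with a FIDO2 key passes, and the disabled account is skipped. In a real tenant the two lists would come from Graph (`/users?$select=userPrincipalName,onPremisesSyncEnabled,accountEnabled` and the per-user authentication methods endpoint), and the role check should also cover eligible PIM assignments, which this example does not model.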
Global Administrator rights in Entra ID do not by themselves grant control over Azure resources, so the attackers used the Entra ID “elevate access” option, which grants the User Access Administrator role at the tenant root scope, and from there assigned themselves “Owner” on all of the organization’s cloud subscriptions.
They then initiate a discovery phase to map out critical assets, including data stores and backups. Following discovery, they exfiltrate the data using AzCopy, Microsoft’s own command-line tool for moving data to and from Azure Storage.
The final impact phase is swift and catastrophic. Storm-0501 initiates a mass-deletion of Azure resources, including storage accounts, virtual machine snapshots, and recovery vaults.
For data protected by resource locks or immutability policies, the attackers first attempt to remove those protections. Where that fails, they re-encrypt the remaining storage with a key they control (Azure lets a storage account be encrypted with a customer-managed key held in Key Vault) and then delete that key, rendering the information permanently inaccessible. The extortion demand is then typically delivered over Microsoft Teams from a compromised user account.
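Each step of the impact sequence above leaves a management-plane record, so the chain can be detected from logs. The following is an added example, not detection content from Microsoft’s report: a handful of rules run over a constructed batch of Azure Activity Log style events. The `operationName` values for elevate access, role assignment, lock deletion and resource deletion are the resource-provider operations Azure records for those actions; `KeyDelete` follows Key Vault diagnostic logging, so the assumption is that both sources have been normalised to the same fields (`operationName`, `caller`, `eventTimestamp`, `status`, `resourceId`). Thresholds and the placeholder subscription ID are assumptions.

```python
# Added example, not Microsoft's detection content: rules for the Storm-0501
# impact sequence over Azure Activity Log style events. Events are constructed;
# "KeyDelete" mirrors Key Vault diagnostic logging and is assumed to have been
# normalised to the Activity Log field names used here.
from collections import defaultdict
from datetime import datetime, timedelta

DELETE_BURST_THRESHOLD = 5                   # this many successful deletes ...
DELETE_BURST_WINDOW = timedelta(minutes=10)  # ... by one caller inside this window (assumed)

# Operations that are worth a finding on their own.
SINGLE_EVENT_RULES = {
    "Microsoft.Authorization/elevateAccess/action": "global-admin-elevated-to-tenant-root",
    "Microsoft.Authorization/roleAssignments/write": "role-assignment-written",
    "Microsoft.Authorization/locks/delete": "resource-lock-removed",
    "KeyDelete": "key-vault-key-deleted",
    "KeyPurge": "key-vault-key-purged",
}

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def detect(events):
    """Return a list of finding dicts for the event batch."""
    findings = []
    deletes = defaultdict(list)          # caller -> delete timestamps, in time order
    for e in sorted(events, key=lambda e: e["eventTimestamp"]):
        if e.get("status") != "Succeeded":   # denied attempts are handled elsewhere; skip here
            continue
        op = e["operationName"]
        if op in SINGLE_EVENT_RULES:
            findings.append({"rule": SINGLE_EVENT_RULES[op], "caller": e["caller"],
                             "time": e["eventTimestamp"], "resource": e.get("resourceId")})
        if op.endswith("/delete"):
            deletes[e["caller"]].append(_ts(e["eventTimestamp"]))
    # Sliding window: largest number of deletes by one caller within the window.
    for caller, times in deletes.items():
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > DELETE_BURST_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= DELETE_BURST_THRESHOLD:
            findings.append({"rule": "mass-deletion-burst", "caller": caller,
                             "time": times[0].isoformat(), "count": best})
    return findings

def rule_names(findings):
    return sorted({f["rule"] for f in findings})

# Constructed events; the caller is the synced admin account from the story.
ADMIN = "svc-sync-admin@contoso.example"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder

def ev(op, t, caller=ADMIN, status="Succeeded", res=SUB):
    return {"operationName": op, "eventTimestamp": t, "caller": caller,
            "status": status, "resourceId": res}

SAMPLE_EVENTS = [
    ev("Microsoft.Authorization/elevateAccess/action", "2025-01-01T10:00:00Z",
       res="/providers/Microsoft.Authorization"),
    ev("Microsoft.Authorization/roleAssignments/write", "2025-01-01T10:02:00Z"),
    ev("Microsoft.Compute/virtualMachines/start", "2025-01-01T10:05:00Z",
       caller="jdoe@contoso.example"),                               # benign noise
    ev("Microsoft.Authorization/locks/delete", "2025-01-01T10:30:00Z",
       res=SUB + "/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/prodsa01"
               "/providers/Microsoft.Authorization/locks/nodelete"),
    ev("Microsoft.Storage/storageAccounts/delete", "2025-01-01T10:31:00Z"),
    ev("Microsoft.Storage/storageAccounts/delete", "2025-01-01T10:32:00Z"),
    ev("Microsoft.Compute/snapshots/delete", "2025-01-01T10:33:00Z"),
    ev("Microsoft.Compute/snapshots/delete", "2025-01-01T10:34:00Z"),
    ev("Microsoft.RecoveryServices/vaults/delete", "2025-01-01T10:35:00Z"),
    ev("Microsoft.Storage/storageAccounts/delete", "2025-01-01T10:36:00Z",
       status="Failed"),                                             # blocked by a lock
    ev("KeyDelete", "2025-01-01T10:40:00Z",
       res=SUB + "/resourceGroups/prod/providers/Microsoft.KeyVault/vaults/prodkv"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

On the sample batch this yields five findings: the elevate-access call, the role assignment that followed it, the lock removal, a burst of six deletes by the same caller within ten minutes, and the Key Vault key deletion. The order matters in triage: elevate access followed within minutes by a role assignment at subscription scope is rare in normal administration, and a lock deletion followed by resource deletions from the same identity is the pattern described above.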
To combat these threats, Microsoft is urging organizations to adopt a multi-layered defense strategy. Key recommendations include enforcing phishing-resistant MFA for all users, practicing the principle of least privilege, and keeping privileged accounts cloud-native, that is, created in Entra ID rather than synchronized from on-premises Active Directory, so that an on-premises compromise cannot reset their credentials.
Microsoft also highlights the importance of using built-in cloud security features like Microsoft Defender for Cloud, applying resource locks to critical assets, and enabling immutability and soft-delete policies on storage and key vaults to prevent irreversible data loss.
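The resource-level recommendations above can be checked mechanically. The following is an added example, not from Microsoft’s guidance: it evaluates trimmed, constructed ARM-style resource records for a storage account and a key vault against locks, immutability and soft delete, with a weak configuration beside a hardened one. The property names used (`enableSoftDelete`, `enablePurgeProtection`, `immutableStorageWithVersioning`, `deleteRetentionPolicy`, `containerDeleteRetentionPolicy`, lock `level`) are the ones the storage, Key Vault and lock resource schemas use; container-level immutability policies and retention periods are not modelled, and the resource names are placeholders.

```python
# Added example, not from Microsoft's guidance: check constructed ARM-style
# resource records against the protections recommended above. Property names
# follow the storage, Key Vault and lock resource schemas; container-level
# immutability policies are not modelled.

def _has_delete_lock(locks):
    return any(l.get("level") in ("CanNotDelete", "ReadOnly") for l in locks)

def storage_gaps(props, locks):
    gaps = []
    if not _has_delete_lock(locks):
        gaps.append("no CanNotDelete/ReadOnly lock")
    if not props.get("immutableStorageWithVersioning", {}).get("enabled"):
        gaps.append("account-level immutability disabled")
    blob = props.get("blobServices", {})
    if not blob.get("deleteRetentionPolicy", {}).get("enabled"):
        gaps.append("blob soft delete disabled")
    if not blob.get("containerDeleteRetentionPolicy", {}).get("enabled"):
        gaps.append("container soft delete disabled")
    return gaps

def keyvault_gaps(props, locks):
    gaps = []
    if not _has_delete_lock(locks):
        gaps.append("no CanNotDelete/ReadOnly lock")
    if not props.get("enableSoftDelete"):
        gaps.append("soft delete disabled")
    # Without purge protection a soft-deleted key can be purged immediately,
    # which is the "delete the key" step in the impact phase. Once purge
    # protection is on it cannot be turned off again, even by an Owner.
    if not props.get("enablePurgeProtection"):
        gaps.append("purge protection disabled")
    return gaps

CHECKS = {
    "Microsoft.Storage/storageAccounts": storage_gaps,
    "Microsoft.KeyVault/vaults": keyvault_gaps,
}

def assess(resources):
    """Map resource name -> list of missing protections (empty list means compliant)."""
    return {r["name"]: CHECKS[r["type"]](r.get("properties", {}), r.get("locks", []))
            for r in resources if r["type"] in CHECKS}

# Weak configuration (constructed): defaults, no locks, purge protection off.
WEAK = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "backupsa01",
     "properties": {}, "locks": []},
    {"type": "Microsoft.KeyVault/vaults", "name": "prodkv",
     "properties": {"enableSoftDelete": True}, "locks": []},
]

# Corrected configuration (constructed): locked, immutable, soft delete and purge protection on.
HARDENED = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "backupsa01",
     "properties": {
         "immutableStorageWithVersioning": {"enabled": True},
         "blobServices": {
             "deleteRetentionPolicy": {"enabled": True, "days": 30},
             "containerDeleteRetentionPolicy": {"enabled": True, "days": 30}}},
     "locks": [{"name": "no-delete", "level": "CanNotDelete"}]},
    {"type": "Microsoft.KeyVault/vaults", "name": "prodkv",
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": True,
                    "softDeleteRetentionInDays": 90},
     "locks": [{"name": "no-delete", "level": "CanNotDelete"}]},
]

if __name__ == "__main__":
    for label, resources in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess(resources))
```

One caveat worth keeping in mind when reading the results: a subscription Owner can remove a `CanNotDelete` lock, which is exactly what the attackers attempt first, so a lock buys time and an audit event rather than a guarantee. The settings an Owner cannot reverse are a locked time-based immutability policy on a container and purge protection on the key vault, so those two are the ones that actually stop the “delete the key” and “delete the backup” steps.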
Storm-0501, previously known for attacks on U.S. school districts and the healthcare sector, continues to demonstrate its proficiency in navigating complex hybrid environments, underscoring the urgent need for businesses to adapt their security posture for the cloud era.