Microsoft Warns of Ransomware Gangs Exploiting Cloud Environments with New Techniques
In a comprehensive analysis of the ransomware landscape in the first quarter of 2025, Microsoft Threat Intelligence has highlighted significant shifts in tactics by threat actors, marking a strategic evolution in their operations.
The analysis reveals a growing trend where ransomware groups are not only expanding their attack vectors but also targeting cloud environments with new and sophisticated techniques.
Ransomware as a Service (RaaS) Affiliates Enter the Scene
For the first time, Microsoft observed a state-affiliated threat actor, Moonstone Sleet from North Korea, engaging with a Ransomware-as-a-Service (RaaS) provider, Qilin, to deploy ransomware.
Traditionally, this actor had only utilized custom ransomware, showing a shift towards leveraging established RaaS operators to enhance the efficiency of their attacks.
This development underscores the adaptability of state-sponsored actors in the ransomware ecosystem.
Hybrid Cloud Environment Vulnerabilities Exploited
The threat actor known as Storm-0501 has been noted for resuming its aggressive targeting of hybrid cloud environments.
This group has refined its approach by exploiting insecure hybrid accounts to move laterally from on-premises environments to cloud resources, where they delete backups and send extortion messages.
This tactic, detailed in previous reports by Microsoft (msft.it/6011S6VuW), demonstrates an understanding of cloud architecture vulnerabilities, making it a prime example of how lateral movement in cloud services is becoming a new frontier for ransomware attacks.
The leak of Black Basta’s group chat messages in February provided a rare insight into the operational intricacies of closed ransomware groups.
The chats revealed the use of Citrix, Jenkins, and VPN exploits, alongside weak ESXi authentication and compromised SSH for lateral movement.
Black Basta, known for its selective and sophisticated targeting, has been noted for its activity overlap with groups like Storm-1674 and others, suggesting an interconnected network of threat actors sharing techniques and infrastructure.
Storm-1175 has been particularly active in exploiting newly disclosed vulnerabilities in remote monitoring and management (RMM) tools like SimpleHelp.
By leveraging the critical vulnerabilities CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, this actor has been able to rapidly deploy Medusa ransomware, underscoring how quickly ransomware actors reuse known vulnerabilities and why timely patching matters.
Fake IT scams continue to serve as a primary initial access vector for many ransomware groups.
Actors like Storm-2410 and Storm-1674 utilize these methods to gain initial footholds, often leading to the deployment of remote access tools like Quick Assist or PowerShell scripts for further control.
The use of these methods indicates an ongoing reliance on social engineering as an effective entry point for ransomware.
Microsoft’s detailed report serves as a critical reminder to enterprises about the evolving nature of ransomware threats, particularly in how they exploit cloud environments and leverage new vulnerabilities or social engineering tactics.
As attackers adapt, so must cybersecurity strategies, focusing not only on traditional endpoint protection but also on securing cloud infrastructure and ensuring robust backup solutions are in place to mitigate the impact of such sophisticated attacks.