Washington, D.C. – A financially motivated cybercriminal group known as Storm-0501 has been linked to a series of ransomware attacks targeting critical sectors in the U.S., including government, manufacturing, transportation, and law enforcement. According to Microsoft, the group's multi-stage attack campaigns are designed to compromise hybrid cloud environments, leading to data theft, ransomware deployment, and persistent backdoor access.
The group moves laterally from on-premises systems into cloud environments, exploiting weak credentials, over-privileged accounts, and unpatched vulnerabilities in internet-facing servers such as Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016. These intrusions result in credential theft, data exfiltration, and tampering with sensitive systems.
Storm-0501's Evolution and Techniques
Storm-0501 has been active since 2021 and initially focused on targeting educational entities with Sabbath (54bb47h) ransomware. Over time, the group evolved into a ransomware-as-a-service (RaaS) affiliate, delivering various ransomware payloads, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.
The group's preferred method of initial access often involves purchasing established footholds from access brokers such as Storm-0249 and Storm-0900 or exploiting known vulnerabilities in unpatched systems. Once inside a network, Storm-0501 conducts extensive discovery operations to identify high-value assets and gather domain information. The group is also known to perform Active Directory reconnaissance to map out the internal network.
Lateral Movement and Persistence
Storm-0501 employs various tools for persistence and lateral movement across compromised networks. One of its key tools is the remote monitoring and management (RMM) software AnyDesk, which it installs to sustain long-term access. The group also uses the SecretsDump module from the Impacket toolkit, which dumps credential material (password hashes and secrets) from a remote machine over the network, letting the attackers authenticate to further devices.
With each new set of credentials the attackers reach more systems, harvest additional credentials, and run brute-force attacks against specific accounts of interest. They are also known to exfiltrate sensitive data, including KeePass secrets, to extend the compromise of victim organizations.
Hybrid Cloud Ransomware Attacks
Microsoft noted that Storm-0501 frequently deploys Cobalt Strike to move laterally within networks using the compromised credentials. The group then uses Rclone to exfiltrate data to cloud storage services such as MegaSync. A hallmark of Storm-0501's operations is its ability to establish persistent backdoor access to both on-premises and cloud environments, which makes it particularly dangerous in hybrid cloud setups.
The group has been observed using on-premises credentials for accounts that also exist in Microsoft Entra ID (formerly Azure AD) to pivot from the on-premises environment into the cloud. The pivot is made either through a compromised Microsoft Entra Connect Sync service account or by hijacking the cloud session of a synced user, which succeeds when that user has no multi-factor authentication (MFA) enforced.
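The two pivot paths above leave traces in Entra ID sign-in logs: a Directory Synchronization account (whose user principal name starts with "Sync_") should only ever authenticate non-interactively from the Entra Connect application, and a synced user completing a single-factor sign-in from an unfamiliar address is exactly the MFA gap the group exploits. The following Python is an added example written for this article, not Microsoft's hunting query or code from its report. The sign-in records are constructed in the shape of the Microsoft Graph signIn resource, and the application display names in SYNC_SERVICE_APPS and the known-egress address set are assumptions to be replaced with what your own tenant logs show.

```python
"""Hunt for the on-premises -> cloud pivot in Entra ID sign-in logs.

Rule 1: a Directory Synchronization account (UPN 'Sync_<server>_<id>@...')
        signing in interactively, or from any app other than the Entra Connect
        service. Those accounts are never used by a human.
Rule 2: a successful interactive sign-in by a regular user that satisfied only
        single-factor authentication, from an IP outside the known egress set.
"""
import json

# ASSUMPTION: the application names under which Entra Connect's own sync
# traffic appears in your sign-in logs; check a known-good record and adjust.
SYNC_SERVICE_APPS = {"Microsoft Azure AD Connect", "Microsoft Azure Active Directory Connect"}

# Constructed sample records (JSON lines, Graph signIn shape). Not real data.
SAMPLE_SIGNINS = r"""
{"userPrincipalName":"Sync_DC01_0a1b2c3d@contoso.onmicrosoft.com","appDisplayName":"Microsoft Azure AD Connect","ipAddress":"203.0.113.10","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"Sync_DC01_0a1b2c3d@contoso.onmicrosoft.com","appDisplayName":"Azure Portal","ipAddress":"198.51.100.77","isInteractive":true,"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"jdoe@contoso.com","appDisplayName":"Office 365 Exchange Online","ipAddress":"203.0.113.10","isInteractive":true,"authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"admin.svc@contoso.com","appDisplayName":"Azure Portal","ipAddress":"198.51.100.77","isInteractive":true,"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"admin.svc@contoso.com","appDisplayName":"Azure Portal","ipAddress":"198.51.100.77","isInteractive":true,"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in export into a list of dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_sync_account(upn):
    """Entra Connect sync accounts are cloud-only and named Sync_<server>_<id>."""
    lowered = upn.lower()
    return lowered.startswith("sync_") and lowered.endswith(".onmicrosoft.com")


def succeeded(rec):
    """errorCode 0 means the sign-in was granted."""
    return rec.get("status", {}).get("errorCode", 1) == 0


def detect_sync_account_misuse(records):
    """Rule 1: any interactive use, or use outside the Connect app, of a sync account.

    Failed attempts are reported too: a human trying the sync account's
    password is itself a strong signal the Connect server was compromised."""
    alerts = []
    for r in records:
        upn = r["userPrincipalName"]
        if not is_sync_account(upn):
            continue
        if r.get("isInteractive") or r.get("appDisplayName") not in SYNC_SERVICE_APPS:
            alerts.append({"rule": "sync_account_misuse", "user": upn,
                           "app": r.get("appDisplayName"), "ip": r.get("ipAddress"),
                           "success": succeeded(r)})
    return alerts


def detect_single_factor_signins(records, known_egress):
    """Rule 2: successful interactive single-factor sign-ins from unknown IPs.

    Sync accounts are excluded here because rule 1 already covers them."""
    alerts = []
    for r in records:
        upn = r["userPrincipalName"]
        if is_sync_account(upn):
            continue
        if not (succeeded(r) and r.get("isInteractive")):
            continue
        if r.get("authenticationRequirement") != "singleFactorAuthentication":
            continue
        if r.get("ipAddress") in known_egress:
            continue
        alerts.append({"rule": "single_factor_from_unknown_ip", "user": upn,
                       "app": r.get("appDisplayName"), "ip": r.get("ipAddress")})
    return alerts


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    # ASSUMPTION: 203.0.113.10 is the organisation's known egress address.
    for alert in detect_sync_account_misuse(recs) + detect_single_factor_signins(recs, {"203.0.113.10"}):
        print(alert)
```

On the constructed records this flags the sync account's interactive Azure Portal sign-in and the single-factor admin.svc sign-in from the unknown address, while the legitimate Connect traffic and the MFA-backed mailbox sign-in pass. The failed admin.svc attempt (errorCode 50126, bad password) is not an alert by itself but is the kind of record worth counting per account when looking for the brute-force stage described earlier.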
Embargo Ransomware and Double Extortion
The attacks culminate in the deployment of Embargo ransomware, a Rust-based variant first discovered in May 2024. Embargo is part of the RaaS model, allowing affiliates like Storm-0501 to use the platform for ransomware attacks in exchange for a share of the ransom. Storm-0501 uses double extortion tactics, where they encrypt a victim's files and threaten to leak sensitive stolen data unless a ransom is paid.
However, Microsoft has pointed out that Storm-0501 does not always resort to ransomware distribution. In some cases, the group chooses to maintain long-term backdoor access to the compromised network without deploying ransomware.
Broader Context and Other Threats
The disclosure of Storm-0501’s activities comes amidst a broader wave of cyberattacks from other threat actors. Notably, the DragonForce ransomware group has been targeting companies in the manufacturing, real estate, and transportation sectors using a variant of the leaked LockBit 3.0 builder and a modified version of Conti ransomware. These attacks also use tools like SystemBC for persistence, Mimikatz for credential harvesting, and Cobalt Strike for lateral movement.
The U.S. remains a primary target, accounting for more than 50% of ransomware victims, followed by the U.K. and Australia. DragonForce has adopted a similar double extortion model, encrypting data and threatening leaks unless ransoms are paid.
Conclusion
As ransomware attacks continue to grow in complexity, groups like Storm-0501 and DragonForce pose significant threats to industries across the U.S. and beyond. With their hybrid cloud tradecraft, these cybercriminals represent a growing challenge to organizations that rely on both on-premises and cloud environments. Patching internet-facing systems, limiting account privileges, protecting the Entra Connect server and its sync account, and enforcing multi-factor authentication for every identity that exists in both environments are critical to mitigating the risks these actors pose.