Storm-0501: Ransomware Threats Evolving in Hybrid Cloud Settings | Microsoft Security Blog

Storm-0501 has been observed conducting a multi-staged campaign against hybrid cloud environments that blends credential theft, lateral movement, data exfiltration, and ransomware deployment. Active since 2021, the financially motivated group has moved into ransomware operations built on open-source and commodity tools, including Embargo ransomware delivered under a ransomware-as-a-service model.

Key points

  • Storm-0501 is a financially motivated cybercrime group active since 2021.
  • Targets span multiple sectors in the U.S., including government and healthcare.
  • Gains initial access by exploiting public-facing vulnerabilities and weak credentials.
  • Uses Impacket SecretsDump for credential access and Cobalt Strike for lateral movement.
  • Exfiltrates data with renamed Rclone binaries to cloud storage, in multi-threaded transfers.
  • Deploys Embargo ransomware under a ransomware-as-a-service model, sometimes as backdoor-only.
  • Pivots from on-premises to the cloud (Microsoft Entra ID) via Entra Connect Sync accounts, enabling cloud persistence and MFA-related abuse; Microsoft provides mitigation guidance.

MITRE Techniques

  • [T1003] Credential Dumping – Extracted credentials over the network using Impacket’s SecretsDump module. [‘Utilized Impacket’s SecretsDump module to extract credentials over the network.’]
  • [T1021] Lateral Movement – Used Cobalt Strike to move laterally across the network with compromised credentials. [‘Leveraged Cobalt Strike to move laterally across the network using the compromised credentials.’]
  • [T1041] Data Exfiltration – Exfiltrated data to cloud storage using renamed Rclone binaries. [‘Used Rclone to exfiltrate data, renaming the binary to evade detection.’]
  • [T1021.001] Remote Services – Deployed remote monitoring and management (RMM) tools (AnyDesk, NinjaOne) for persistence. [‘Used remote monitoring and management tools like AnyDesk and NinjaOne for persistence.’]
  • [T1486] Ransomware – Deployed Embargo ransomware to encrypt files and extort victims. [‘Deployed Embargo ransomware to encrypt files and extort victims.’]

Indicators of Compromise

  • [File name] Embargo ransomware components – PostalScanImporter.exe, win.exe, and 2 more
  • [SHA-256] Embargo ransomware hashes – efb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8d, a9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40

Read more: https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/