Storm-0501 Expands Ransomware Reach by Targeting Cloud Infrastructure

Threat Group: Storm-0501
Threat Type: Ransomware
Exploited Vulnerabilities: Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), ColdFusion (CVE-2023-29300)
Malware Used: Embargo Ransomware
Threat Score: High (8.5/10) — Due to significant lateral movement across hybrid cloud environments, strong persistence mechanisms, and critical data exfiltration.
Last Threat Observation: September 2024 by Microsoft Threat Intelligence

Overview

Storm-0501 is a highly adaptable and financially motivated ransomware group, active since 2021. Initially associated with older ransomware variants like Sabbath and LockBit, the group has evolved to specialize in attacking hybrid cloud environments, where organizations’ infrastructures straddle both on-premises and cloud-based systems. This evolution represents a strategic shift as more companies embrace cloud technologies, making them vulnerable to attacks that leverage both traditional on-premise exploits and cloud vulnerabilities.

Targeting the Hybrid Cloud

Storm-0501 has notably increased its focus on hybrid cloud setups, exploiting weak credentials and vulnerabilities that bridge on-premise and cloud-based systems. By exploiting Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and ColdFusion vulnerabilities (CVE-2023-29300), the group can infiltrate organizations at multiple levels. Once inside, they move laterally within the network, harvesting credentials and using tools like Impacket and Cobalt Strike to achieve deeper control over both local networks and cloud infrastructures.

Once they have gained sufficient access, Storm-0501 frequently deploys Embargo, a Rust-based ransomware offered under a Ransomware-as-a-Service (RaaS) model. Under that model affiliates deploy the ransomware in exchange for a share of the ransom, which broadens the distribution of attacks. Embargo, which has emerged as one of the group's main tools, relies on double extortion: victims' data is not only encrypted but also threatened with public exposure if the ransom is not paid.

Attack Flow and Persistence

Storm-0501's attack flow is both sophisticated and persistent. After gaining access, they prioritize stealing credentials and sensitive data, often using Rclone binaries masquerading as legitimate Windows files to exfiltrate data to external cloud services like MegaSync. Their use of stolen Microsoft Entra ID (formerly Azure AD) credentials allows them to pivot from on-prem environments to cloud systems, where they establish persistent backdoor access by creating new federated domains. This allows the group to authenticate as any user within the compromised system, greatly complicating detection and removal.

The attack often culminates with the deployment of Embargo ransomware, but in some cases, Storm-0501 refrains from triggering the ransomware, opting instead to leave backdoors in place for later use. This strategic choice enables them to maintain long-term access and control over compromised networks, making it easier to re-engage victims at a future time.

Notable Attacks

Storm-0501 has targeted critical sectors in the U.S., including government, manufacturing, law enforcement, and transportation. Recent high-profile attacks include breaches of the American Radio Relay League (ARRL), which saw over $1 million paid in ransom for decryption keys, and the Firstmac Limited breach, where 500GB of sensitive data was exfiltrated and threatened to be leaked. These attacks have underscored the urgent need for organizations to secure both their on-prem and cloud infrastructures.

Key Details

  • Initial Access: Stolen credentials, remote code execution vulnerabilities (Zoho ManageEngine, Citrix NetScaler).
  • Target Sectors: U.S. government, law enforcement, manufacturing, transportation.
  • Techniques:
    • Use of Cobalt Strike for lateral movement.
    • Data exfiltration through Rclone, disguised as system processes.
    • Persistent cloud backdoors via federated domain creation.

Known Indicators of Compromise (IoCs)

File Hashes (SHA256):

Mitigation and Prevention

  1. User Awareness: Implement rigorous staff training to detect phishing attacks.
  2. Email Filtering: Ensure email systems employ advanced filtering technologies to block malicious attachments.
  3. Antivirus Protection: Keep antivirus solutions up-to-date with capabilities to detect the latest ransomware strains.
  4. Multi-Factor Authentication (MFA): Enforce MFA across all admin and cloud accounts to mitigate credential theft.
  5. Regular Patching: Continuously patch known vulnerabilities, particularly in public-facing services, to reduce attack surfaces.
  6. Log Monitoring: Proactively monitor both on-prem and cloud-based logs for suspicious activity or unauthorized access attempts.
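The federated-domain backdoor described under "Attack Flow and Persistence" leaves a trace in the Entra ID audit log, which is the concrete form the "Log Monitoring" item above takes for this group. The following is an added example (not code from the original post or from Microsoft) that reviews exported directory audit records for domain federation changes and escalates any made by an unapproved actor or against a domain that was never meant to be federated. The operation names are assumed to match the activityDisplayName values that Microsoft Graph directoryAudits records carry, and the sample records are constructed.

```python
import json

# Entra ID audit operations that change how a domain authenticates. The names are
# assumed to match the activityDisplayName values of Graph directoryAudits records.
FEDERATION_OPERATIONS = {"Set federation settings on domain.", "Set domain authentication."}

# Constructed sample records in Microsoft Graph directoryAudits shape, not tenant data.
SAMPLE_AUDIT_LOG = json.loads("""[
 {"activityDateTime": "2024-09-10T02:14:07Z", "result": "success",
  "activityDisplayName": "Set federation settings on domain.",
  "initiatedBy": {"user": {"userPrincipalName": "svc-sync@corp.example"}},
  "targetResources": [{"displayName": "corp.example"}]},
 {"activityDateTime": "2024-09-10T02:15:30Z", "result": "success",
  "activityDisplayName": "Set domain authentication.",
  "initiatedBy": {"user": {"userPrincipalName": "idadmin@corp.example"}},
  "targetResources": [{"displayName": "attacker-owned.example"}]},
 {"activityDateTime": "2024-09-10T09:00:00Z", "result": "success",
  "activityDisplayName": "Update user.",
  "initiatedBy": {"user": {"userPrincipalName": "idadmin@corp.example"}},
  "targetResources": [{"displayName": "jdoe@corp.example"}]},
 {"activityDateTime": "2024-09-11T14:00:00Z", "result": "success",
  "activityDisplayName": "Set federation settings on domain.",
  "initiatedBy": {"user": {"userPrincipalName": "idadmin@corp.example"}},
  "targetResources": [{"displayName": "corp.example"}]}
]""")

def audit_federation_changes(records, expected_domains, approved_admins):
    """Report every federation/domain-authentication change (rare; always review),
    escalating to 'high' when the actor or the target domain is not on the allowlists."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in FEDERATION_OPERATIONS:
            continue  # unrelated directory operation
        user = (rec.get("initiatedBy") or {}).get("user") or {}
        actor = user.get("userPrincipalName", "<unknown>")
        targets = rec.get("targetResources") or [{}]
        domain = targets[0].get("displayName", "<unknown>")
        reasons = []
        if actor not in approved_admins:
            reasons.append("actor not an approved identity admin")
        if domain not in expected_domains:
            reasons.append("domain not in expected federation inventory")
        findings.append({
            "time": rec.get("activityDateTime"), "actor": actor, "domain": domain,
            "operation": rec["activityDisplayName"], "result": rec.get("result"),
            "severity": "high" if reasons else "review", "reasons": reasons})
    return findings
```

Failed attempts are reported too, since a denied federation change is as worth investigating as a successful one.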

Conclusion

The Storm-0501 group presents a grave and evolving threat to organizations worldwide, particularly those operating hybrid cloud environments. Their sophisticated approach, exploiting weak credentials and unpatched systems, allows them to infiltrate networks, steal sensitive data, and deploy destructive ransomware. As cloud adoption accelerates, organizations must strengthen both their on-premises and cloud defenses by adopting multi-factor authentication, patching known vulnerabilities, and constantly monitoring for suspicious activity. With attacks becoming increasingly devastating, prompt and effective action is essential to mitigate future threats from Storm-0501.

Podcast Discussion

Audio episode: Storm 0501 Expands Ransomware Reach by Targeting Cloud Infrastructure (10:15)

Sources:

  1. Microsoft Security Blog - Storm-0501 Ransomware Attacks Expanding to Hybrid Cloud Environments
  2. SecurityWeek - Microsoft: Cloud Environments of US Organizations Targeted in Ransomware Attacks
  3. The Hacker News - Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks