Microsoft has reported that the hacking group Storm-0501 has moved away from traditional ransomware and is now attacking directly in the cloud. Instead of locking individual computers, the group uses cloud tools themselves to steal data, erase backups, and encrypt storage. This makes recovery far harder and raises the pressure on victims to pay.

The change is dangerous because attackers no longer need to deploy malware files. They simply abuse the features already present in cloud platforms like Azure. By controlling admin accounts and using built-in services, they can copy huge datasets, delete recovery options, and even re-encrypt files with their own keys.

The attack usually begins with stolen passwords or vulnerabilities in internet-facing servers. From that entry point, Storm-0501 spreads inside the company’s network. Using tools such as Evil-WinRM and techniques such as DCSync, they gather domain admin credentials. These accounts then give them the ability to access connected cloud systems.

With access to Entra Connect synchronization accounts, the group pivots into the cloud. They use tools such as AzureHound to map out roles and spot weak accounts. If they find a Global Administrator without multi-factor authentication, they reset its password and attach their own MFA method.

To ensure long-term access, Storm-0501 sometimes sets up a malicious federated domain. This trick allows them to impersonate users and generate valid tokens, bypassing normal login checks. By the time defenders investigate, attackers often have deep control of the cloud environment.

Once control is gained, the group begins extracting data from storage accounts. They use tools like AzCopy to download large volumes of information. At the same time, they try to delete backups and snapshots. When deletion is blocked, they create new encryption keys in Azure Key Vault to lock files away.
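The steps above (a Global Administrator password reset followed by a newly attached MFA method, a federation change, a new Key Vault key, and backup or snapshot deletions) each leave a trace in Entra ID audit logs or the Azure Activity log. The following is an added example, not code from Microsoft's report, that correlates constructed sample events into alerts. The event field names and activity strings are assumptions modeled on the general shape of those logs, not a guarantee of any tenant's exact export schema.

```python
"""Correlate constructed Entra ID audit and Azure Activity events into alerts.

Every event below is constructed for this example. The field names and the
activity strings are assumptions modeled on the general shape of Entra ID
audit logs and Azure Activity logs, not a guarantee of a tenant's exact export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PASSWORD_RESET = "Reset user password"
MFA_REGISTERED = "User registered security info"
RESET_TO_MFA_WINDOW = timedelta(minutes=30)

# Single high-impact operations worth an alert on their own, keyed by the
# (assumed) activity string and mapped to a short description.
HIGH_IMPACT_ACTIVITIES = {
    "Set federation settings on domain": "federation settings changed on a domain",
    "Microsoft.KeyVault/vaults/keys/write": "new or replaced Key Vault key",
    "Microsoft.Compute/snapshots/delete": "disk snapshot deleted",
    "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete":
        "backup item deleted from Recovery Services vault",
}

# Constructed sample events: one takeover of a Global Administrator (password
# reset followed by a new MFA method within minutes), one federation change,
# one Key Vault key write, one snapshot deletion, and one benign helpdesk reset
# that is never followed by a security-info registration.
SAMPLE_EVENTS = [
    {"time": "2025-08-27T09:00:00", "source": "entra_audit", "activity": PASSWORD_RESET,
     "actor": "helpdesk@contoso.example", "target": "alice@contoso.example"},
    {"time": "2025-08-27T10:00:00", "source": "entra_audit", "activity": PASSWORD_RESET,
     "actor": "sync_svc@contoso.example", "target": "ga-admin@contoso.example"},
    {"time": "2025-08-27T10:04:00", "source": "entra_audit", "activity": MFA_REGISTERED,
     "actor": "ga-admin@contoso.example", "target": "ga-admin@contoso.example"},
    {"time": "2025-08-27T10:20:00", "source": "entra_audit",
     "activity": "Set federation settings on domain",
     "actor": "ga-admin@contoso.example", "target": "attacker-owned.example"},
    {"time": "2025-08-27T11:05:00", "source": "azure_activity",
     "activity": "Microsoft.KeyVault/vaults/keys/write",
     "actor": "ga-admin@contoso.example", "target": "prod-kv/keys/rw-key"},
    {"time": "2025-08-27T11:10:00", "source": "azure_activity",
     "activity": "Microsoft.Compute/snapshots/delete",
     "actor": "ga-admin@contoso.example", "target": "db-nightly-snapshot"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_reset_then_mfa(events, window=RESET_TO_MFA_WINDOW):
    """Flag accounts whose password was reset and that then registered new
    security info (an MFA method) within `window`: the takeover pattern in the
    text, where the attacker resets a Global Admin and attaches their own MFA."""
    by_target = defaultdict(list)
    for event in sorted(events, key=_ts):
        if event["source"] == "entra_audit":
            by_target[event["target"]].append(event)
    alerts = []
    for target, evs in by_target.items():
        for i, reset in enumerate(evs):
            if reset["activity"] != PASSWORD_RESET:
                continue
            for later in evs[i + 1:]:
                if later["activity"] == MFA_REGISTERED and _ts(later) - _ts(reset) <= window:
                    alerts.append({"rule": "reset_then_mfa", "target": target,
                                   "reset_by": reset["actor"], "time": later["time"]})
                    break
    return alerts


def detect_high_impact(events):
    """Flag single operations matching the persistence and destruction steps."""
    return [{"rule": "high_impact", "target": e["target"], "actor": e["actor"],
             "detail": HIGH_IMPACT_ACTIVITIES[e["activity"]], "time": e["time"]}
            for e in sorted(events, key=_ts) if e["activity"] in HIGH_IMPACT_ACTIVITIES]


def run(events):
    """Run both rules and return the combined alert list, sequence alerts first."""
    return detect_reset_then_mfa(events) + detect_high_impact(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The reset-then-MFA rule deliberately keys on the target account rather than the actor, because after the reset the attacker signs in as the victim and the registration is attributed to that account; the benign helpdesk reset of `alice@contoso.example` produces no alert because no security-info registration follows it inside the window.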

Victims are then contacted directly by the attackers. Microsoft found that Storm-0501 has even used compromised Microsoft Teams accounts to deliver ransom notes. By speaking through a trusted internal channel, they increase pressure and make the demand harder to ignore.

The targeting is broad and opportunistic. Education, healthcare, and enterprises with multiple subsidiaries have already been affected. What makes them vulnerable is often inconsistent security, such as some tenants lacking Defender coverage or uneven use of MFA across domains.

Microsoft has issued detailed guidance to defend against this new tactic. The company has restricted permissions on synchronization accounts and updated Entra Connect to support modern authentication. It urges organizations to enforce MFA, limit privileged accounts, secure sync servers with hardware protection, and lock backups or make them immutable.
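The guidance in this paragraph can be turned into a repeatable posture check. The following is an added example, not Microsoft's tooling, that evaluates a constructed snapshot of a hybrid tenant against the points above: privileged accounts without MFA, a synchronization account holding roles beyond its own, Key Vaults without purge protection, backup vaults that are not locked immutable, and federated domains that were never approved. The `TENANT` structure and its keys are assumptions for illustration; a real assessment would populate them from Entra ID and Azure Resource Manager.

```python
"""Assess a constructed hybrid-tenant snapshot against the hardening points above.

The TENANT structure and its keys are assumptions for illustration; a real
assessment would fill them from Entra ID (role assignments, registered
authentication methods, domain federation) and Azure Resource Manager
(Key Vault and Recovery Services vault properties).
"""

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
SYNC_ROLE = "Directory Synchronization Accounts"

# Constructed sample tenant with several of the gaps the text describes.
TENANT = {
    "users": [
        {"upn": "ga1@contoso.example", "roles": ["Global Administrator"], "mfa_registered": True},
        {"upn": "ga2@contoso.example", "roles": ["Global Administrator"], "mfa_registered": False},
        {"upn": "sync_svc@contoso.example", "roles": [SYNC_ROLE, "Global Administrator"],
         "mfa_registered": False},
    ],
    "key_vaults": [
        {"name": "prod-kv", "soft_delete": True, "purge_protection": False},
    ],
    # "immutability" mirrors the three states of an immutable backup vault:
    # "disabled", "enabled" (still reversible) and "locked" (irreversible).
    "backup_vaults": [
        {"name": "rsv-prod", "soft_delete": True, "immutability": "locked"},
        {"name": "rsv-lab", "soft_delete": False, "immutability": "disabled"},
    ],
    "federated_domains": ["contoso.example", "attacker-owned.example"],
    "approved_federated_domains": ["contoso.example"],
}


def assess(tenant):
    """Return (check, subject) findings; an empty list means every check passed."""
    findings = []
    for user in tenant["users"]:
        # Every privileged account must have an MFA method registered.
        if PRIVILEGED_ROLES.intersection(user["roles"]) and not user["mfa_registered"]:
            findings.append(("privileged_account_without_mfa", user["upn"]))
        # The sync account should hold only its synchronization role.
        if SYNC_ROLE in user["roles"] and len(user["roles"]) > 1:
            findings.append(("sync_account_holds_extra_roles", user["upn"]))
    for kv in tenant["key_vaults"]:
        # Soft delete plus purge protection keeps deleted keys recoverable.
        if not (kv["soft_delete"] and kv["purge_protection"]):
            findings.append(("key_vault_not_purge_protected", kv["name"]))
    for vault in tenant["backup_vaults"]:
        if not vault["soft_delete"]:
            findings.append(("backup_soft_delete_off", vault["name"]))
        # Only the locked state cannot be undone by a compromised administrator.
        if vault["immutability"] != "locked":
            findings.append(("backup_vault_not_locked_immutable", vault["name"]))
    approved = set(tenant["approved_federated_domains"])
    for domain in tenant["federated_domains"]:
        if domain not in approved:
            findings.append(("unapproved_federated_domain", domain))
    return findings


if __name__ == "__main__":
    for check, subject in assess(TENANT):
        print(f"{check}: {subject}")
```

Treating only the locked immutability state as passing reflects the point of the guidance: a setting that an administrator can switch back off offers no protection once that administrator's account is the one being abused.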

Storm-0501’s move into cloud-based ransomware shows how attackers evolve alongside technology. As more organizations depend on the cloud, criminals are exploiting identity gaps and admin weaknesses. The lesson is clear: protecting hybrid environments requires strong identity controls, consistent monitoring, and secure backups that cannot be tampered with.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news