Ransomware, Cloud Security, Threat Intelligence

Cloud-based ransomware intrusions launched by Storm-0501


BleepingComputer reports that the threat operation Storm-0501 has fully adopted cloud-based ransomware tactics after formerly engaging in hybrid attacks. More recent Storm-0501 intrusions involved the exploitation of Microsoft Defender vulnerabilities to breach several Active Directory domains and Entra tenants, according to an analysis from Microsoft Threat Intelligence. Pilfered Directory Synchronization Accounts were then tapped to facilitate enumeration, and a misconfigured Global Administrator account was used to achieve a total admin takeover. After bolstering persistence via illicit federated domains, Storm-0501 proceeded to hijack the targeted Azure environment for data exfiltration, backup destruction, and subsequent extortion. "Unlike traditional on-premises ransomware, where the threat actor typically deploys malware to encrypt critical files across endpoints within the compromised network and then negotiates for a decryption key, cloud-based ransomware introduces a fundamental shift. Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom, all without relying on traditional malware deployment," said the report.
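The two persistence steps named above (a domain switched to federated authentication, then a Global Administrator assignment) both land in a tenant's directory audit log. The following is an added example, not code from SC Media, BleepingComputer or Microsoft; it assumes the log was exported in the Microsoft Graph directoryAudit shape (activityDisplayName, initiatedBy, targetResources, modifiedProperties) and runs over a constructed sample.

```python
import json
from datetime import datetime

# Constructed sample shaped like Microsoft Graph directoryAudit records (field names
# are my assumption about that schema; every value below is made up for this example).
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2025-08-20T09:12:00+00:00", "activityDisplayName": "Set domain authentication",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "sync_svc@example.com"}},
     "targetResources": [{"displayName": "example.com", "modifiedProperties": [
         {"displayName": "AuthenticationType", "oldValue": "\"Managed\"", "newValue": "\"Federated\""}]}]},
    {"activityDateTime": "2025-08-20T09:30:00+00:00", "activityDisplayName": "Add member to role",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "sync_svc@example.com"}},
     "targetResources": [{"displayName": "persist@example.com", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "oldValue": None, "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2025-08-20T10:00:00+00:00", "activityDisplayName": "Update user",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"displayName": "alice@example.com", "modifiedProperties": []}]},
])

def _new_value(record, prop):
    """Return the quote-stripped newValue of the named modifiedProperty, or None."""
    props = (p for res in record.get("targetResources", []) for p in res.get("modifiedProperties", []))
    match = next((p for p in props if p.get("displayName") == prop and p.get("newValue")), None)
    return str(match["newValue"]).strip('"') if match else None

def find_persistence_events(log_json):
    """Flag domains switched to federated auth and new Global Administrator assignments."""
    findings = []
    for rec in json.loads(log_json):
        if rec.get("result") != "success":
            continue
        who = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        target = rec["targetResources"][0]["displayName"] if rec.get("targetResources") else "?"
        when = datetime.fromisoformat(rec["activityDateTime"])
        op = rec.get("activityDisplayName")
        if op == "Set domain authentication" and _new_value(rec, "AuthenticationType") == "Federated":
            findings.append({"who": who, "what": "domain_federated", "target": target, "when": when})
        elif op == "Add member to role" and _new_value(rec, "Role.DisplayName") == "Global Administrator":
            findings.append({"who": who, "what": "global_admin_added", "target": target, "when": when})
    return findings

def chained_by_same_actor(findings, window_hours=24):
    """True when one identity performed both steps within the window (higher-confidence alert)."""
    for who in {f["who"] for f in findings}:
        mine = [f for f in findings if f["who"] == who]
        if {"domain_federated", "global_admin_added"} <= {f["what"] for f in mine}:
            span = max(f["when"] for f in mine) - min(f["when"] for f in mine)
            if span.total_seconds() <= window_hours * 3600:
                return True
    return False
```

A synchronization service account initiating either change is itself unusual and worth a separate alert; the chained check only raises confidence.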
