Microsoft warns of Storm-0501 threat in hybrid cloud ransomware attacks

SeniorTechInfo

Ransomware attacks have been on the rise, with the threat actor Storm-0501 targeting various sectors in the U.S., including government, manufacturing, transportation, and law enforcement. This multi-stage attack campaign aims to compromise hybrid cloud environments, leading to data exfiltration, credential theft, and ransomware deployment, among other malicious activities.

According to Microsoft’s threat intelligence team, Storm-0501 is a financially motivated cybercriminal group that utilizes commodity and open-source tools to carry out ransomware operations. The group has a history of targeting education entities before evolving into a ransomware-as-a-service (RaaS) affiliate, delivering various ransomware payloads over the years.

One notable aspect of Storm-0501’s attacks is the use of weak credentials and over-privileged accounts to move laterally within organizations’ on-premises and cloud environments. The threat actor leverages multiple initial access methods, including access brokers and exploiting known vulnerabilities in internet-facing servers.

Microsoft observed Storm-0501 using Cobalt Strike to move laterally across networks and exfiltrating data to the cloud environment. The group also creates persistent backdoor access and deploys ransomware in on-premises environments, targeting hybrid cloud setups.

As the attacks escalate, Storm-0501 takes advantage of compromised credentials to establish persistent access, transfer data to public cloud storage services, and deploy ransomware across victim organizations. The group’s use of Embargo ransomware, a Rust-based malware, represents the latest threat to hybrid cloud environments.

Operating under the RaaS model, the affiliates behind Embargo employ double extortion tactics, demanding ransom payments both to decrypt files and to withhold stolen data from publication. The group has been actively targeting the manufacturing, real estate, and transportation sectors, with the U.S. being the primary victim.
