Storm-0501 Shifts From On-Premises Ransomware to Cloud-Based Extortion

Microsoft warns Storm-0501 now focuses on cloud-native extortion: exfiltrating data, destroying backups, and encrypting cloud storage rather than encrypting on-premises endpoints.

    Summary of Microsoft Warning and Storm-0501’s Operational Shift

    Microsoft Threat Intelligence reports that the threat actor tracked as Storm-0501 has altered its playbook. Previously known for on-premises ransomware campaigns (including Sabbath and use of RaaS encryptors from Hive, BlackCat/ALPHV, Hunters International, LockBit, and Embargo), Storm-0501 now prioritizes cloud-focused operations. The actor uses cloud-native features to steal data, delete or corrupt backups, and encrypt cloud storage to pressure victims into paying ransoms — all without deploying traditional endpoint encryptors.

    How Storm-0501 Gains Initial Cloud Access and Administrative Control

    Microsoft observed Storm-0501 exploiting gaps in Microsoft Defender coverage and other security misconfigurations to compromise Active Directory domains and Entra ID tenants. The adversary reportedly used stolen Directory Synchronization Accounts (DSAs) and tooling such as AzureHound to enumerate users, roles, and Azure resources. In multiple incidents, the actors discovered Global Administrator accounts that were not protected with multifactor authentication (MFA), allowing password resets and full administrative takeover.
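The unprotected Global Administrator accounts described above are the kind of gap a defender can enumerate before an intruder does. The following is an added example, not code from the Microsoft report: it takes two inputs shaped like simplified Microsoft Graph results (role display name to member UPNs, and UPN to registered authentication method types; both samples are constructed) and lists privileged role holders with no second factor registered.

```python
"""Identity-hygiene check: list holders of privileged Entra roles who have no
second factor registered.

Added example, not code from the Microsoft report. Inputs mimic two Microsoft
Graph results in simplified form (role display name -> member UPNs, and
UPN -> registered authentication method types); both samples are constructed.
"""
from dataclasses import dataclass

# Graph authenticationMethod OData types that provide a second factor.
# Password and e-mail (self-service reset) methods are deliberately excluded.
STRONG_METHODS = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",  # SMS/voice: weak, but a second factor
}

# The report singles out Global Administrator; the other two roles can reach it.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
}


@dataclass(frozen=True)
class Finding:
    upn: str
    role: str
    methods: tuple  # what the account does have registered


def find_unprotected_admins(role_members, auth_methods):
    """Return Finding objects for privileged members lacking any strong method."""
    findings = []
    for role, members in role_members.items():
        if role not in PRIVILEGED_ROLES:
            continue
        for upn in members:
            registered = set(auth_methods.get(upn, []))
            if not registered & STRONG_METHODS:
                findings.append(Finding(upn, role, tuple(sorted(registered))))
    return sorted(findings, key=lambda f: (f.role, f.upn))


def mfa_coverage(role_members, auth_methods):
    """Return {role: (protected_count, total_count)} for privileged roles."""
    unprotected = {(f.role, f.upn) for f in find_unprotected_admins(role_members, auth_methods)}
    return {
        role: (sum((role, u) not in unprotected for u in members), len(members))
        for role, members in role_members.items()
        if role in PRIVILEGED_ROLES
    }


# Constructed sample data.
ROLE_MEMBERS = {
    "Global Administrator": ["alice@contoso.example", "bob@contoso.example", "carol@contoso.example"],
    "User Administrator": ["dave@contoso.example"],
}
AUTH_METHODS = {
    "alice@contoso.example": ["#microsoft.graph.passwordAuthenticationMethod",
                              "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"],
    "bob@contoso.example": ["#microsoft.graph.passwordAuthenticationMethod"],
    "carol@contoso.example": ["#microsoft.graph.passwordAuthenticationMethod",
                              "#microsoft.graph.emailAuthenticationMethod"],
    "dave@contoso.example": ["#microsoft.graph.passwordAuthenticationMethod"],
}

if __name__ == "__main__":
    for f in find_unprotected_admins(ROLE_MEMBERS, AUTH_METHODS):
        print(f"{f.role}: {f.upn} has only {', '.join(f.methods) or 'nothing'} registered")
    print(mfa_coverage(ROLE_MEMBERS, AUTH_METHODS))
```

In a live tenant the two inputs come from the directory role membership and authentication-methods endpoints; the e-mail method is excluded on purpose because it only serves self-service password reset, so an account with password plus e-mail is still reported as unprotected.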

    Once access was obtained, Storm-0501 abused a privileged API action — Microsoft.Authorization/elevateAccess/action — to assign Owner roles and escalate privileges across Azure subscriptions. With those rights, attackers disabled defenses, modified service configurations, and moved to destructive operations inside cloud tenants.

    Techniques Used to Escalate Privileges

    After obtaining privileged access, the group established persistence and expanded impersonation capabilities by adding malicious federated domains under their control. This allowed the actor to impersonate legitimate users and bypass MFA protections within the tenant. With Owner-level control, Storm-0501 could configure key resources, manage Key Vaults, and set or alter customer-managed keys — all actions that directly influence recovery and data availability.

    Microsoft’s report emphasizes that the actor’s cloud-native persistence and impersonation techniques reduce reliance on malware deployed to endpoints and increase the speed and scale at which the threat actor can operate.

    Cloud Data Theft, Backup Destruction, and Cloud-Based Encryption Methods

    Storm-0501’s new approach focuses on three complementary pressures:

    • Large-Scale Data Exfiltration: Attackers copy sensitive data from Azure Storage accounts and other repositories to external locations under their control.
    • Backup and Snapshot Deletion: The group attempts to delete storage snapshots, restore points, Recovery Services vaults, and entire storage accounts to eliminate native recovery options.
    • Cloud-Based Encryption: When deletion is not possible, Storm-0501 may create new Key Vaults and customer-managed keys to re-encrypt or lock data, effectively rendering it inaccessible without the attacker-provided keys.

    These techniques reproduce the effect of on-premises encryption but operate entirely within the cloud control plane, reducing the need for endpoint malware and complicating incident response.

    Extortion Phase and Use of Compromised Collaboration Accounts

    After exfiltrating or denying access to data, Storm-0501 moves to extortion. Microsoft documented instances where attackers used compromised Microsoft Teams accounts to contact victims and deliver ransom demands directly through the organization’s collaboration channels. This method leverages valid, internal accounts to increase the credibility and urgency of extortion messages.

    Microsoft Detection Guidance and Provided Artefacts

    Microsoft’s reporting includes protection advice, Microsoft Defender XDR detections, and hunting queries aimed at detecting the specific techniques employed by Storm-0501. Those artefacts help defenders search for indicators such as unusual Directory Synchronization activity, unauthorized role assignments, creation of federated domains, abnormal Key Vault or customer-managed key operations, and attempts to delete Recovery Services resources.

    The report underscores the need to review identity hygiene (particularly MFA on Global Administrator accounts), ensure Defender components are deployed correctly, and hunt for the behaviors and artifacts Microsoft has outlined.
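The indicators listed above can be hunted in exported Azure Activity Log and Entra audit records. The block below is an added example and is not Microsoft's published Defender XDR detections or hunting queries: it walks a constructed, simplified export (not the native log schema), chains elevateAccess to a subsequent Owner assignment by the same caller, flags federation changes and Key Vault writes, and reports a burst of recovery-resource deletions. The Entra activity names and the Key Vault key operation name are assumptions to confirm against your own tenant's logs.

```python
"""Hunt Azure control-plane and Entra audit records for the Storm-0501 style
behaviours listed above: elevateAccess followed by Owner assignment, federation
changes, Key Vault writes and bursts of recovery-resource deletion.

Added example, not Microsoft's published Defender XDR queries. Records are a
simplified, constructed export shape, not the native log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Owner role definition id (the same in every Azure tenant).
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

ELEVATE = "Microsoft.Authorization/elevateAccess/action"
ROLE_ASSIGN = "Microsoft.Authorization/roleAssignments/write"
RECOVERY_DELETES = {
    "Microsoft.RecoveryServices/vaults/delete",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/restorePointCollections/delete",
    "Microsoft.Storage/storageAccounts/delete",
}
# ARM operation names for vault and key writes; the key operation name is an
# assumption, verify it against your own Activity Log before relying on it.
KEYVAULT_WRITES = {"Microsoft.KeyVault/vaults/write", "Microsoft.KeyVault/vaults/keys/write"}
# Entra audit activity names for federation changes (assumed; confirm in tenant).
FEDERATION_ACTIVITIES = {"Set domain authentication", "Set federation settings on domain"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def hunt(events, window=timedelta(hours=1), delete_threshold=3):
    """Return (severity, caller, rule, time) findings, ordered by time."""
    findings = []
    last_elevate = {}               # caller -> time of most recent elevateAccess
    deletes = defaultdict(list)     # caller -> times of recovery-resource deletes
    for e in sorted(events, key=_ts):
        caller, t = e["caller"], _ts(e)
        if e["source"] == "activity":
            op = e["operationName"]
            if op == ELEVATE:
                last_elevate[caller] = t
                findings.append(("high", caller, "elevate-access", t))
            elif op == ROLE_ASSIGN:
                role = e.get("properties", {}).get("roleDefinitionId", "")
                if role.endswith(OWNER_ROLE_ID):
                    # Owner assignment shortly after elevateAccess is the escalation chain in the report.
                    chained = caller in last_elevate and t - last_elevate[caller] <= window
                    findings.append(("critical" if chained else "medium", caller, "owner-assignment", t))
            elif op in RECOVERY_DELETES:
                deletes[caller].append(t)
                recent = [d for d in deletes[caller] if t - d <= window]
                if len(recent) == delete_threshold:   # fire once per burst
                    findings.append(("high", caller, "recovery-delete-burst", t))
            elif op in KEYVAULT_WRITES:
                findings.append(("medium", caller, "keyvault-write", t))
        elif e["source"] == "entra" and e["activity"] in FEDERATION_ACTIVITIES:
            findings.append(("critical", caller, "federation-change", t))
    return findings


SAMPLE_EVENTS = [  # constructed sample records
    {"source": "activity", "time": "2025-01-10T09:00:00", "caller": "intruder@contoso.example", "operationName": ELEVATE},
    {"source": "activity", "time": "2025-01-10T09:05:00", "caller": "intruder@contoso.example", "operationName": ROLE_ASSIGN,
     "properties": {"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/" + OWNER_ROLE_ID}},
    {"source": "entra", "time": "2025-01-10T09:20:00", "caller": "intruder@contoso.example", "activity": "Set domain authentication"},
    {"source": "activity", "time": "2025-01-10T09:30:00", "caller": "intruder@contoso.example", "operationName": "Microsoft.KeyVault/vaults/write"},
    {"source": "activity", "time": "2025-01-10T09:40:00", "caller": "intruder@contoso.example", "operationName": "Microsoft.RecoveryServices/vaults/delete"},
    {"source": "activity", "time": "2025-01-10T09:41:00", "caller": "intruder@contoso.example", "operationName": "Microsoft.Compute/snapshots/delete"},
    {"source": "activity", "time": "2025-01-10T09:42:00", "caller": "intruder@contoso.example", "operationName": "Microsoft.Storage/storageAccounts/delete"},
    # Routine administration that should not fire: a Reader assignment and a single snapshot cleanup.
    {"source": "activity", "time": "2025-01-10T10:00:00", "caller": "ops@contoso.example", "operationName": ROLE_ASSIGN,
     "properties": {"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"}},
    {"source": "activity", "time": "2025-01-10T11:30:00", "caller": "ops@contoso.example", "operationName": "Microsoft.Compute/snapshots/delete"},
]

if __name__ == "__main__":
    for sev, who, rule, when in hunt(SAMPLE_EVENTS):
        print(f"{when.isoformat()} {sev:8} {rule:22} {who}")
```

The severity split matters in practice: a lone Owner assignment is routine administration and only worth a medium alert, while the same assignment within an hour of the caller's own elevateAccess call is the escalation chain the report describes and should page someone. The deletion rule deliberately ignores single deletes, so normal snapshot housekeeping does not drown out the burst pattern.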

    Broader Trend: Ransomware Actors Moving Toward Cloud-First Extortion

    Microsoft warns that as endpoint encryptors become more widely detected and blocked, other ransomware operators may follow Storm-0501’s lead and adopt cloud-first extortion models. Cloud-native attacks can be faster, more scalable, and sometimes harder to detect because they exploit legitimate control-plane operations and administrative privileges rather than relying on malicious binaries on endpoints.

    Observations from Microsoft’s Report

    Storm-0501’s shift to cloud-native tactics represents a substantive evolution in extortion tradecraft. By exfiltrating data, destroying backups, and using customer-managed keys to deny access, the actor can achieve the same operational leverage as traditional ransomware groups without deploying on-premises encryptors. Microsoft’s disclosure includes detection rules and hunting queries designed to help enterprise defenders find and disrupt these behaviors.

    MITRE ATT&CK Mapping for Storm-0501 Cloud-Focused Operations

    | Tactic (MITRE ATT&CK) | Likely Technique | ID | Notes on Applicability |
    |---|---|---|---|
    | Initial Access | Valid Accounts | T1078 | Use of compromised Directory Synchronization Accounts to access tenant resources. |
    | Discovery | Account Discovery | T1087 | Enumeration of users, roles, and resources using AzureHound and similar tooling. |
    | Privilege Escalation | Abuse Elevation Control Mechanism | T1548 | Abuse of Microsoft.Authorization/elevateAccess/action to assign Owner roles. |
    | Persistence | Create or Modify Cloud Accounts / Federated Identity | T1098 / T1098.003* | Addition of malicious federated domains to impersonate users and bypass MFA. |
    | Defense Evasion | Disable or Modify Security Tools | T1562.001 | Disabling Defender or altering telemetry and alerting to avoid detection. |
    | Collection | Data from Information Repositories | T1213 | Accessing Azure Storage and other repositories to collect sensitive files. |
    | Exfiltration | Exfiltration to Cloud Storage | T1567 | Copying data out of the tenant or to external cloud resources under attacker control. |
    | Impact | Data Encrypted for Impact; Inhibit System Recovery | T1486; T1490 | Creating customer-managed keys to lock data; deleting snapshots and recovery points. |
    | Command and Control / Impact | Use of Compromised Collaboration Accounts for Extortion | T1192 / T1531 | Leveraging Teams accounts to deliver extortion demands and coordinate extortion. |