
Is Azure Cloud Safe? How the Storm-0501 Ransomware Group Attacks and Demands Money

What Can We Learn from the Storm-0501 Ransomware Group’s Azure Cloud Attacks to Keep Data Safe?

A group of online attackers, known as Storm-0501, has found a new way to cause trouble for businesses. They are targeting the cloud, specifically Microsoft’s Azure cloud services. This is a big deal because many companies store their important information in the cloud. These attackers are not just locking up files; they are stealing data, deleting the originals, and destroying backups. After they have done all this, they demand money, which is called a ransom.


Microsoft has been watching this group and has warned everyone about their new methods. These attacks are a change from what we have seen before. Instead of putting a bad program on a computer to lock the files, this group uses the cloud’s own tools to do the damage. This makes their attacks fast and hard to stop if you are not prepared.

Who Is the Storm-0501 Group?

Storm-0501 is not a new group. They have been active since at least 2021. They are in this for the money. In the past, they have attacked different types of organizations. For example, in 2021, they went after school districts in the United States using a type of ransomware called “Sabbath”. They even leaked stolen data to scare people into paying.

Over the years, they have changed their tools and targets. In November 2023, they attacked the healthcare industry. They have used many different ransomware programs, working as an affiliate for larger ransomware services like Hive, BlackCat, and LockBit. In 2024, they were using a program called “Embargo”. This history shows they are experienced and keep changing their methods to find what works best. Their main goal has always been to get a payout, and they have become very good at it. Now, they have set their sights on the cloud.

A New Kind of Cloud Attack

What Storm-0501 is doing now is different from the ransomware attacks you might have heard about. Understanding this difference is key to protecting yourself.

Old Ransomware Attacks

In a typical attack, criminals would trick someone into downloading a bad program. This program would then spread across the company’s computers, find important files, and lock them with a secret code. The only way to get the code and unlock the files was to pay the criminals a ransom.

The New Cloud Attack

Storm-0501’s new method is much more direct and uses the cloud against itself. They do not need to rely on traditional malware programs anymore. Instead, they break into a company’s cloud account. Once inside, they use the powerful tools available in the cloud to quickly steal huge amounts of data. After the data is copied, they delete everything from the victim’s cloud storage, including all backups. Finally, they contact the company and demand a ransom, threatening to release the stolen information or just leave the company with nothing.

This change is important because it makes many old security methods less effective. It is no longer just about stopping a bad program from running on a computer. Now, it is about controlling who has access to your cloud and what they can do there.

How a Storm-0501 Attack Happens

Microsoft shared the details of a real attack on a large company, which helps us understand exactly how this group operates. The company they attacked was complex. It was made up of many smaller companies, each with its own computer systems but linked together. This complicated setup created security blind spots that the attackers used to their advantage.

Finding a Way In

The attackers first looked for a weak spot in the company’s local, on-premises network. They found a special server called an Entra Connect Sync server. This server’s job is to connect the company’s internal user accounts with their cloud accounts in Microsoft Entra ID (formerly Azure Active Directory). Crucially, this one server was not protected by the company’s security software. The attackers likely used this unprotected server as their main entry point to move around inside the network. They used special tools to get remote control of computers and to steal login information. One technique, called a DCSync attack, let them pretend to be a domain controller and request the password data for every user in the directory.

Getting More Power

With the stolen login details, the attackers tried to log into many powerful accounts. At first, they were blocked. Many of the important accounts were protected by something called multi-factor authentication (MFA). MFA is an extra layer of security that requires a code from a phone or another device, in addition to a password. Because the attackers did not have the employees’ phones, they could not get in.

But they kept trying. They found another Entra Connect server in a different part of the company. This time, they got lucky. They found a special account that was used by the system, not a person. This “non-human” account had the highest level of power—Global Administrator—in the cloud system. And most importantly, this powerful account did not have MFA turned on. This was the key they needed.

Taking Over the Cloud

Once they had control of this super-powerful account, they could move into the cloud. They first reset the account’s password. Then, they added their own MFA method to the account, so they could log in whenever they wanted. They used this account to get into the main control panel for the company’s Azure cloud.

From here, they gave themselves even more power. They made their stolen account a “User Access Administrator” and then an “Owner” of all the company’s cloud subscriptions. This meant they had complete control over everything the company stored in the cloud—all its data, applications, and backups.

To make sure they could not be kicked out, they created a permanent backdoor. They registered a domain they controlled as a “trusted” federated domain in the victim’s Entra tenant. This allowed them to create fake login tokens and pretend to be any user in the company, whenever they wanted, even if the original stolen account was discovered and disabled.

Stealing and Destroying Data

With total control, the attackers began their main mission. They searched through the company’s cloud storage to find the most valuable information. They used a tool called AzCopy to copy massive amounts of this data out of the company’s cloud and into their own storage.

After they finished stealing the data, they started deleting it from the victim’s Azure environment. They erased files, databases, and, most importantly, the backups that the company would need to recover. For any data they could not delete because of special protection settings, they used cloud tools to encrypt it with their own keys, making it useless to the company.

The Ransom Demand

With the company’s data stolen and the originals destroyed, the final step was to demand money. The attackers used a Microsoft Teams account that they had also compromised during the attack to contact the victim and begin the extortion process.

How to Protect Your Business from These Attacks

This story is a clear warning that cloud security is incredibly important. The good news is that there are steps you can take to protect your organization. Microsoft and other experts provide guidance based on how Storm-0501 operates.

Use Multi-Factor Authentication (MFA) Everywhere

The attackers were stopped many times by MFA. Their success came from finding one single, powerful account that did not have it. Make sure every account, especially powerful administrator accounts, has MFA enabled. There should be no exceptions.

Protect Your Sync Servers

The attack started on an Entra Connect Sync server. These servers are very sensitive. Use security features like Trusted Platform Module (TPM) to protect the credentials stored on them and use the latest versions of the software that support more secure authentication methods.

Have a Unified View of Security

The victim company had “visibility gaps” because of its complex and separate systems. It is vital to have security monitoring that covers your entire environment, both on-premises and in the cloud. This allows you to spot suspicious activity no matter where it happens.

Limit Powerful Accounts

The principle of “least privilege” is crucial. This means that accounts should only have the minimum level of power they need to do their job. A non-human, synchronized account should almost never have Global Administrator rights. Regularly review who has these powerful roles and remove them if they are not absolutely necessary.
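To turn the MFA rule above and this least-privilege rule into a repeatable check, here is an added example in Python over a constructed account inventory. It is not from the article or from Microsoft, and the account fields (roles, MFA state, synced and non-human flags) are assumptions for the example, not a real Graph API schema.

```python
# Added example (not from the article or Microsoft): a least-privilege review
# over a constructed, simplified inventory of Entra ID accounts. The field
# names below are assumptions for this example, not a real Graph API schema.
from dataclasses import dataclass

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "User Access Administrator", "Owner"}

@dataclass
class Account:
    upn: str
    roles: set
    mfa_enabled: bool
    synced_from_on_prem: bool   # account is synchronised by Entra Connect
    is_service_account: bool    # non-human account

def review_privileged_accounts(accounts):
    """Return (upn, finding) pairs for accounts that break the two rules:
    every privileged account needs MFA, and a synced non-human account should
    never hold Global Administrator."""
    findings = []
    for a in accounts:
        held = a.roles & PRIVILEGED_ROLES
        if not held:
            continue                     # unprivileged accounts are out of scope
        if not a.mfa_enabled:
            findings.append((a.upn, f"privileged role(s) {sorted(held)} without MFA"))
        if (a.synced_from_on_prem and a.is_service_account
                and "Global Administrator" in a.roles):
            findings.append((a.upn, "synced non-human account holds Global Administrator"))
    return findings

# Constructed sample inventory modelled on the incident described above
SAMPLE_ACCOUNTS = [
    Account("alice@contoso.example", {"Global Administrator"}, True, True, False),
    Account("svc-sync@contoso.example", {"Global Administrator"}, False, True, True),
    Account("bob@contoso.example", {"Helpdesk Administrator"}, False, True, False),
]

if __name__ == "__main__":
    for upn, finding in review_privileged_accounts(SAMPLE_ACCOUNTS):
        print(f"{upn}: {finding}")
```

Only the synced service account is reported; a human administrator with MFA and a helpdesk account outside the privileged set pass.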

Watch for Strange Activity

Be on the lookout for the specific actions the attackers took. This includes an account suddenly gaining “User Access Administrator” rights in Azure or the creation of a new “federated domain,” which could be a backdoor.
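As an added example of what watching for these two signals can look like in practice, the Python below runs simple detection logic over constructed Azure Activity Log and Entra ID audit records. It is not code from the article or from Microsoft; the flat record shape and the Entra activity names it matches on are assumptions to be checked against your own log schema.

```python
# Added example (not from the article or Microsoft): detection logic run over
# constructed, simplified Azure Activity Log and Entra ID audit records.
# The flat record shape is an assumption made for this example; map it onto
# your real log schema (for example a SIEM export) before using it.
import json

ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"
WATCHED_AZURE_ROLES = {"User Access Administrator", "Owner"}
# Entra audit activities that create or change a federated domain; names
# assumed from the Entra audit log, check them against your tenant's events
FEDERATION_ACTIVITIES = {"Set domain authentication",
                         "Set federation settings on domain"}

def detect(records):
    """Return (alert_type, actor, detail) for the two signals named above:
    a principal gaining User Access Administrator or Owner on an Azure scope,
    and a federated domain being added or changed in Entra ID."""
    alerts = []
    for r in records:
        if (r.get("source") == "azure-activity"
                and r.get("operationName") == ROLE_ASSIGNMENT_WRITE
                and r.get("roleDefinitionName") in WATCHED_AZURE_ROLES):
            alerts.append(("privileged-role-assignment", r["caller"],
                           f"{r['roleDefinitionName']} on {r['scope']}"))
        elif (r.get("source") == "entra-audit"
                and r.get("activityDisplayName") in FEDERATION_ACTIVITIES):
            alerts.append(("federation-change", r["initiatedBy"],
                           r["targetDomain"]))
    return alerts

# Constructed sample records (JSON lines) modelled on the incident above;
# the all-zero subscription id is a placeholder
SAMPLE_LOG = """
{"source": "azure-activity", "operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "svc-sync@contoso.example", "roleDefinitionName": "User Access Administrator", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
{"source": "azure-activity", "operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "alice@contoso.example", "roleDefinitionName": "Reader", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"}
{"source": "entra-audit", "activityDisplayName": "Set domain authentication", "initiatedBy": "svc-sync@contoso.example", "targetDomain": "attacker-controlled.example"}
{"source": "entra-audit", "activityDisplayName": "Update user", "initiatedBy": "bob@contoso.example", "targetDomain": ""}
"""

def parse_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for alert in detect(parse_jsonl(SAMPLE_LOG)):
        print(*alert, sep=" | ")
```

The Reader assignment and the routine user update produce no alert, so the output is the two events worth paging on.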

Rethink Your Backup Strategy

Storm-0501 directly targets cloud backups. While cloud backups are convenient, consider having backups that are “immutable” (cannot be changed or deleted for a set period) or are stored completely offline and disconnected from your main network. This gives you a last resort for recovery.

The evolution of Storm-0501’s tactics from on-premises malware to direct cloud attacks marks a significant shift in the ransomware landscape. It shows that criminals are adapting to new technologies and learning how to exploit them. Securing a cloud environment is not just about building a wall around it; it is about carefully managing identities, permissions, and configurations inside it. By understanding how these attacks work and taking proactive steps to strengthen your defenses, you can protect your valuable data from this growing threat.