Storm-0501

Storm-0501 is a financially motivated ransomware operator tracked by Microsoft and associated in the provided content with the Embargo ransomware operation. The content states the actor has been active since 2021 and previously deployed Sabbath, Hive, BlackCat, Hunters International, and LockBit 3.0. Embargo is also described in the content as being tracked as Storm-0501 by Microsoft, with Storm-0501 identified as the primary tracked Embargo affiliate. The actor targets hybrid on-premises and Azure environments and has been reported operating in multi-tenant Azure environments. Microsoft reported that Storm-0501 used AzureHound to enumerate Microsoft Entra ID tenants. The actor leveraged compromised accounts to access Microsoft Entra Connect, used a victim Global Administrator account that lacked any registered MFA method to access cloud environments, and leveraged Storage Account Access Keys within victim environments. The content attributes to Storm-0501 a mix of ransomware, cloud abuse, credential abuse, discovery, and exfiltration activity. Reported discovery activity includes use of tasklist.exe to enumerate running processes and use of native Windows tools such as systeminfo, as well as open-source tools including OSQuery and ossec-win32, to query endpoint details. Additional reconnaissance and post-compromise tooling cited in the content includes ADRecon.ps1, nltest, net group, sc query, and AzureHound. Credential access techniques mentioned include Impacket SecretsDump, DCSync, KeePass credential theft, and brute-force attacks. For lateral movement, command and control, and persistence, the content cites Cobalt Strike, Evil-WinRM, AnyDesk, NinjaOne, and Level.io. For ransomware deployment and persistence at scale, Storm-0501 used a scheduled task named "SysUpdate" registered via Group Policy Object to distribute Embargo ransomware across devices in the network. The content also states Microsoft reported Storm-0501 abusing Azure encryption scopes to extort ransomware payments from victims. In that attack chain, the actor created a new Azure Key Vault, created a key, created an encryption scope, encrypted victim data, deleted the key or vault, and then demanded ransom. For exfiltration, the content states Storm-0501 exfiltrated stolen data to the MEGA file-sharing site, used Rclone to exfiltrate data to cloud storage such as MegaSync, and used the AzCopy command-line tool to exfiltrate data to actor-controlled infrastructure. The content also links Storm-0501 to Fox Tempest as a customer or affiliate that used malware signed through Fox Tempest's malware-signing-as-a-service platform, alongside actors such as Vanilla Tempest, Storm-2561, and Storm-0249.