Storm-0501 Abandons Traditional Ransomware for Cloud-Centric Data Extortion

The threat actor now exploits cloud-native features to encrypt data, destroy backups, and extort victims—all without deploying malware.

Leon Yen

Microsoft is warning organizations about a major shift in tactics from the ransomware group known as Storm-0501. Formerly known for using traditional ransomware payloads like Sabbath, Embargo, and those from RaaS platforms like Hive, BlackCat, and LockBit, Storm-0501 is now pivoting toward cloud-exclusive attacks. Instead of encrypting on-premises systems, the group is weaponizing cloud infrastructure itself to steal data, destroy recovery options, and demand ransom—without relying on malware.

According to Microsoft, Storm-0501 now abuses native cloud capabilities to carry out its attacks, eliminating the need for the file-encryption tooling traditionally used in ransomware campaigns. In recent intrusions the group compromised hybrid cloud environments by finding systems with no Microsoft Defender coverage and by targeting privileged Azure accounts with weak or missing multifactor authentication. One key tactic involved using a compromised Directory Synchronization Account (DSA), the identity Entra Connect uses to sync on-premises Active Directory to Entra ID, to enumerate users, roles, and Azure resources, then elevating privileges through Microsoft's own APIs, including the Azure Resource Manager elevateAccess operation, which grants a Global Administrator the User Access Administrator role at the tenant root scope and with it control over every subscription.

Once the attackers held Global Administrator privileges, they established persistence by adding a malicious federated domain to the tenant. Because the tenant then trusts that domain to authenticate users, the attacker can forge sign-in tokens for any account, satisfying MFA and impersonating identities without ever needing the real credentials. From there, Storm-0501 deleted storage snapshots and backups, and in some cases created new Key Vaults and customer-managed keys and re-encrypted cloud storage data with them, locking victims out of their own environments.
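The chain above leaves a trail in two logs that most tenants already collect: the Azure Activity Log (elevateAccess, Key Vault creation, snapshot and backup deletion) and the Microsoft Entra audit log (federated-domain changes). The following is an added example, not Microsoft's hunting content and not code from this article, that correlates those records by actor and raises a finding only when a foothold step is followed by an impact step within a window. The operation and activity names are the real log identifiers; the actor names, timestamps, record contents and the 24-hour window are constructed assumptions.

```python
"""
Offline triage of Azure Activity Log and Microsoft Entra audit-log records for
the cloud-native extortion chain described in the article. Added example with
constructed input; not Microsoft's own hunting queries and not the page's code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Activity Log operationName.value (lower-cased) mapped to the stage it represents.
STAGE_BY_OPERATION = {
    "microsoft.authorization/elevateaccess/action": "privilege-escalation",
    "microsoft.keyvault/vaults/write": "encryption-prep",
    "microsoft.compute/snapshots/delete": "backup-destruction",
    "microsoft.compute/restorepointcollections/delete": "backup-destruction",
    "microsoft.recoveryservices/vaults/backupfabrics/protectioncontainers"
    "/protecteditems/delete": "backup-destruction",
}
# Entra audit-log activityDisplayName values that add or change a federated domain.
FEDERATION_ACTIVITIES = {"set domain authentication", "set federation settings on domain"}
# A chain is raised only when a foothold stage precedes an impact stage.
FOOTHOLD_STAGES = {"privilege-escalation", "federation-persistence"}
IMPACT_STAGES = {"encryption-prep", "backup-destruction"}


def parse_ts(value):
    """Both logs emit ISO-8601 with a trailing Z; make it timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stage_of(event):
    """Classify one record as (stage, actor, timestamp); None if it is not a
    successful operation belonging to the chain."""
    if "operationName" in event:  # Activity Log record, REST "Activity Logs - List" shape
        if event.get("status", {}).get("value") != "Succeeded":
            return None
        stage = STAGE_BY_OPERATION.get(event["operationName"]["value"].lower())
        if stage is None:
            return None
        return stage, event.get("caller", "<unknown>"), parse_ts(event["eventTimestamp"])
    if "activityDisplayName" in event:  # Entra audit record, Graph directoryAudit shape
        if event.get("result") != "success":
            return None
        if event["activityDisplayName"].lower() not in FEDERATION_ACTIVITIES:
            return None
        who = event.get("initiatedBy", {})
        actor = ((who.get("user") or {}).get("userPrincipalName")
                 or (who.get("app") or {}).get("displayName") or "<unknown>")
        return "federation-persistence", actor, parse_ts(event["activityDateTime"])
    return None


def find_chains(events, window=timedelta(hours=24)):
    """Return {actor: [stages in time order]} for every actor whose first
    foothold stage is followed by an impact stage within `window`.
    A lone snapshot deletion by a backup admin therefore does not fire."""
    by_actor = defaultdict(list)
    for ev in events:
        hit = stage_of(ev)
        if hit:
            stage, actor, ts = hit
            by_actor[actor].append((ts, stage))
    chains = {}
    for actor, hits in by_actor.items():
        hits.sort()
        footholds = [ts for ts, s in hits if s in FOOTHOLD_STAGES]
        if not footholds:
            continue
        first = footholds[0]
        if any(s in IMPACT_STAGES and first <= ts <= first + window for ts, s in hits):
            chains[actor] = [s for _, s in hits]
    return chains


ACTOR = "sync_srv01_1a2b3c@contoso.onmicrosoft.com"  # constructed, DSA-style UPN
SAMPLE_EVENTS = [  # constructed records, not from any real tenant
    {"operationName": {"value": "Microsoft.Authorization/elevateAccess/action"},
     "caller": ACTOR, "status": {"value": "Succeeded"},
     "eventTimestamp": "2025-08-20T09:02:11Z"},
    {"activityDisplayName": "Set domain authentication", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": ACTOR}},
     "activityDateTime": "2025-08-20T09:10:44Z"},
    {"operationName": {"value": "Microsoft.KeyVault/vaults/write"},
     "caller": ACTOR, "status": {"value": "Succeeded"},
     "eventTimestamp": "2025-08-20T09:31:05Z"},
    {"operationName": {"value": "Microsoft.Compute/snapshots/delete"},
     "caller": ACTOR, "status": {"value": "Succeeded"},
     "eventTimestamp": "2025-08-20T09:40:19Z"},
    # Routine cleanup: a single destructive op with no preceding foothold.
    {"operationName": {"value": "Microsoft.Compute/snapshots/delete"},
     "caller": "backup-admin@contoso.example", "status": {"value": "Succeeded"},
     "eventTimestamp": "2025-08-18T22:00:00Z"},
    # A failed elevateAccess attempt is dropped by the status check.
    {"operationName": {"value": "Microsoft.Authorization/elevateAccess/action"},
     "caller": "intern@contoso.example", "status": {"value": "Failed"},
     "eventTimestamp": "2025-08-20T11:00:00Z"},
]

if __name__ == "__main__":
    for actor, stages in find_chains(SAMPLE_EVENTS).items():
        print(f"CRITICAL {actor}: " + " -> ".join(stages))
```

Run against the constructed input, only the sync account is reported, with the stages in the order the article describes; the backup admin's isolated snapshot deletion and the failed elevateAccess call are ignored. Correlating on the caller is the point: each of these operations is legitimate on its own, so an alert on any single one would drown in administrative noise, while the sequence from one identity in one day is the signature of this playbook.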

Victims are then extorted directly via Microsoft Teams, using compromised accounts to send ransom demands. Microsoft notes that this new model of cloud-native ransomware is harder to detect and prevent, as it avoids dropping malware and instead abuses legitimate administrative tools and configurations within the cloud ecosystem.

This evolution signals a critical warning for healthcare organizations: securing on-premises infrastructure is no longer sufficient. The pivot to cloud-native attacks demands that healthcare IT teams rigorously audit identity configurations (including synchronization accounts and the list of federated domains), enforce multifactor authentication on every privileged account, and protect cloud backups and snapshots so that a compromised administrator cannot delete them. Given the sector's high-value data and reliance on uptime, losing access to cloud-hosted patient records or billing systems can be catastrophic. Defense-in-depth strategies must now extend fully into the cloud, with continuous monitoring and least-privilege access as non-negotiables.

Leon is a medtech and public health journalist based in San Francisco.