A former affiliate of several major ransomware-as-a-service (RaaS) gangs has formed its own ransomware organisation.
Microsoft Threat Intelligence has discovered a group it has dubbed “Storm-0501” targeting hybrid cloud environments and performing “lateral movement from on-premises to cloud environment”. It was observed exfiltrating data, deploying ransomware, stealing credentials and more.
The threat actor has been active since 2021, deploying ransomware payloads from other ransomware gangs, including LockBit, ALPHV (BlackCat), Hive, Hunters International and, most recently, Embargo.
“Embargo ransomware is a new strain developed in Rust, known to use advanced encryption methods. Operating under the RaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom,” Microsoft said.
“Embargo affiliates employ double extortion tactics, where they first encrypt a victim’s files and threaten to leak stolen sensitive data unless a ransom is paid.”
The group has been targeting government, law enforcement, transportation and manufacturing organisations, but has most recently been seen targeting US hospitals.
The group largely works by using stolen credentials to gain access to networks, resulting in persistent backdoor access and eventual ransomware deployment once Storm-0501 reaches a domain controller.
According to Microsoft’s research, the group largely relies on common tools native to Windows such as systeminfo.exe, nltest.exe, tasklist.exe, net.exe and more. It also uses tools such as AnyDesk and other open-source programs for reconnaissance and remote access.
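As an added example (not code from Microsoft's report or from the article), a small Python detector that flags a host/user pair running several of the reconnaissance binaries named above within a short window, which is the living-off-the-land pattern described here; the event format and the sample log lines are constructed for illustration.

```python
"""Flag bursts of Windows reconnaissance LOLBins (systeminfo, nltest, tasklist, net)
run by one user on one host inside a short sliding window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance binaries named in the report
RECON_TOOLS = {"systeminfo.exe", "nltest.exe", "tasklist.exe", "net.exe"}

# Constructed sample process-creation events (not real telemetry): "timestamp host user image"
SAMPLE_EVENTS = """\
2024-09-01T10:00:05 ws01 jdoe systeminfo.exe
2024-09-01T10:00:09 ws01 jdoe nltest.exe
2024-09-01T10:00:14 ws01 jdoe tasklist.exe
2024-09-01T10:00:20 ws01 jdoe net.exe
2024-09-01T10:30:00 ws02 asmith tasklist.exe
2024-09-01T11:00:00 ws02 asmith net.exe
"""

def parse_events(text):
    """Parse the constructed line format into (timestamp, host, user, image) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image = line.split()
        events.append((datetime.fromisoformat(ts), host, user, image.lower()))
    return events

def find_recon_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Return (host, user, tools) for each host/user pair that ran at least
    min_distinct different recon tools within one window; one alert per pair."""
    by_key = defaultdict(list)
    for ts, host, user, image in events:
        if image in RECON_TOOLS:
            by_key[(host, user)].append((ts, image))
    hits = []
    for (host, user), runs in by_key.items():
        runs.sort()  # chronological, so later entries are never earlier than start
        for i, (start, _) in enumerate(runs):
            seen = {img for ts, img in runs[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                hits.append((host, user, tuple(sorted(seen))))
                break
    return hits

if __name__ == "__main__":
    for host, user, tools in find_recon_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"recon burst on {host} by {user}: {', '.join(tools)}")
```

Tune the window and threshold to the environment; a single `net.exe` from an administrator is normal, while four distinct recon tools from one account in minutes is the pattern worth a look.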
Microsoft says that in some cases, ransomware was not distributed and instead, the threat actors only maintained network access.
“Once the threat actor achieved sufficient control over the network, successfully extracted sensitive files, and managed to move laterally to the cloud environment, the threat actor then deployed the Embargo ransomware across the organisation,” said Microsoft.
Microsoft says that it offers solutions for detecting Storm-0501 activity within its Defender XDR, while its Entra Connect Sync can be used to detect logon events and unauthorised activity.