Hybrid cloud environments being targeted by worrying new ransomware attacks

Cybercriminals are targeting hybrid cloud platforms with a worrying new ransomware strain, Microsoft security researchers have revealed.

Threat intelligence experts from the company have published a new blog post warning of Storm-0501, a ransomware affiliate group active since 2021.

The team has warned Storm-0501 is targeting different verticals across the United States, from government, manufacturing, to transportation, and law enforcement.

Rust-built ransomware

Microsoft’s researchers believe the group is financially motivated, meaning it is not a state-sponsored player, as it targets firms with the intent of extorting money, which is then likely used to fund additional cybercriminal activity.

When it attacks, Storm-0501 looks for poorly protected, over-privileged accounts. Once compromised, the accounts are used to grant access to on-prem devices, and from there, cloud environments. The next step is to establish persistence and allow unabated lateral movement throughout the infrastructure.

The final step is the introduction of ransomware. In the past, Storm-0501 used popular variants, such as Hive, BlackCat (ALPHV), Hunters International, and LockBit. However, in some of the more recent attacks, the group used a ransomware variant called Embargo.

Embargo is a relatively new strain, developed in Rust. Microsoft’s researchers state that it uses advanced encryption methods and operates under the RaaS model (meaning someone else is developing and maintaining the encryptor, and thus gets a share of the eventual spoils). While using Embargo, Storm-0501 goes for the old and proven double-extortion tactic, where they first steal a victim’s files, then encrypt the rest, and threaten to leak it online unless the victim pays a ransom.

In the cases Microsoft analyzed, Storm-0501 leveraged compromised Domain Admin accounts and deployed Embargo via scheduled tasks. The ransomware binaries names that were used were PostalScanImporter.exe and win.exe. The extensions of the encrypted files were .partial, .564ba1, and .embargo.

It is also worth mentioning that Storm-0501 sometimes refrains from deploying the encryptor and just maintains access to the network.