

A new report out today from Microsoft Threat Intelligence details how the financially motivated threat group Storm-0501 is shifting its focus toward cloud-based ransomware campaigns, moving beyond the on-premises tactics it previously relied on.
The Storm-0501 threat group first emerged in 2021 with the deployment of Sabbath ransomware against U.S. school districts and has since shifted its focus across multiple sectors, including healthcare in 2023. As of 2025, the group specializes in cloud-based ransomware operations.
Storm-0501 differs from traditional ransomware operators that deploy malware to encrypt files on compromised endpoints and then demand payment for decryption keys.
Instead of pushing malware, Storm-0501 leverages built-in cloud capabilities to exfiltrate large volumes of data, delete backups and destroy resources in the victim’s Azure environment before issuing ransom demands. The result is a methodology that is faster and potentially more damaging, and that also bypasses many endpoint-centric defenses.
According to the report, Storm-0501 initially gained traction by compromising Active Directory environments and moving laterally into Microsoft Entra ID tenants. In more recently observed cases, the threat actor abused Entra Connect synchronization accounts to enumerate users and resources, eventually taking over global administrator accounts that lacked multifactor authentication.
Once inside a targeted system, Storm-0501 registers malicious federated domains to create persistent backdoors, allowing it to impersonate users across the cloud tenant. The hackers then expand control across Azure subscriptions by using elevated privileges before mapping sensitive data stores and exploiting storage account features to expose and exfiltrate information.
That’s followed by the deletion of snapshots, restore points, storage accounts and backup containers, as the group attempts to strip away protective controls such as immutability policies and resource locks. In cases where Storm-0501 cannot delete files, the group instead turns to cloud-based encryption and creates its own key vaults and encryption scopes before deleting the keys to render data inaccessible.
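The chain described above (federated-domain persistence, removal of protective controls, a burst of snapshot and storage deletions, then a self-created key vault whose keys are destroyed) is visible in Entra audit and Azure Activity logs. The following detection script is an added example written for this article, not code from Microsoft's report. It assumes Activity Log operation names follow the `Microsoft.<Provider>/<type>/<action>` convention and that the Entra audit entries for federation changes carry the display names listed in `FEDERATION_EVENTS`; verify both against your own tenant's logs. All records in `SAMPLE_RECORDS` are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Entra ID audit-log activityDisplayName values for federation changes.
FEDERATION_EVENTS = {"Set federation settings on domain", "Set domain authentication"}

# Assumed Activity Log operation names that weaken protective controls
# (the report describes resource locks and immutability policies being stripped).
CONTROL_REMOVAL = {
    "Microsoft.Authorization/locks/delete",
    "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete",
}

# Assumed operation names for the destructive phase (snapshots, restore points,
# storage accounts, backup containers, key material).
DESTRUCTIVE_OPS = {
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/restorePointCollections/delete",
    "Microsoft.Storage/storageAccounts/delete",
    "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
    "Microsoft.KeyVault/vaults/keys/delete",
}
KEYVAULT_CREATE = "Microsoft.KeyVault/vaults/write"
KEY_DELETE = "Microsoft.KeyVault/vaults/keys/delete"


def _t(rec):
    """Parse the record's ISO-8601 timestamp."""
    return datetime.fromisoformat(rec["time"])


def detect(records, burst_threshold=3, burst_window=timedelta(minutes=10)):
    """Return (rule, caller, time) alerts for the stages of the attack chain.

    Rules: a federation change by any principal; removal of a lock or immutability
    policy; burst_threshold or more successful destructive operations by one caller
    inside burst_window; and a key vault created and keys later deleted by the same
    caller (the cloud-encryption-then-key-destruction step).
    """
    alerts = []
    by_caller = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        by_caller[rec["caller"]].append(rec)

    for caller, events in by_caller.items():
        for ev in events:
            if ev["source"] == "entra" and ev["operation"] in FEDERATION_EVENTS:
                alerts.append(("federation_change", caller, ev["time"]))
            if ev["operation"] in CONTROL_REMOVAL:
                alerts.append(("control_removal", caller, ev["time"]))

        # Sliding window over successful destructive operations; report one burst per caller.
        dels = [e for e in events
                if e["operation"] in DESTRUCTIVE_OPS and e.get("status") == "Succeeded"]
        start, reported = 0, False
        for end in range(len(dels)):
            while _t(dels[end]) - _t(dels[start]) > burst_window:
                start += 1
            if end - start + 1 >= burst_threshold and not reported:
                alerts.append(("destruction_burst", caller, dels[start]["time"]))
                reported = True

        created = [e for e in events if e["operation"] == KEYVAULT_CREATE]
        key_deleted = [e for e in events if e["operation"] == KEY_DELETE]
        if created and key_deleted and _t(key_deleted[-1]) > _t(created[0]):
            alerts.append(("keyvault_create_then_key_delete", caller, key_deleted[-1]["time"]))
    return alerts


# Constructed sample telemetry: one principal walks the whole chain, a backup
# administrator performs two routine snapshot deletions hours apart.
ACTOR, ADMIN = "ga-nomfa@contoso.example", "backup-admin@contoso.example"
SAMPLE_RECORDS = [
    {"time": "2025-01-01T10:00:00", "caller": ACTOR, "source": "entra",
     "operation": "Set federation settings on domain", "status": "Succeeded"},
    {"time": "2025-01-01T10:20:00", "caller": ACTOR, "source": "activity",
     "operation": "Microsoft.Authorization/locks/delete", "status": "Succeeded"},
    {"time": "2025-01-01T10:21:00", "caller": ACTOR, "source": "activity",
     "operation": "Microsoft.Compute/snapshots/delete", "status": "Succeeded"},
    {"time": "2025-01-01T10:22:00", "caller": ACTOR, "source": "activity",
     "operation": "Microsoft.Compute/snapshots/delete", "status": "Succeeded"},
    {"time": "2025-01-01T10:23:00", "caller": ACTOR, "source": "activity",
     "operation": "Microsoft.Storage/storageAccounts/delete", "status": "Succeeded"},
    {"time": "2025-01-01T10:30:00", "caller": ACTOR, "source": "activity",
     "operation": KEYVAULT_CREATE, "status": "Succeeded"},
    {"time": "2025-01-01T10:35:00", "caller": ACTOR, "source": "activity",
     "operation": KEY_DELETE, "status": "Succeeded"},
    {"time": "2025-01-01T11:00:00", "caller": ADMIN, "source": "activity",
     "operation": "Microsoft.Compute/snapshots/delete", "status": "Succeeded"},
    {"time": "2025-01-01T14:00:00", "caller": ADMIN, "source": "activity",
     "operation": "Microsoft.Compute/snapshots/delete", "status": "Succeeded"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

The burst rule is keyed per caller so that routine, spread-out backup housekeeping does not fire; the federation-change and control-removal rules fire on a single event because each is rare in a healthy tenant and precedes the destructive phase in the sequence the report describes.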
Given the real risk Storm-0501 poses, the report emphasizes the need to strengthen defenses across both the identity and cloud layers.
Ways to combat the risk include enforcing phishing-resistant multifactor authentication, limiting privileges on synchronization accounts, applying conditional-access policies and, not surprisingly, deploying Microsoft Defender for Endpoint and Defender for Cloud for comprehensive visibility. The report also recommends enabling immutable storage, purge protection in key vaults, and backup solutions to safeguard against destructive actions.
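The storage and key-vault recommendations above can be checked against resource properties pulled from Azure Resource Manager. The posture check below is an added example written for this article, not tooling from Microsoft or the report; it assumes the ARM property names `enableSoftDelete` and `enablePurgeProtection` on key vaults, `hasImmutabilityPolicy` on blob containers, and `level` on management locks, and it uses constructed resource records that place a weakly configured vault and container beside hardened ones.

```python
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed subscription id

KEYVAULT = "Microsoft.KeyVault/vaults"
CONTAINER = "Microsoft.Storage/storageAccounts/blobServices/containers"


def assess(resources, locks):
    """Return (resource_id, finding) pairs for gaps against the report's recommendations.

    Checks: soft delete and purge protection on key vaults, an immutability policy on
    blob containers, and a CanNotDelete lock on the resource or an ancestor scope
    (locks inherit down the scope hierarchy, so a resource-group lock covers its members).
    """
    locked_scopes = {l["scope"] for l in locks if l["properties"].get("level") == "CanNotDelete"}
    findings = []
    for res in resources:
        rid, props = res["id"], res.get("properties", {})
        if res["type"] == KEYVAULT:
            if not props.get("enableSoftDelete", False):
                findings.append((rid, "soft delete disabled"))
            if not props.get("enablePurgeProtection", False):
                findings.append((rid, "purge protection disabled"))
        elif res["type"] == CONTAINER:
            if not props.get("hasImmutabilityPolicy", False):
                findings.append((rid, "no immutability policy"))
        if not any(rid == s or rid.startswith(s + "/") for s in locked_scopes):
            findings.append((rid, "no CanNotDelete lock at resource or ancestor scope"))
    return findings


# Constructed sample inventory: kv-weak and the 'exports' container show the gaps,
# kv-hardened and the 'backups' container show the recommended configuration.
SAMPLE_RESOURCES = [
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/{KEYVAULT}/kv-weak", "type": KEYVAULT,
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": False}},
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/{KEYVAULT}/kv-hardened", "type": KEYVAULT,
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": True}},
    {"id": f"{SUB}/resourceGroups/rg-backup/providers/Microsoft.Storage/storageAccounts/stbackup"
           "/blobServices/default/containers/backups", "type": CONTAINER,
     "properties": {"hasImmutabilityPolicy": True}},
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stdata"
           "/blobServices/default/containers/exports", "type": CONTAINER,
     "properties": {"hasImmutabilityPolicy": False}},
]
SAMPLE_LOCKS = [
    {"scope": f"{SUB}/resourceGroups/rg-backup", "properties": {"level": "CanNotDelete"}},
    {"scope": f"{SUB}/resourceGroups/rg-prod/providers/{KEYVAULT}/kv-hardened",
     "properties": {"level": "CanNotDelete"}},
]

if __name__ == "__main__":
    for rid, finding in assess(SAMPLE_RESOURCES, SAMPLE_LOCKS):
        print(f"{finding}: {rid}")
```

Locks and unlocked immutability policies are exactly the controls the report says the actor removes once it holds elevated privileges, so treat a passing lock check as necessary but not sufficient; purge protection on a key vault cannot be switched off once enabled, and a locked time-based retention policy cannot be shortened or removed, which makes those two settings the ones that hold up against an administrator-level intruder.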