Ransomware Gangs Exploit Microsoft Azure Tools for Data Theft

Ransomware groups, such as BianLian and Rhysida, have adopted a new technique to steal sensitive data by abusing Microsoft Azure’s tools, particularly Azure Storage Explorer and AzCopy.

These tools, designed to manage cloud storage and transfer data within Microsoft’s cloud ecosystem, are now being manipulated to extract large amounts of data from breached networks and store it in Azure Blob storage.

Azure Storage Explorer, a user-friendly graphical interface, and AzCopy, a command-line tool for transferring data, are being utilized by cybercriminals to secure stolen information. According to a recent report, attackers are increasingly storing the exfiltrated data in Azure’s cloud, later retrieving it for their own use.

However, getting Azure Storage Explorer operational requires extra effort from the attackers, including the installation of dependencies and updating .NET to version 8. This added complexity highlights how ransomware operations are evolving, with a sharper focus on data theft, which plays a crucial role in the extortion phase of these attacks.

While each ransomware group employs different tools for exfiltration, it’s common to see gangs using software like Rclone and MEGAsync for syncing data with various cloud providers. Microsoft Azure, being a trusted enterprise-grade platform, often bypasses corporate firewalls and security systems.

As a result, attackers can transfer large amounts of data undetected, leveraging Azure’s high scalability and performance to swiftly extract files from compromised networks.

Reports indicate that ransomware operators use multiple instances of Azure Storage Explorer simultaneously to speed up the data transfer process. Additionally, when using Storage Explorer and AzCopy, attackers enable default ‘Info’ level logging, which generates log files. These logs, stored in %USERPROFILE%\.azcopy, can be valuable to incident responders as they contain details of the stolen data and any additional malicious payloads introduced.

To defend against such attacks, organizations are advised to monitor the execution of AzCopy, track outbound network traffic to Azure Blob Storage endpoints, and set up alerts for unusual file transfer patterns on critical servers. For companies already utilizing Azure, it’s recommended to enable the ‘Logout on Exit’ feature to automatically sign out users after application use, preventing attackers from hijacking an active session.