Storm-0501 Identified as a Key Player in Hybrid Cloud Ransomware Attacks

Storm-0501, a known cybercriminal group, has been actively targeting key sectors in the U.S., including government, manufacturing, transportation, and law enforcement, in a series of ransomware attacks.

This campaign, identified by researchers, aims to exploit hybrid cloud environments, moving from on-premises infrastructure to cloud platforms, leading to data theft, credential harvesting, system tampering, and ultimately, ransomware deployment.

Active since 2021, Storm-0501 initially focused on educational institutions using Sabbath ransomware before evolving into a Ransomware-as-a-Service (RaaS) operation, delivering various ransomware strains such as Hive, BlackCat (ALPHV), and LockBit over the years. One of the group’s tactics is exploiting weak credentials and over-privileged accounts to move laterally across networks, from on-premises systems to cloud infrastructure.

Additionally, they use access brokers like Storm-0249 or exploit unpatched vulnerabilities in widely used systems such as Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion to infiltrate their targets. Once inside, they perform extensive reconnaissance, deploying remote management tools like AnyDesk to maintain persistent access.

Storm-0501’s attacks leverage admin privileges to gain control over compromised devices and employ tools like Impacket’s SecretsDump module to extract credentials, enabling further lateral movement across networks. These credentials are also used for brute-force attacks and accessing sensitive files, including KeePass secrets.

The group has been observed using tools like Cobalt Strike for lateral movement and Rclone to transfer exfiltrated data to public cloud storage like MegaSync. In many cases, they create persistent backdoors into cloud environments and deploy ransomware, making them a significant threat to hybrid cloud setups.

Storm-0501’s attacks typically culminate in the deployment of Embargo ransomware, a Rust-based malware first detected in May 2024. Operating under the RaaS model, Storm-0501 and other affiliates use platforms like Embargo to conduct ransomware attacks, often employing double extortion methods—encrypting victims’ files and threatening to leak sensitive data unless ransoms are paid. However, in some instances, they maintain persistent network access without deploying ransomware.

Other ransomware groups, such as DragonForce, have also been active, targeting similar industries. Using tools like SystemBC, Mimikatz, and Cobalt Strike, they launch attacks across sectors, with the U.S. being the hardest hit. Recent attacks have been characterized by the use of leaked ransomware builders like LockBit 3.0, with affiliates earning up to 80% of the ransom.

To reduce the risk of falling victim to groups like Storm-0501, organizations should strengthen their cybersecurity posture by enforcing multi-factor authentication (MFA) across all user accounts, regularly updating and patching software to close known vulnerabilities, and minimizing the use of over-privileged accounts.

Additionally, continuous network monitoring for unusual behavior and robust credential management practices can help prevent lateral movement within hybrid cloud environments.
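As an added example, not taken from the article or from any vendor's detection content, the endpoint side of the monitoring recommended above can be expressed as a small rule scan over process-creation events, looking for the tooling the article names (Rclone pushing data to a MegaSync remote, AnyDesk launched from a user-writable path, Impacket's secretsdump, Mimikatz) and flagging hits made under accounts that should never run ad-hoc tooling. The pipe-separated log layout, hostnames, account names and the privileged-account list are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (not real telemetry). The layout
# timestamp|host|user|image|command_line is an assumption for this example.
SAMPLE_LOG = r"""
2024-08-01T10:02:11Z|WS01|acme\jdoe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt
2024-08-01T10:15:42Z|SRV02|acme\svc_backup|C:\Temp\rclone.exe|rclone.exe copy D:\Finance mega:dump --transfers 8
2024-08-01T10:20:05Z|WS01|acme\jdoe|C:\Users\Public\AnyDesk.exe|AnyDesk.exe --install C:\Users\Public\AD --silent
2024-08-01T11:03:19Z|DC01|acme\t1_admin|C:\Python39\python.exe|python.exe secretsdump.py acme/t1_admin@dc01 -just-dc
2024-08-01T11:10:00Z|WS01|acme\jdoe|C:\Program Files\Git\bin\git.exe|git.exe pull
"""

# Assumed list of accounts that should never run ad-hoc tooling (compared case-insensitively).
PRIVILEGED_ACCOUNTS = {a.lower() for a in (r"acme\t1_admin", r"acme\svc_backup")}

# Rules keyed to the tradecraft described in the article; each regex runs over "image command_line".
RULES = [
    ("rclone-to-cloud-storage", "Exfiltration",
     re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\b.*\s(mega|megasync)\S*:", re.I)),
    ("anydesk-from-user-writable-path", "Persistence",
     re.compile(r"(\\users\\public\\|\\temp\\|\\appdata\\local\\temp\\).*anydesk\.exe", re.I)),
    ("impacket-secretsdump", "Credential Access", re.compile(r"secretsdump", re.I)),
    ("mimikatz", "Credential Access", re.compile(r"mimikatz", re.I)),
]

@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    tactic: str
    privileged: bool  # True when the account is in PRIVILEGED_ACCOUNTS

def scan(log_text: str) -> list[Finding]:
    """Return one Finding per event that matches a rule (first matching rule wins)."""
    findings = []
    for line in log_text.strip().splitlines():
        try:
            _ts, host, user, image, cmdline = line.split("|", 4)
        except ValueError:
            continue  # malformed line: skip it rather than abort the whole scan
        haystack = f"{image} {cmdline}"
        for rule, tactic, pattern in RULES:
            if pattern.search(haystack):
                findings.append(Finding(host, user, rule, tactic, user.lower() in PRIVILEGED_ACCOUNTS))
                break
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host} {f.user}: {f.rule} ({f.tactic}){' [privileged account]' if f.privileged else ''}")
```

Matching on tool names and paths is only a first-pass signal; renamed binaries evade it, so the rules belong beside the credential-management and MFA controls the article lists rather than in place of them.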