When Ransomware Moves to the Cloud


Luca Galuppi : 28 August 2025 10:52

Microsoft is raising the alarm: the Storm-0501 cybercriminal group has evolved. No more “traditional” attacks on on-premises machines, no more ransomware that encrypts local files. Now the threat is moving directly above us, into the cloud, where many companies thought they were safe.

This is a momentous transition: malicious executables that infect servers and PCs are no longer needed. Storm-0501 now turns the cloud’s own native capabilities against its victims to do its dirty work. We’re talking about:

  • Massive data exfiltration directly from Azure.
  • Destruction of backups and snapshots to prevent any recovery attempts.
  • Cloud-based encryption through the creation of new Key Vaults and managed keys, making data inaccessible to victims.

The result? Fierce pressure, not through the usual “paid decryptor,” but through direct blackmail: either you pay, or your data in the cloud disappears or remains encrypted forever.

The Evolution of Cybercrime

Storm-0501 is not a new name. Active since at least 2021, it has been used by several RaaS (Ransomware-as-a-Service) ecosystems: Hive, BlackCat (ALPHV), Hunters International, LockBit, up until the recent Embargo. But now the metamorphosis is complete: no longer traditional ransomware, but 100% cloud-native digital extortion.

Microsoft analysts have observed disturbing techniques:

  • Compromised Directory Synchronization Accounts to move laterally in Azure environments.
  • Discovery of Global Administrator accounts without MFA, whose credentials were then reset to gain full control.
  • Persistence achieved with malicious federated domains, capable of impersonating users and bypassing multi-factor authentication.
  • Abuse of the Microsoft.Authorization/elevateAccess/action API to become Owner and take over the entire cloud infrastructure.

Once in control, criminals have free rein: they can disable defenses, empty storage, delete Recovery Services Vaults, or, when that’s not possible, encrypt everything with new keys they manage.
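The stages described above leave a trail in the Azure Activity Log: the elevateAccess call, Recovery Services Vault deletions and the creation of new Key Vaults are all recorded as resource-provider operations. The following triage script is an added example, not code from the article or from Microsoft; the operation names are real Azure Activity Log values, while the log records, callers and resource ids are constructed samples.

```python
import json
from collections import defaultdict

# Azure resource-provider operations that correspond to the stages described above.
# Operation names are real Activity Log values; the descriptions are this example's labels.
WATCHED_OPERATIONS = {
    "Microsoft.Authorization/elevateAccess/action": "privilege escalation to root-scope Owner",
    "Microsoft.RecoveryServices/vaults/delete": "backup vault destruction",
    "Microsoft.KeyVault/vaults/write": "new Key Vault (possible attacker-managed keys)",
}

# Constructed sample records shaped like Azure Activity Log entries; not taken from the article.
SAMPLE_LOG = """\
{"operationName": "Microsoft.Authorization/elevateAccess/action", "status": "Succeeded", "caller": "admin@contoso.example", "resourceId": "/providers/Microsoft.Authorization"}
{"operationName": "Microsoft.Compute/virtualMachines/start/action", "status": "Succeeded", "caller": "ops@contoso.example", "resourceId": "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm01"}
{"operationName": "Microsoft.RecoveryServices/vaults/delete", "status": "Succeeded", "caller": "admin@contoso.example", "resourceId": "/subscriptions/sub-1/resourceGroups/rg-backup/providers/Microsoft.RecoveryServices/vaults/rsv-prod"}
{"operationName": "Microsoft.RecoveryServices/vaults/delete", "status": "Failed", "caller": "admin@contoso.example", "resourceId": "/subscriptions/sub-1/resourceGroups/rg-backup/providers/Microsoft.RecoveryServices/vaults/rsv-locked"}
{"operationName": "Microsoft.KeyVault/vaults/write", "status": "Succeeded", "caller": "admin@contoso.example", "resourceId": "/subscriptions/sub-1/resourceGroups/rg-new/providers/Microsoft.KeyVault/vaults/kv-ext"}
"""

def triage(raw_log):
    """Return one finding per watched operation. Failed attempts are kept on purpose:
    a delete blocked by a resource lock or soft-delete is still evidence of intent."""
    findings = []
    for line in raw_log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        op = rec.get("operationName", "")
        if op in WATCHED_OPERATIONS:
            findings.append({
                "caller": rec.get("caller", "<unknown>"),
                "operation": op,
                "status": rec.get("status", "<unknown>"),
                "resource": rec.get("resourceId", "").rsplit("/", 1)[-1],
                "why": WATCHED_OPERATIONS[op],
            })
    return findings

def correlate(findings):
    """Group findings by caller; a single identity touching two or more distinct
    watched stages matches the escalate -> destroy backups -> re-key chain."""
    stages = defaultdict(set)
    for f in findings:
        stages[f["caller"]].add(f["operation"])
    return {caller: sorted(ops) for caller, ops in stages.items() if len(ops) >= 2}

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['status']:9} {f['caller']:22} {f['operation']} -> {f['why']} ({f['resource']})")
    for caller, ops in correlate(found).items():
        print(f"CHAIN: {caller} performed {len(ops)} distinct stages: {ops}")
```

In practice the same logic runs as a scheduled query against the Activity Log in Log Analytics rather than over a text file; the point is that each stage is an auditable control-plane event a defender can alert on.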

Extortion 2.0: The threat arrives via Teams

As if that weren’t enough, Storm-0501 has found a new channel to communicate with victims: Microsoft Teams. Using compromised accounts, the criminals deliver their ransom demands directly to the chat, making the attack even more destabilizing.

Imagine: the internal collaboration platform, where employees exchange files and work messages, suddenly becomes a blackmail megaphone. A blow to the heart of corporate trust.

Conclusion

Ransomware isn’t dead. It’s simply gone up a level.
Storm-0501 shows us clearly: malware is no longer needed to bring a company to its knees; the cloud itself, turned into a weapon against us, is enough.

Backups? Deleted.
Data? Encrypted with keys we don’t possess.
Internal communication? Used to deliver threats and blackmail.

We are facing an evolutionary leap that leaves no room for improvisation: those who don’t raise their cloud defenses now risk waking up tomorrow with their infrastructure and corporate data held hostage by a click.

Companies that believe they are safe just because they’ve moved their data to Azure or other cloud providers are mistaken: security can’t be delegated, it’s built day by day.

Luca Galuppi
A lifelong technology enthusiast. I have been working in the IT field for over 15 years. I have particular experience in Firewall and Networking and deal with Network Design and IT Architectures on a daily basis. I currently serve as Senior IT Engineer and PM for an IT Consulting and Services company.
