
Cybersecurity professionals witness a significant shift in ransomware tactics as the threat actor Storm-0501 transitions from legacy on-premises attacks to sophisticated cloud-native operations. As detailed in a recent report published on August 27, 2025, the group now bypasses traditional malware deployment, opting instead for rapid data exfiltration, backup destruction, and ransom demands within cloud environments.
From Hybrid to Fully Cloud-Native Attacks
Storm-0501, active since at least 2021, initially gained notoriety deploying Sabbath ransomware in assaults on U.S. school districts. Over time, it diversified its ransomware payloads—including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo. In 2024, the group escalated hybrid-cloud operations, leveraging on-premise compromises to pivot into cloud environments.
The August 2025 campaign underscores a fundamental strategic evolution. Rather than infecting endpoints, attackers exfiltrate large volumes of data, destroy backups, and initiate ransomware extortion all within the cloud, effectively neutralizing conventional endpoint-centric defenses.
From On-Prem to Cloud Supremacy Attack Chain
Before covering the attack chain in more detail, the conditions that allowed this attack to take place deserve a brief summary. During the discovery phase, in which the threat actor leveraged on-premises control to pivot across Active Directory domains and broadly enumerate cloud resources, they gained critical visibility into the organization’s security posture.
The threat actor then identified a non-human synced identity that held the Global Administrator role in Microsoft Entra ID on that tenant. This account also had no registered MFA method. That allowed the threat actor to reset the user’s on-premises password, which shortly afterwards was legitimately synced to the user’s cloud identity by the Entra Connect Sync service.
The password change in Entra ID was recorded as performed by the Entra Connect Directory Synchronization Account (DSA), because the Entra Connect Sync service was configured in the most common mode, Password Hash Synchronization (PHS). Consequently, the threat actor was able to authenticate to Entra ID as that user with the new password.
Looking at the attack chain in greater detail, this sophisticated assault begins with initial compromise. Storm-0501 accesses environments via stolen credentials provided by access brokers or by exploiting known RCE vulnerabilities in unpatched gateways like Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion.
Once inside, they conduct reconnaissance using native Windows tools and open-source scripts. They harvest credentials via Impacket, KeePass extraction tools, brute force methods, and deploy RMM tools such as AnyDesk or NinjaOne. Cobalt Strike beacons facilitate lateral movement, culminating in a Domain Admin compromise.
Storm-0501 then pivots to the cloud. Using compromised Entra Connect Sync accounts or hybrid-connected domain admins, they move into Microsoft Entra ID (formerly Azure AD) environments. They locate Global Administrator accounts, sometimes non-human ones, that have no MFA, reset their credentials via password hash sync, and register rogue MFA methods to satisfy Conditional Access policies.
Threat actors further strengthen their hold by establishing backdoors using maliciously added federated domains. By injecting threat-actor-controlled Entra ID tenants and root certificates, they enable SAML token impersonation across accounts.
With full Azure tenant control, they elevate roles to Owner, map resource configurations, and selectively expose storage accounts via public access settings for exfiltration purposes. Finally, they exfiltrate data, mass-delete Azure assets and backups, and launch extortion, often reaching out to victims over Microsoft Teams via compromised identities.
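The sequence described above (a sync-account password change landing on a Global Administrator, an MFA registration shortly after, then a federation change) can be surfaced from Entra ID audit logs. The following detection logic is an added example, not code from the report or from Microsoft; the event records are constructed, the field shape and activity names are assumptions modelled on the Entra audit log, and the sync account display name is the one Entra Connect normally uses.

```python
from datetime import datetime, timedelta

# Constructed sample records in the shape of Entra ID audit-log entries
# (assumed activity names; the actor name below is the usual Entra Connect one).
SYNC_ACCOUNT = "On-Premises Directory Synchronization Service Account"
FEDERATION_ACTIVITIES = {"Set domain authentication", "Set federation settings on domain"}
GLOBAL_ADMINS = {"svc-backup@contoso.example"}  # constructed synced non-human GA

EVENTS = [
    {"time": "2025-08-20T10:00:00", "activity": "Change user password",
     "actor": SYNC_ACCOUNT, "target": "svc-backup@contoso.example"},
    {"time": "2025-08-20T10:07:00", "activity": "User registered security info",
     "actor": "svc-backup@contoso.example", "target": "svc-backup@contoso.example"},
    {"time": "2025-08-20T11:30:00", "activity": "Set domain authentication",
     "actor": "svc-backup@contoso.example", "target": "attacker-owned.example"},
    {"time": "2025-08-20T12:00:00", "activity": "Change user password",
     "actor": SYNC_ACCOUNT, "target": "jdoe@contoso.example"},  # routine, no alert
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def find_suspicious(events, global_admins, window=timedelta(hours=1)):
    """Return (rule, target, time) triples for the Storm-0501 style sequence."""
    alerts = []
    reset_times = {}  # GA account -> time of the sync-initiated password change
    for e in sorted(events, key=_ts):
        act, actor, target = e["activity"], e["actor"], e["target"]
        # Rule 1: a PHS-driven password change that lands on a Global Administrator
        if act == "Change user password" and actor == SYNC_ACCOUNT and target in global_admins:
            reset_times[target] = _ts(e)
            alerts.append(("sync_pw_change_on_ga", target, e["time"]))
        # Rule 2: a new MFA method registered within the window after that change
        elif (act == "User registered security info" and target in reset_times
              and _ts(e) - reset_times[target] <= window):
            alerts.append(("mfa_registered_after_reset", target, e["time"]))
        # Rule 3: any federation change is review-worthy on its own
        elif act in FEDERATION_ACTIVITIES:
            alerts.append(("federation_change", target, e["time"]))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(EVENTS, GLOBAL_ADMINS):
        print(alert)
```

Rule 1 on its own is noisy in tenants with many synced admins, which is one more reason to keep Global Administrator on cloud-only accounts.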
Why This Shift to Cloud-Native Ransomware Matters
This pivot to cloud-native ransomware amplifies both impact and intent. As Sherrod DeGrippo, Microsoft’s Director of Threat Intelligence Strategy, frames it: instead of encrypting files, Storm-0501 exfiltrates, destroys backups, and threatens irreversible data loss. For any enterprise, the mere threat of such activity should cause sleepless nights, more so if vulnerabilities in identity management and Active Directory are known.
To reiterate what has been said above, this change undermines traditional recovery strategies: organizations cannot simply restore from backups if those backups have also been destroyed. The broad infiltration across Active Directory trust boundaries and fragmented cloud environments gives Storm-0501 a lethal advantage.
Strategic Recommendations for Defense
Cybersecurity professionals must adapt to this evolving threat. Key recommendations include:
- Full deployment of Endpoint Detection and Response (EDR): Poorly onboarded or unmonitored systems in hybrid environments create blind spots that attackers exploit.
- Enforce strict identity hygiene: Require MFA on all Global Admins, especially non-human accounts; register hardware-backed methods where possible.
- Lock down Privileged Identity configurations: Implement least-privilege access models and enforce Conditional Access policies strictly, including trusted device requirements.
- Harden infrastructure: Enable TPM on Entra Connect Sync servers to protect stored credentials, and closely monitor those accounts.
- Audit and control federation: Vet any addition of federated domains and monitor for anomalous SAML trust modifications.
- Secure Azure resources and backup integrity: Apply immutable storage policies, resource-level locks, and encryption; segment and restrict public access to storage resources. This applies to other cloud services as well.
- Enhance detection capabilities across hybrid infrastructure: Use tooling with high visibility across on-premises and cloud systems, together with a cloud-aware SIEM, to surface suspicious changes to identities and resource configurations.
- Exercise ransomware response playbooks: Include cloud scenarios in tabletop simulations, especially those involving credential compromise, resource deletion, and identity misuse.
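Several of these recommendations (MFA on every Global Administrator, vetting federated domains, immutable and locked backup storage) can be turned into a repeatable posture check. The following is an added example, not code from the report; it runs over a constructed tenant snapshot whose field names are assumptions, standing in for what a Graph or Azure Resource Manager export would provide.

```python
# Constructed tenant snapshot for illustration; the field names are assumptions.
TENANT = {
    "users": [
        {"upn": "svc-backup@contoso.example", "roles": ["Global Administrator"],
         "synced_from_onprem": True, "mfa_methods": []},
        {"upn": "alice@contoso.example", "roles": ["Global Administrator"],
         "synced_from_onprem": False, "mfa_methods": ["fido2"]},
        {"upn": "bob@contoso.example", "roles": ["User Administrator"],
         "synced_from_onprem": True, "mfa_methods": ["authenticator"]},
    ],
    "domains": [
        {"name": "contoso.example", "auth_type": "Managed"},
        {"name": "login-contoso.example", "auth_type": "Federated",
         "issuer_uri": "http://sts.attacker-owned.example/adfs/services/trust"},
    ],
    "storage_accounts": [
        {"name": "prodbackups", "allow_public_access": True, "immutable": False, "lock": None},
        {"name": "auditarchive", "allow_public_access": False, "immutable": True,
         "lock": "CanNotDelete"},
    ],
}
# Issuers the organization actually operates (constructed); anything else is a finding.
EXPECTED_FEDERATED_ISSUERS = {"https://sts.contoso.example/adfs/services/trust"}
STRONG_METHODS = {"fido2", "windows_hello", "certificate"}  # phishing-resistant

def assess(tenant):
    """Return (finding, object) pairs for the controls the recommendations call for."""
    findings = []
    for u in tenant["users"]:
        if "Global Administrator" not in u["roles"]:
            continue
        if not u["mfa_methods"]:
            findings.append(("ga_without_mfa", u["upn"]))
        elif not set(u["mfa_methods"]) & STRONG_METHODS:
            findings.append(("ga_without_phishing_resistant_mfa", u["upn"]))
        if u["synced_from_onprem"]:  # on-prem compromise must not reach a cloud GA
            findings.append(("ga_synced_from_onprem", u["upn"]))
    for d in tenant["domains"]:
        if d["auth_type"] == "Federated" and d.get("issuer_uri") not in EXPECTED_FEDERATED_ISSUERS:
            findings.append(("unexpected_federated_domain", d["name"]))
    for s in tenant["storage_accounts"]:
        if s["allow_public_access"]:
            findings.append(("public_storage", s["name"]))
        if not (s["immutable"] and s["lock"]):  # backups need both to survive deletion
            findings.append(("backup_not_protected", s["name"]))
    return findings

if __name__ == "__main__":
    for finding in assess(TENANT):
        print(finding)
```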
Conclusion
Storm-0501’s emergence as a cloud-centric ransomware threat underscores an uncomfortable truth: attackers evolve as defenders lag. Cloud environments, once seen as safer than traditional infrastructure, now present new critical vulnerabilities when integrated with legacy on-prem systems.
For cybersecurity professionals, this means evolving with the attack surface. It means securing identities, enforcing least privilege policies, hybrid logging, rapid detection, and robust response plans that span on-prem and cloud. Only by bridging visibility and control across hybrid environments can defenders hope to blunt the growing threat from groups like Storm-0501.