
System shock: Storm-0501 ransomware shifts into the cloud
The good news? Overall, ransomware rates are down. In 2025, just over 60% of businesses reported ransomware attacks, the lowest number since 2020.
The not-so-good news? Attackers are changing tactics. As a recent Microsoft Threat Intelligence analysis notes, the threat actor Storm-0501 has moved ransomware operations off-premises, putting both hybrid and cloud environments at risk. Here's what you need to know.
How: Storm-0501 attack basics
Traditional ransomware deployments happen on-prem. Attackers compromise local networks and deploy malicious payloads. Once executed, these payloads encrypt key files, and hackers demand a ransom for the decryption key.
Until recently, Storm-0501 followed this payload playbook, but in 2024 Microsoft observed the threat actor extending its attacks into cloud environments. Rather than a single new payload, the cloud side of the chain abuses legitimate identity features. The attack starts with a foothold: the attackers compromise an on-premises Active Directory environment, pivot across the directory synchronization link into the connected Microsoft Entra ID tenant, and escalate until they hold a Global Administrator-level role.
That level of control lets them register a malicious federated domain on the tenant, a backdoor that allows them to mint sign-in tokens for any user of the tenant, and it still leaves them free to deploy on-premises ransomware. The result is a one-two punch. Using traditional ransomware, the threat actors can encrypt on-site data and demand payment for its release. Leveraging complete cloud access, they can exfiltrate stored assets, delete backups and hold the data for ransom, with no encryption payload needed on the cloud side.
What: Common conditions for compromise
The key to Storm-0501's success lies in its dual approach to compromise, which lets the threat actor exploit the space between on-prem and cloud-based deployments.
Put simply, hybrid environments are more complex than their purely local counterparts. For companies to make the most of both cloud and local resources, they need digital bridges that connect disparate resources, services and applications, above all the identity synchronization between Active Directory and Entra ID. It's this digital gray area that creates problems: an identity that is trusted on both sides of the bridge carries an on-prem compromise straight into the cloud.
Consider Microsoft's analysis of a Storm-0501 attack. The targeted enterprise operated multiple subsidiaries, each with its own set of distinct but interconnected Azure (Entra ID) tenants. Each of these tenants had a different security posture, and only one used Microsoft Defender for Endpoint. In addition, Microsoft found that multiple Active Directory domains were synced to more than one tenant, making it harder for IT teams to manage and monitor these cloud instances.
The attack began with multiple compromises of on-prem systems. The threat actors ran commands such as "sc query sense" and "sc query windefend" to check whether the Defender for Endpoint sensor (the Sense service) or Microsoft Defender Antivirus was running on a host, and they moved laterally with Evil-WinRM, a PowerShell-over-Windows Remote Management (WinRM) tool, to reach systems without that coverage. From a system with no active defense they performed a DCSync attack, impersonating a domain controller to request replication of credential material, including password hashes, for the domain's users. With domain credentials in hand, they followed the path described above from Active Directory into the Entra ID tenant, where administrator-level control gave them near-complete access to the tenant and the data it stored, enabling exfiltration and encryption.
With this process complete, the attackers used a Teams account belonging to one of the company's compromised identities to contact executives and demand a ransom.
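The on-prem stages described above leave traces in ordinary Windows security telemetry. The following is an added example, not code from Microsoft's analysis or from the original post: a small detector that runs over constructed, simplified log lines (a key=value format, not a real Windows event export) and flags the Defender-status reconnaissance and the DCSync replication request. The domain controller names and the log format are assumptions for the example.

```python
"""Detect two on-prem Storm-0501 stages in constructed log lines.

Signals checked:
  1. Defender-status reconnaissance: process creation (event 4688) whose
     command line runs `sc query sense` or `sc query windefend`.
  2. DCSync: directory access event 4662 in which an account that is not a
     domain controller exercises the DS-Replication control-access rights.

The log format is a constructed key=value line format for this example; the
event IDs, service names and replication GUIDs are the real Windows values.
"""
import re
from dataclasses import dataclass

# Control-access-right GUIDs requested by DCSync-style replication:
# DS-Replication-Get-Changes, -Get-Changes-All, -Get-Changes-In-Filtered-Set.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}

# Accounts that legitimately replicate. Assumption for this example: the DC
# computer accounts are known. In production, also allow the Entra Connect
# AD DS connector account, which replicates for password hash sync.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

SC_QUERY_RE = re.compile(r"\bsc(?:\.exe)?\s+query\s+(sense|windefend)\b", re.IGNORECASE)
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


@dataclass
class Finding:
    rule: str
    host: str
    account: str
    detail: str


def parse_line(line):
    """Parse 'Key=value Key2="quoted value"' pairs into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def detect(lines):
    """Return a Finding for every line that matches one of the two signals."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        eid = ev.get("EventID")
        account = ev.get("Account", "")
        if eid == "4688":
            m = SC_QUERY_RE.search(ev.get("CommandLine", ""))
            if m:
                findings.append(Finding("defender-recon", ev.get("Host", "?"), account,
                                        f"queried service {m.group(1).lower()}"))
        elif eid == "4662":
            requested = set(GUID_RE.findall(ev.get("Properties", "").lower()))
            sam = account.split("\\")[-1]          # strip the DOMAIN\ prefix
            if requested & REPLICATION_GUIDS and sam not in DOMAIN_CONTROLLERS:
                findings.append(Finding("dcsync", ev.get("Host", "?"), account,
                                        "directory replication rights requested by a non-DC account"))
    return findings


# Constructed sample events: a workstation probing Defender, a legitimate
# DC-to-DC replication, and a DCSync from a compromised service account.
SAMPLE_LOGS = [
    'EventID=4688 Host=WS07 Account=CORP\\jdoe CommandLine="cmd.exe /c sc query sense"',
    'EventID=4688 Host=WS07 Account=CORP\\jdoe CommandLine="sc.exe query windefend"',
    'EventID=4688 Host=WS07 Account=CORP\\jdoe CommandLine="sc query spooler"',
    'EventID=4662 Host=DC01 Account=CORP\\DC02$ Properties="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID=4662 Host=DC01 Account=CORP\\svc_backup '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"[{f.rule}] host={f.host} account={f.account}: {f.detail}")
```

The two rules are deliberately narrow. The service-query check is cheap and high-signal on workstations, where nobody should be asking whether the EDR sensor is running; the 4662 check only works if the domain controllers audit Directory Service Access, and it must allow the Entra Connect connector account or it will fire on every password hash sync cycle.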
Where: Areas for enhanced protection
According to Sherrod DeGrippo, Microsoft director of threat intelligence, Storm-0501 represents a significant risk. "This threat actor has rapid adaptation and sector-agnostic targeting," she says. "Storm-0501 has demonstrated the ability to quickly change tactics and target a wide range of sectors, meaning any organization using cloud services could be a target."
For enterprises, the shift to cloud compromise speaks to the need for enhanced protection in three key areas:
Detection
The sooner companies can detect a potential compromise, the better prepared they are to contain it and remediate the impact. In practice, this requires solutions such as endpoint detection and response (EDR) that go beyond standard antivirus frameworks and flag suspicious behavior, such as the Defender-status checks, remote PowerShell sessions and domain controller replication requests seen in this attack, based on customized behavioral rules or operational conditions. Note that the attackers in Microsoft's analysis deliberately steered toward systems without EDR coverage, so the tool only helps where it is actually deployed.
Access
No matter the type or target of ransomware, businesses always benefit from the principle of least privilege. The fewer people who have access to administrative functions, the better.
This starts with solutions such as multifactor authentication (MFA). By ensuring users must provide something they have or something they are in addition to something they know, enterprises can reduce the risk of compromise. Next are conditional access policies. Instead of taking a one-and-done approach, conditional access policies evaluate multiple factors each time users attempt to log in. For example, if a user attempts to log in outside their normal access timeframe and from a new location, conditional access may request additional verification.
And these benefits aren't just theoretical. According to the Microsoft analysis, the attackers' first attempt to sign in as privileged users on the compromised hybrid tenants failed because of MFA and conditional access, forcing them to move to a different domain and try again. A consistently enforced policy across every tenant would have left them nowhere to go.
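Two of the conditions that made the cloud stage possible are easy to check for: a federated domain nobody expected (the backdoor described earlier) and a privileged account without MFA. The following is an added example, not code from the original post or from Microsoft: two posture checks written against the shape of the Microsoft Graph responses for `GET /v1.0/domains` and `GET /v1.0/reports/authenticationMethods/userRegistrationDetails`, run here on constructed sample data. The list of expected federated domains and the sample tenant contents are assumptions for the example; to run it for real, replace the `SAMPLE_*` constants with live responses.

```python
"""Entra ID posture checks: unexpected federated domains and admins without MFA.

The data structures mirror two Microsoft Graph endpoints:
  GET /v1.0/domains
      fields used: id, authenticationType ("Managed" or "Federated"), isVerified
  GET /v1.0/reports/authenticationMethods/userRegistrationDetails
      fields used: userPrincipalName, isAdmin, isMfaRegistered, methodsRegistered

The sample tenant below is constructed for this example.
"""


def unexpected_federated_domains(domains, expected_federated):
    """Return the names of federated domains that are not on the allow-list.

    Adding a federated domain is how Storm-0501 keeps a backdoor into a tenant:
    whoever controls the federation IdP can mint tokens for any user. Any
    federated domain that is not the organization's known identity provider
    deserves an incident ticket, not a review.
    """
    return sorted(
        d["id"]
        for d in domains
        if d.get("authenticationType") == "Federated" and d["id"] not in expected_federated
    )


def admins_without_mfa(registration_details):
    """Return UPNs of admin-role holders with no MFA method registered."""
    return sorted(
        r["userPrincipalName"]
        for r in registration_details
        if r.get("isAdmin") and not r.get("isMfaRegistered")
    )


def audit(domains, registration_details, expected_federated):
    """Run both checks and return a report dict; 'ok' is True only if both are clean."""
    fed = unexpected_federated_domains(domains, expected_federated)
    admins = admins_without_mfa(registration_details)
    return {"unexpected_federated_domains": fed, "admins_without_mfa": admins,
            "ok": not fed and not admins}


# Constructed sample data shaped like the Graph responses (assumption: the
# organization's only legitimate federation is to sso.example-corp.com).
EXPECTED_FEDERATED = {"sso.example-corp.com"}

SAMPLE_DOMAINS = [
    {"id": "example-corp.com", "authenticationType": "Managed", "isVerified": True, "isDefault": True},
    {"id": "examplecorp.onmicrosoft.com", "authenticationType": "Managed", "isVerified": True, "isInitial": True},
    {"id": "sso.example-corp.com", "authenticationType": "Federated", "isVerified": True},
    # Attacker-added backdoor domain: verified, federated, and unknown to the org.
    {"id": "login-examplecorp.net", "authenticationType": "Federated", "isVerified": True},
]

SAMPLE_REGISTRATION = [
    {"userPrincipalName": "admin@examplecorp.onmicrosoft.com", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "secadmin@example-corp.com", "isAdmin": True,
     "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "jdoe@example-corp.com", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
]

if __name__ == "__main__":
    report = audit(SAMPLE_DOMAINS, SAMPLE_REGISTRATION, EXPECTED_FEDERATED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run the same two checks against every tenant in the estate, not just the best-defended one; in Microsoft's analysis the attackers simply moved to the subsidiary tenant where the answer to "admins without MFA" was not an empty list.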
Storage
Successful ransomware efforts depend on compromising storage through encryption, exfiltration or deletion. As a result, hardened data storage processes can help frustrate attacker efforts. One example is immutable storage, both for cloud-stored data and for backups. The concept is simple: once written, the data cannot be changed or deleted until its retention period expires. Companies set their preferred policies, such as write once, read many (WORM), and can rest easier knowing that data isn't changeable. This type of storage is especially useful for backups. Even if attackers manage to compromise and delete key assets, companies can retrieve and restore uncorrupted data once the threat is contained and eliminated. One caveat matters here: an immutability policy that an administrator can switch off is one that an attacker holding administrator-level cloud control, as Storm-0501 did, can switch off too, so the policy should be locked, not merely enabled, and backups should live in a separate tenant or subscription from the workloads they protect.
Riding out the storm
As on-site security improves, attackers are looking to hybrid clouds for new compromise paths. For many companies, the multi-domain, multi-tenant nature of their cloud environments makes them susceptible to these attacks, especially if security practices aren't consistent across subsidiary networks.
Successfully riding out the storm means taking a three-pronged approach to protection that prioritizes detection, limits access and provides a pathway for complete data restoration.