An affiliate of major RaaS gangs launches its own operation
A former affiliate of several major ransomware-as-a-service (RaaS) gangs has formed his own ransomware organization.
Microsoft Threat Intelligence discovered a group it dubbed “Storm-0501” targeting hybrid cloud environments and making “lateral movement from the on-premises environment to the cloud environment.” It has been observed exfiltrating data, deploying ransomware, stealing credentials, and more.
The threat actor has been active since 2021, deploying ransomware payloads from other ransomware gangs including LockBit, ALPHV (BlackCat), Hive, Hunters International, and most recently Embargo.
“Embargo ransomware is a new strain developed in Rust, known for using advanced encryption methods. Operating under the RaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom,” Microsoft said.
“Embargo affiliates employ double extortion tactics, where they first encrypt a victim’s files and threaten to release the stolen sensitive data unless a ransom is paid.”
The group targets government, law enforcement, transportation and manufacturing organizations, but has recently been seen targeting US hospitals.
The group largely works using stolen credentials to access networks, leading to persistent backdoor access and possible ransomware deployment once Storm-0501 reaches a domain controller.
According to Microsoft’s research, the group relies largely on common Windows-native tools such as systeminfo.exe, nltest.exe, tasklist.exe, net.exe and many others. It also uses tools such as AnyDesk and other open source programs for remote reconnaissance and access.
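Because every tool named above is a legitimate Windows binary, a single execution is not a useful signal; what stands out is a cluster of distinct discovery commands from one user on one host in a short window. The following is an added example, not Microsoft’s detection logic or anything from the article: it runs that clustering rule over a few constructed process-creation log lines in a simplified, hypothetical "timestamp host user image command_line" format (the hostnames, users and timestamps are invented).

```python
"""Flag hosts where several Windows-native discovery tools run in a short window.

Added example; the log format below is a constructed, simplified
"timestamp host user image command_line" layout, not a real Sysmon or
Security-log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery binaries the article names. Each is legitimate on its own, so the
# detection keys on a cluster of distinct tools, not on any single execution.
RECON_TOOLS = {"systeminfo.exe", "nltest.exe", "tasklist.exe", "net.exe"}

# Constructed sample events (hypothetical hosts, users and times).
SAMPLE_LOG = """\
2024-09-20T10:01:05 WS-0412 corp\\jdoe C:\\Windows\\System32\\systeminfo.exe systeminfo
2024-09-20T10:01:40 WS-0412 corp\\jdoe C:\\Windows\\System32\\nltest.exe nltest /dclist:corp
2024-09-20T10:02:10 WS-0412 corp\\jdoe C:\\Windows\\System32\\net.exe net group "Domain Admins" /domain
2024-09-20T10:02:55 WS-0412 corp\\jdoe C:\\Windows\\System32\\tasklist.exe tasklist /v
2024-09-20T11:15:00 SRV-FILE01 corp\\svc_backup C:\\Windows\\System32\\net.exe net use Z: \\\\nas\\backup
2024-09-20T09:00:00 WS-0099 corp\\asmith C:\\Windows\\System32\\tasklist.exe tasklist
2024-09-20T16:30:00 WS-0099 corp\\asmith C:\\Windows\\System32\\systeminfo.exe systeminfo
"""


def parse_events(log_text):
    """Parse the constructed log format into dicts with a datetime and tool basename."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # The command line may contain spaces, so split into at most five fields.
        ts, host, user, image, cmdline = line.split(maxsplit=4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "user": user.lower(),
            "tool": image.rsplit("\\", 1)[-1].lower(),  # basename of the image path
            "cmdline": cmdline,
        })
    return events


def detect_recon_clusters(log_text, window_minutes=10, min_distinct_tools=3):
    """Return one alert per (host, user) that ran >= min_distinct_tools distinct
    discovery binaries within any window_minutes-long window."""
    by_actor = defaultdict(list)
    for ev in parse_events(log_text):
        if ev["tool"] in RECON_TOOLS:
            by_actor[(ev["host"], ev["user"])].append(ev)

    window = timedelta(minutes=window_minutes)
    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        # Slide a window anchored at each event and count distinct tools inside it.
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            tools = {e["tool"] for e in in_window}
            if len(tools) >= min_distinct_tools:
                alerts.append({
                    "host": host,
                    "user": user,
                    "tools": sorted(tools),
                    "first_seen": in_window[0]["time"].isoformat(),
                    "last_seen": in_window[-1]["time"].isoformat(),
                })
                break  # one alert per host/user pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_clusters(SAMPLE_LOG):
        print(f"{alert['host']} {alert['user']}: {', '.join(alert['tools'])} "
              f"between {alert['first_seen']} and {alert['last_seen']}")
```

On the sample, only the WS-0412 session trips the rule: four distinct discovery tools inside two minutes. The backup service account’s lone `net use` and the two tasklist/systeminfo runs hours apart on WS-0099 stay below threshold, which is the point of keying on distinct-tool count and a time window rather than on any single binary.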
Microsoft says that in some cases the ransomware was not distributed and the threat actors only maintained access to the network.
“Once the threat actor gained sufficient control over the network, successfully extracted sensitive files, and successfully moved laterally to the cloud environment, the threat actor then deployed the Embargo ransomware throughout the organization’s network,” Microsoft said.
Microsoft says it offers solutions to detect Storm-0501 activity in its Defender XDR, while its Entra Connect Sync can be used to detect login events and unauthorized activity.