Cybercriminals are targeting hybrid cloud platforms with a worrying new strain of ransomware, Microsoft security researchers have revealed.
The company’s threat intelligence experts have published a new blog post warning about Storm-0501, a ransomware affiliate group active since 2021.
The team has warned that Storm-0501 is targeting several industries in the United States, from government and manufacturing to transportation and law enforcement.
Rust-built ransomware
Microsoft researchers believe the group is financially motivated rather than state-sponsored: it targets companies with the intention of extorting money, which is then likely used to finance additional cybercriminal activity.
When it attacks, Storm-0501 looks for poorly secured, over-privileged accounts. Once compromised, the accounts are used to grant access to on-premises devices and from there to cloud environments. The next step is to achieve persistence and enable unabated lateral movement throughout the infrastructure.
The final step is the introduction of ransomware. In the past, Storm-0501 used popular variants such as Hive, BlackCat (ALPHV), Hunters International and LockBit. However, in some of the more recent attacks, the group used a ransomware variant called Embargo.
Embargo is a relatively new strain, developed in Rust. Microsoft researchers say it uses advanced encryption methods and operates under the RaaS model (meaning someone else develops and maintains the encryptor in exchange for a share of the final loot). While using Embargo, Storm-0501 opts for the old and proven tactic of double extortion, where they first steal a victim’s files, then encrypt the rest and threaten to leak them online unless the victim pays a ransom.
In the cases analyzed by Microsoft, Storm-0501 leveraged compromised domain administrator accounts and deployed Embargo through scheduled tasks. The names of the ransomware binaries used were PostalScanImporter.exe and win.exe. The extensions of the encrypted files were .partial, .564ba1 and .embargo.
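As an added example (not code from Microsoft's report or this article), the following Python checker flags scheduled-task actions that launch the binary names above and files carrying the listed extensions; the task names, paths and sample records are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators stated in the article: the ransomware binary names Storm-0501
# launched through scheduled tasks, and the extensions of encrypted files.
EMBARGO_BINARIES = {"postalscanimporter.exe", "win.exe"}
EMBARGO_EXTENSIONS = {".partial", ".564ba1", ".embargo"}


def executable_basename(command: str) -> str:
    """Return the lower-cased file name of the program a task action runs,
    ignoring its directory and arguments (quoted paths may contain spaces)."""
    command = command.strip()
    if command.startswith('"'):
        program = command[1:].split('"', 1)[0]
    else:
        program = command.split(None, 1)[0] if command else ""
    return re.split(r"[\\/]", program)[-1].lower()


def is_embargo_task(command: str) -> bool:
    """True if the task action launches one of the known binary names."""
    return executable_basename(command) in EMBARGO_BINARIES


def is_embargo_encrypted(filename: str) -> bool:
    """True if the file carries one of the extensions Embargo appends."""
    return PureWindowsPath(filename).suffix.lower() in EMBARGO_EXTENSIONS


def find_embargo_tasks(records):
    """Filter (task_name, action_command) records down to the suspicious ones."""
    return [name for name, command in records if is_embargo_task(command)]


# Constructed sample records (hypothetical task names and paths, not real
# telemetry): each tuple is (task name, command the task executes).
SAMPLE_TASKS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", r"%windir%\system32\defrag.exe -c -h -o -$"),
    ("\\Updater", r'"C:\Users\Public\PostalScanImporter.exe" --quiet'),
    ("\\Backup", r"C:\ProgramData\WIN.EXE"),
    ("\\Cleanup", r"C:\Windows\System32\cleanmgr.exe /autoclean"),
]

if __name__ == "__main__":
    for task in find_embargo_tasks(SAMPLE_TASKS):
        print("suspicious scheduled task:", task)
    for path in (r"C:\Data\report.docx.embargo", r"C:\Data\notes.txt"):
        print(path, "->", "encrypted" if is_embargo_encrypted(path) else "clean")
```

Matching on the executable's base name rather than its full path keeps the check useful when the binary is dropped in a different directory, though a renamed binary will not be caught by name alone.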
It is also worth noting that Storm-0501 sometimes refrains from deploying the encryptor and only retains access to the network.