What happened?
On 27 August 2025, Microsoft Threat Intelligence reported an evolution in Storm-0501’s campaign. The financially motivated group has shifted from deploying traditional endpoint ransomware to conducting cloud-based ransomware operations in hybrid environments - meaning attacks now target both on-premises servers and cloud services like Microsoft 365 or Azure. Instead of just locking files on a single computer, Storm-0501’s approach lets them reach deeper into an organisation’s infrastructure, including shared cloud data and backups.
Instead of encrypting data, Storm-0501 was observed stealing sensitive cloud data, destroying on-premises and cloud backups, and extorting victims by threatening exposure or permanent loss. This represents both a technical shift, towards abusing cloud-native tools, and a strategic shift in impact: victims now have two problems at once, data that is inaccessible and data that is publicly exposed.[1]
The group targets hybrid environments (a mix of on-premises systems and cloud services) opportunistically, searching for devices not managed by IT (such as personal laptops connected to company networks, outdated servers, or test systems) and for gaps in security settings that leave them exposed.
In a recent campaign, Storm-0501 compromised a large company by identifying a non-human account (an account of the kind typically used by applications or automated processes) that held Global Administrator privileges and had no multi-factor authentication (MFA). They reset the on-premises password for the account, let the change sync to the cloud identity, and registered a new MFA method under their own control. This gave the attackers the same level of control as a cloud administrator, allowing them to create or delete accounts, access emails and files, change security settings, and remove backups.
Storm-0501 then escalated privileges further by assigning itself Owner roles across the Azure environment, exfiltrated data and deleted backups. Extortion communications were sometimes delivered to employees through Microsoft Teams.
The group has been active since 2021, previously deploying ransomware including Sabbath, Embargo, Hive, BlackCat/ALPHV, Hunters International, and LockBit.
So what?
Storm-0501 represents a shift in ransomware operations. Attacks no longer require malware deployment. Instead of relying on malicious software, attackers now gain control by breaking into accounts, compromising system access, and abusing identities (both user and service accounts).
Hybrid environments are high-value targets. Fragmented security coverage allows attackers to move between on-premises and cloud. Traditional recovery strategies are ineffective when attackers can delete backups and cloud resources.
Non-human identities with elevated privileges also pose a critical risk. Misconfigured MFA and incomplete endpoint coverage can be exploited systematically.
This method is likely to be replicated by other ransomware groups. Cloud-based ransomware is more difficult to detect and respond to than traditional endpoint-based attacks.[2]
Immediate actions for organisations
Organisations can reduce risk by addressing identities, infrastructure, and accounts:
- Identity and access management - use cloud-native Global Administrator accounts; enforce phishing-resistant MFA; review federation and Microsoft Entra Connect configurations.
- Infrastructure protection - ensure full Microsoft Defender for Endpoint coverage, enable tamper protection, and apply immutable storage policies to cloud resources.
- User and account safeguards - use unique passwords, enable account activity notifications, and review application permissions regularly.
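As an added example (not from the original brief or from Microsoft's report), the following PowerShell audit uses the Microsoft Graph SDK to list Global Administrator role holders that share the weaknesses abused in this campaign: synced from on-premises rather than cloud-native, lacking a registered MFA method, or a non-user (service) principal. It assumes the Microsoft.Graph modules are installed and the operator can consent to the read-only scopes shown; the function name Get-RiskyGlobalAdmins is our own.

```powershell
# Added example, not part of the original brief. Read-only audit of the
# Global Administrator role for the two weaknesses Storm-0501 abused:
# an admin synced from on-premises (so an on-prem password reset flows
# to the cloud) and an admin with no MFA method registered.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.Read.All','AuditLog.Read.All' -NoWelcome

function Get-RiskyGlobalAdmins {
    # Get-MgDirectoryRole returns activated roles; match the GA role by name client-side.
    $role = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq 'Global Administrator' }
    if (-not $role) { throw 'Global Administrator role not found in this tenant' }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $member.AdditionalProperties['@odata.type']
        if ($type -ne '#microsoft.graph.user') {
            # Service principals or groups holding GA are non-human identities; review each.
            [pscustomobject]@{
                Id = $member.Id; Principal = $type; Enabled = $null
                Finding = 'Non-user principal holds Global Administrator'
            }
            continue
        }

        $user = Get-MgUser -UserId $member.Id -Property 'id,userPrincipalName,onPremisesSyncEnabled,accountEnabled'
        # Registration report: IsMfaRegistered is false when no MFA method exists for the user.
        $reg  = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $member.Id

        $findings = @()
        # onPremisesSyncEnabled is $null for cloud-only users, so only synced admins match here.
        if ($user.OnPremisesSyncEnabled) { $findings += 'Synced from on-premises (not cloud-native)' }
        if (-not $reg.IsMfaRegistered)    { $findings += 'No MFA method registered' }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Id = $user.Id; Principal = $user.UserPrincipalName; Enabled = $user.AccountEnabled
                Finding = ($findings -join '; ')
            }
        }
    }
}

# Every row returned is an account to migrate to a cloud-native identity, enrol in
# phishing-resistant MFA, or remove from the role.
Get-RiskyGlobalAdmins | Format-Table -AutoSize
```

Run it with an account that can read role assignments and the authentication methods report; an empty table means no Global Administrator is synced from on-premises, unregistered for MFA, or a non-user principal.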
It is also important to recognise that security tools such as Microsoft Defender require paid licensing, but alternatives exist that provide similar levels of protection. Likewise, controls like password policies, activity alerts, and application reviews must be balanced against usability and administrative workload.
Future threat landscape
The evolution of Storm-0501 highlights the need for Zero Trust strategies - every access request should be treated as untrusted until validated.
Hybrid environments must be monitored continuously. Organisations must reassess which workloads are cloud-ready and which require additional hardening.
Cloud-native ransomware may be combined with AI-driven automation, supply chain compromise, or other advanced techniques. Future campaigns could become faster, more precise, and harder to detect.
Hybrid security, identity management, and Zero Trust adoption are essential to defend against this evolving threat landscape.