Microsoft warns of ransomware gang shifting to steal cloud data, lock companies out of systems
Ransomware gangs are adjusting their tactics to steal data stored in the cloud and lock companies out of their own systems.
Microsoft published a warning on Wednesday about a campaign it recently witnessed involving a threat actor that has been launching ransomware attacks since 2021.
The threat actor has been able to rapidly exfiltrate large volumes of data while destroying backups and demanding ransoms, according to the tech company. “While the threat actor has been known for targeting hybrid cloud environments, their primary objective has shifted from deploying on-premises endpoint ransomware to using cloud-based ransomware tactics,” the incident responders said.
While ransomware gangs traditionally rely on deploying malware to encrypt files, the threat actor’s recent tactics show they no longer need to do that during attacks.
The hacker, which Microsoft refers to as Storm-0501, initially used the Sabbath ransomware during attacks on U.S. school districts in 2021 and has continued to use a variety of ransomware strains since then while targeting the healthcare sector. It most recently used the Embargo ransomware during attacks in 2024.
As the adoption of cloud systems has increased, the hacker has shifted its methods, targeting account information that offers global administrator privileges.
In the recent campaign tracked by Microsoft, the hacker was able to gain access to an unnamed “large enterprise composed of multiple subsidiaries” that had varying levels of security sophistication.
The hacker checked which subsidiaries and offices did not have Microsoft security tools enabled in an attempt to avoid being detected before moving laterally around the network. After multiple moves, they were able to find an account that did not have multi-factor authentication enabled, allowing them to reset the account’s password and register their own MFA method.
Once full access to the company’s cloud network was obtained, they created a backdoor that enabled them to sign in as almost any user. They used a variety of tools to locate the organization’s critical assets before exfiltrating troves of sensitive data and destroying the information.
The hacker also took the time to remove backups and then demanded a ransom.
“After completing the exfiltration phase, Storm-0501 initiated the mass-deletion of the Azure resources containing the victim organization data, preventing the victim from taking remediation and mitigation action by restoring the data,” Microsoft said.
“During the threat actor’s attempts to mass-delete the data-stores/housing resources, they faced errors and failed to delete some of the resources due to the existing protections in the environment.”
For data that could not be deleted, the hacker tried to use cloud-based encryption to lock the company out of its own data. This effort failed because the company was able to recover the key to unlock the data after the threat actor deleted it.
Microsoft said that after doing all of this, the hacker contacted the victim company through Microsoft Teams “using one of the previously compromised users, demanding ransom.”
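The chain described above has two steps a defender can look for in audit data: a password reset that is quickly followed by a new MFA method being registered on the same account, and a burst of resource-delete operations by a single identity. The script below is an added illustration, not code from Microsoft or from the article; it runs over constructed sample records whose field names (`time`, `category`, `activity`, `actor`, `target`) and activity strings are simplified assumptions rather than the real Entra ID or Azure Activity Log schema, and the account names, subscription id and timestamps are made up for the example.

```python
"""Detection sketch for the two-stage pattern in the Storm-0501 write-up:
(1) password reset -> MFA method registered on the same user within a short window,
(2) many Azure resource deletions by one actor in a short window.
Added example; sample records are constructed and use an assumed, simplified schema."""
import json
from datetime import datetime, timedelta

# Constructed sample log (JSON lines). Not a real Microsoft export.
SAMPLE_LOG = """
{"time": "2025-08-20T09:00:12Z", "category": "UserManagement", "activity": "Reset user password", "actor": "it-helpdesk@contoso.example", "target": "svc-legacy@contoso.example"}
{"time": "2025-08-20T09:04:47Z", "category": "UserManagement", "activity": "User registered security info", "actor": "svc-legacy@contoso.example", "target": "svc-legacy@contoso.example"}
{"time": "2025-08-20T10:15:00Z", "category": "UserManagement", "activity": "Reset user password", "actor": "it-helpdesk@contoso.example", "target": "bob@contoso.example"}
{"time": "2025-08-21T08:00:00Z", "category": "UserManagement", "activity": "User registered security info", "actor": "bob@contoso.example", "target": "bob@contoso.example"}
{"time": "2025-08-20T11:00:01Z", "category": "Administrative", "activity": "Microsoft.Storage/storageAccounts/delete", "actor": "svc-legacy@contoso.example", "target": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/prod-data/providers/Microsoft.Storage/storageAccounts/prodblob01"}
{"time": "2025-08-20T11:00:19Z", "category": "Administrative", "activity": "Microsoft.Storage/storageAccounts/delete", "actor": "svc-legacy@contoso.example", "target": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/prod-data/providers/Microsoft.Storage/storageAccounts/prodblob02"}
{"time": "2025-08-20T11:00:41Z", "category": "Administrative", "activity": "Microsoft.Sql/servers/delete", "actor": "svc-legacy@contoso.example", "target": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/prod-data/providers/Microsoft.Sql/servers/prodsql01"}
{"time": "2025-08-20T11:01:05Z", "category": "Administrative", "activity": "Microsoft.RecoveryServices/vaults/delete", "actor": "svc-legacy@contoso.example", "target": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/prod-backup/providers/Microsoft.RecoveryServices/vaults/prodvault"}
{"time": "2025-08-20T11:01:30Z", "category": "Administrative", "activity": "Microsoft.Resources/subscriptions/resourceGroups/delete", "actor": "svc-legacy@contoso.example", "target": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/prod-data"}
{"time": "2025-08-22T15:30:00Z", "category": "Administrative", "activity": "Microsoft.Compute/virtualMachines/delete", "actor": "alice@contoso.example", "target": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/dev/providers/Microsoft.Compute/virtualMachines/devvm03"}
"""


def parse_events(log_text):
    """Parse JSON lines into dicts with a datetime 'time' field, sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def find_mfa_takeovers(events, window=timedelta(minutes=60)):
    """Pair each password reset with an MFA registration on the same target
    that happens within `window` afterwards. One hit per (reset, registration)."""
    resets = [e for e in events if e["activity"] == "Reset user password"]
    regs = [e for e in events if e["activity"] == "User registered security info"]
    hits = []
    for r in resets:
        for g in regs:
            gap = g["time"] - r["time"]
            if g["target"] == r["target"] and timedelta(0) <= gap <= window:
                hits.append({"user": r["target"], "reset_by": r["actor"],
                             "reset_at": r["time"], "mfa_registered_at": g["time"]})
    return hits


def find_deletion_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding window per actor: alert once when `threshold` or more delete
    operations fall inside `window`. A single routine delete does not trigger."""
    by_actor = {}
    for e in events:
        if e["activity"].endswith("/delete"):
            by_actor.setdefault(e["actor"], []).append(e)
    bursts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append({"actor": actor, "count": end - start + 1,
                               "first": evs[start]["time"], "last": evs[end]["time"]})
                break  # one alert per actor is enough
    return bursts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for h in find_mfa_takeovers(evs):
        print(f"[MFA takeover?] {h['user']}: reset by {h['reset_by']} at "
              f"{h['reset_at']:%H:%M:%S}, MFA registered at {h['mfa_registered_at']:%H:%M:%S}")
    for b in find_deletion_bursts(evs):
        print(f"[Deletion burst] {b['actor']}: {b['count']} deletes between "
              f"{b['first']:%H:%M:%S} and {b['last']:%H:%M:%S}")
```

The windows and the threshold are tunable knobs, not values from the article. In the sample, `bob@contoso.example` registers a method almost a day after a reset and is not flagged, while the service account that is reset and enrolled within five minutes and then deletes five resources in ninety seconds produces both alerts.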
Multiple security companies have warned that sophisticated hackers who used ransomware in the past have shifted to targeting data stored by companies in the cloud. Over the last year, there have been several high-profile campaigns involving data stolen from storage giants like Snowflake and Salesforce.
On Monday, Google said it spotted a campaign where hackers used a third party service to steal Salesforce data — with the main goal appearing to be the theft of login credentials that could “allow them to further compromise victim and client environments, as well as pivot to the victim's clients or partner environments.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.