Hybrid cloud environments being targeted by worrying new ransomware attacks

Microsoft researchers catch the Embargo ransomware in the wild


Cybercriminals are targeting hybrid cloud platforms with a worrying new ransomware strain, Microsoft security researchers have revealed.

Threat intelligence experts from the company have published a new blog post warning of Storm-0501, a ransomware affiliate group active since 2021.

The team has warned that Storm-0501 is targeting different verticals across the United States, including government, manufacturing, transportation, and law enforcement.

Rust-built ransomware

Microsoft’s researchers believe the group is financially motivated, meaning it is not a state-sponsored player, as it targets firms with the intent of extorting money, which is then likely used to fund additional cybercriminal activity.

When it attacks, Storm-0501 looks for poorly protected, over-privileged accounts. Once compromised, the accounts are used to grant access to on-prem devices, and from there, cloud environments. The next step is to establish persistence and allow unabated lateral movement throughout the infrastructure.

The final step is the introduction of ransomware. In the past, Storm-0501 used popular variants, such as Hive, BlackCat (ALPHV), Hunters International, and LockBit. However, in some of the more recent attacks, the group used a ransomware variant called Embargo.

Embargo is a relatively new strain, developed in Rust. Microsoft’s researchers state that it uses advanced encryption methods and operates under the RaaS model (meaning someone else develops and maintains the encryptor, and takes a share of the eventual spoils). While using Embargo, Storm-0501 goes for the old and proven double-extortion tactic: the attackers first steal a victim’s files, then encrypt the rest, and threaten to leak the stolen data online unless the victim pays a ransom.


In the cases Microsoft analyzed, Storm-0501 leveraged compromised Domain Admin accounts and deployed Embargo via scheduled tasks. The ransomware binary names used were PostalScanImporter.exe and win.exe, and the encrypted files carried the extensions .partial, .564ba1, and .embargo.
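As an added example (not from Microsoft's report or the article), the following hunt logic turns the indicators above into two checks a defender can run: it parses the task definition XML that Windows records in Security event 4698 (scheduled task created) and flags actions launching the named binaries, and it flags files carrying the reported extensions. The event XML layout follows the standard Windows task schema; the event and file listing below are constructed samples.

```python
"""Hunt for the Storm-0501 / Embargo indicators reported by Microsoft:
scheduled-task actions launching PostalScanImporter.exe or win.exe, and
files ending in .partial, .564ba1 or .embargo. Samples are constructed."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

EMBARGO_BINARIES = {"postalscanimporter.exe", "win.exe"}
EMBARGO_EXTENSIONS = {".partial", ".564ba1", ".embargo"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def task_commands(task_xml: str) -> list[str]:
    """Return every <Exec><Command> in the task definition logged in event 4698."""
    root = ET.fromstring(task_xml)
    return [c.text.strip() for c in root.iterfind(".//t:Exec/t:Command", TASK_NS) if c.text]


def suspicious_task(task_xml: str) -> list[str]:
    """Commands whose executable file name matches a reported Embargo binary name."""
    return [cmd for cmd in task_commands(task_xml)
            if PureWindowsPath(cmd.strip('"')).name.lower() in EMBARGO_BINARIES]


def encrypted_files(paths) -> list[str]:
    """Paths whose final extension is one Embargo appended to encrypted files.
    Note: .partial is also used by ordinary download managers, so treat that
    extension alone as a weak signal and corroborate with the other two."""
    return sorted(p for p in paths if PureWindowsPath(p).suffix.lower() in EMBARGO_EXTENSIONS)


# Constructed sample of the TaskContent field from a Security event 4698.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>C:\\ProgramData\\PostalScanImporter.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample file listing from a file share.
SAMPLE_FILES = ["D:\\shares\\finance\\q3.xlsx.embargo",
                "D:\\shares\\hr\\payroll.docx.564ba1",
                "D:\\shares\\hr\\readme.txt",
                "C:\\temp\\download.partial"]

if __name__ == "__main__":
    print("suspicious task actions:", suspicious_task(SAMPLE_TASK))
    print("possibly encrypted files:", encrypted_files(SAMPLE_FILES))
```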

It is also worth mentioning that Storm-0501 sometimes refrains from deploying the encryptor and just maintains access to the network.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
