Embargo Ransomware Attacking Cloud Environments

Date: September 30, 2024


Microsoft has issued a warning about the ransomware group Storm-0501, which has shifted its tactics to target hybrid cloud environments, expanding its focus to compromise both on-premises and cloud assets, Bleeping Computer reports.

Originally emerging in 2021 as an affiliate of the Sabbath ransomware group, Storm-0501 has since deployed ransomware from several high-profile gangs, including Hive, BlackCat, and LockBit. Recently, it has been observed using the Embargo ransomware.

The group has targeted various sectors such as healthcare, government, manufacturing, and law enforcement agencies in the United States. Storm-0501 gains access to cloud environments by exploiting weak credentials and privileged accounts, allowing them to steal data and deploy ransomware payloads.  

Initial access is often obtained through stolen or purchased credentials or by exploiting vulnerabilities like CVE-2022-47966 (Zoho ManageEngine) and CVE-2023-4966 (Citrix NetScaler).

Storm-0501 moves laterally within networks using tools like Impacket and Cobalt Strike and uses custom binaries for data exfiltration. They disable security defenses with PowerShell commands and exploit stolen Microsoft Entra ID (formerly Azure AD) credentials to move from on-premises to cloud environments.  

By leveraging these credentials, the attackers compromise synchronization accounts and hijack sessions to establish persistence. Once inside the cloud infrastructure, Storm-0501 creates a new federated domain, enabling them to authenticate as any user.  

They deploy the Embargo ransomware across the organization’s assets using compromised accounts and techniques such as scheduled tasks or Group Policy Objects (GPOs) to encrypt files and maintain backdoor access for future operations.
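The federated-domain persistence step described above is one of the few points in this chain that leaves an unambiguous trace in the Entra ID audit log. The following detection script is an added example, not code from Microsoft, Bleeping Computer or Halcyon; the record layout and operation names follow the Microsoft Graph directoryAudit schema as an assumption, the audit records are constructed sample data, and the "Sync_" actor heuristic and the KNOWN_FEDERATED allow-list are placeholders a real tenant would replace with its own values.

```python
"""Flag Entra ID audit events that add or re-federate a domain.

A new federated domain lets an attacker sign tokens for any user, so any
successful domain-authentication change on a domain outside the approved
set, especially one made by a directory synchronization account, deserves
an alert. Field names follow the Graph directoryAudit schema (assumption).
"""
import json

# Assumed audit operation names that alter domain authentication/federation.
FEDERATION_OPS = {
    "Set federation settings on domain",
    "Set domain authentication",
    "Add unverified domain",
    "Verify domain",
}

# Domains the tenant legitimately federates (placeholder allow-list).
KNOWN_FEDERATED = {"corp.example"}

SAMPLE_AUDIT_LOG = json.dumps([  # constructed sample records, not real logs
    {"activityDateTime": "2024-09-27T02:11:05Z",
     "activityDisplayName": "Set domain authentication", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "Sync_SRV01_a1b2@corp.example"}},
     "targetResources": [{"displayName": "attacker-added.example", "type": "Domain"}]},
    {"activityDateTime": "2024-09-27T02:09:50Z",
     "activityDisplayName": "Add unverified domain", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "Sync_SRV01_a1b2@corp.example"}},
     "targetResources": [{"displayName": "attacker-added.example", "type": "Domain"}]},
    {"activityDateTime": "2024-09-27T09:00:00Z",
     "activityDisplayName": "Update user", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@corp.example"}},
     "targetResources": [{"displayName": "jdoe", "type": "User"}]},
])


def find_federation_changes(raw_json: str, known: set = KNOWN_FEDERATED) -> list:
    """Return alerts, oldest first, for successful federation changes on unapproved domains."""
    alerts = []
    for rec in json.loads(raw_json):
        if rec.get("activityDisplayName") not in FEDERATION_OPS or rec.get("result") != "success":
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<app>")
        for target in rec.get("targetResources", []):
            domain = target.get("displayName", "").lower()
            if target.get("type") == "Domain" and domain not in known:
                alerts.append({"time": rec["activityDateTime"], "actor": actor,
                               "operation": rec["activityDisplayName"], "domain": domain,
                               # Entra Connect sync accounts have no business changing federation
                               "actor_is_sync": actor.lower().startswith("sync_")})
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in find_federation_changes(SAMPLE_AUDIT_LOG):
        print(alert)
```

Run over the sample data it reports the two domain changes made by the sync account and ignores the routine user update; pointing it at exported audit records instead of the embedded sample is the only change needed for a real tenant.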

Takeaway: Most large enterprises operate in hybrid environments that span both on-premises data centers and cloud infrastructures. These mixed environments enable organizations to leverage the strengths of each platform, such as the control of local data centers and the scalability and flexibility of cloud services.  

Conversely, smaller businesses typically rely heavily on cloud solutions due to their cost-effectiveness and ease of management compared to the high overhead required to build and maintain private data centers.

Ransomware operators are acutely aware of the cloud’s critical role in modern business operations and have adapted their tactics accordingly. They are now targeting hybrid environments with sophisticated strategies designed to infiltrate both on-premises and cloud systems.  

By compromising cloud-based backups and services, these attackers can broaden the scope of their attacks, cause more widespread disruption, and ultimately demand higher ransoms.

Once a threat actor has established a foothold, whether through phishing, credential theft, or exploiting unpatched vulnerabilities, the physical location of servers becomes irrelevant.  

With elevated privileges, attackers can navigate an organization’s interconnected network, execute lateral movement, and compromise both cloud and on-premises assets. This is why perimeter-based defenses alone are no longer sufficient; a zero-trust architecture and robust identity and access management controls are essential.

Ransomware groups have also started utilizing programming languages like Rust, which enable the development of cross-platform payloads capable of executing on both Windows and Linux systems. This evolution significantly increases their reach, making cloud environments – which often rely on Linux-based infrastructure – more vulnerable to attack.

An increasing number of organizations depend on the cloud not only for operational purposes but also for critical data backups. This approach is often underpinned by the belief that cloud backups offer a secure path to recovery in the event of a ransomware attack or other significant compromise of primary systems.  

However, this assumption is being aggressively challenged by cybercriminals. Relying solely on cloud backups for data recovery is a flawed strategy. While cloud backups are a critical component of a disaster recovery plan, they should not be viewed as a silver bullet.  

Even when intact backups are available, restoring systems to their pre-attack state can be a complex, resource-intensive process. This often requires manually wiping infected devices and re-imaging them, which can take weeks or even months to complete and result in considerable operational costs and downtime.

Cloud environments, like their on-premises counterparts, require a comprehensive security strategy that includes segmentation, robust access controls, and continuous monitoring and response capabilities.  

Organizations should approach cloud security with the same rigor as they do for on-premises environments, understanding that a breach in one part of the network could have cascading effects across their entire hybrid infrastructure. While cloud adoption offers many advantages, it does not inherently provide superior security.  

The key is to treat cloud environments with the same security scrutiny and defense-in-depth strategies as traditional data centers. This mindset is critical to ensuring the resiliency and integrity of business operations in the face of evolving cyber threats.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.