>samit_hota
Back to adversary profiles
G1053HighActive

Storm-0501: An Evolving Hybrid Cloud Ransomware Threat

Samit Hota·
Suspected Origin
Unknown
Motivation
Financial Gain
Aliases
None documented
Target Sectors
Government, Manufacturing, Transportation, Law Enforcement, Healthcare, Education, Unspecified
Associated Malware
Sabbath, Hive, BlackCat, Hunters International, LockBit 3.0, Embargo, INC, Lynx, IcedID, Cobalt Strike
#threat-actor#g1053

Overview

Storm-0501, also identified by aliases such as Hunters International and Sabbath (or 54bb47h), is a highly adaptive and financially motivated cybercriminal group that has been actively operating since at least 2021. Initially, the group gained notoriety for deploying the Sabbath ransomware, particularly targeting U.S. school districts. Over time, Storm-0501 has significantly evolved its operational model, pivoting to a Ransomware-as-a-Service (RaaS) affiliate model to scale its operations and leverage various ransomware strains developed by other threat actors. This evolution has seen them adopt and operate multiple ransomware variants, including Hive, BlackCat (ALPHV), LockBit 3.0, and most recently, Embargo, INC, and Lynx.

A key characteristic of Storm-0501’s progression is its increasingly sophisticated focus on hybrid cloud environments. What began as on-premises ransomware deployment has matured into complex, multi-staged attacks that seamlessly traverse on-premises infrastructure and cloud services like Microsoft Azure and Microsoft 365. Their primary motivation remains financial gain through ransomware and data extortion, often employing double-extortion tactics. While a definitive origin is elusive, threat intelligence has noted similarities in tooling and infrastructure with other groups potentially originating from countries like China, Russia, and Vietnam. The group’s opportunistic targeting extends across a wide range of critical sectors, including government, manufacturing, transportation, law enforcement, healthcare, and education, predominantly within the United States.

Tactics & Techniques

Storm-0501 distinguishes itself through a blend of commodity tools, open-source utilities, and sophisticated attack methodologies, reflecting a deep understanding of modern enterprise architectures, particularly hybrid cloud deployments.

Initial access is frequently achieved through the exploitation of known vulnerabilities in publicly accessible applications such as Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and Adobe ColdFusion (CVE-2023-29300 or CVE-2023-38203). The group also relies on stolen credentials and the services of initial access brokers like Storm-0249 and Storm-0900 to gain a foothold.

Once inside a network, Storm-0501 prioritizes credential harvesting and lateral movement. They employ tools such as IcedID for credential theft and Cobalt Strike for robust command and control (C2) operations. They utilize post-exploitation tools like Impacket’s SecretsDump and Evil-WinRM to extract credentials (including via DCSync attacks) and facilitate movement across the network. Living off the land is a common tactic, leveraging legitimate system utilities like PowerShell scripts, Windows Task Scheduler, systeminfo.exe, net.exe, nltest.exe, and tasklist.exe to execute commands and maintain a low profile. To ensure persistent access, they deploy legitimate remote monitoring and management (RMM) tools such as AnyDesk, NinjaOne, and Level.io.

A critical aspect of their campaigns involves exploiting administrative privileges, often by compromising Domain Admin accounts or targeting non-human accounts with Global Administrator privileges and no multi-factor authentication (MFA). They reset passwords and register their own MFA methods to establish control. Pivoting from on-premises Active Directory to cloud environments, especially Microsoft Entra ID (formerly Azure AD), is a hallmark technique. They compromise Microsoft Entra Connect Sync accounts, which possess significant privileges, to move laterally and escalate privileges to Global Administrator roles in the cloud. Persistence in the cloud is established by creating backdoors through maliciously added federated domains in Entra ID, allowing them to sign in as virtually any user.

For defense evasion, Storm-0501 is known to detect endpoint security solutions and can tamper with them using Group Policy Objects (GPOs). They also pack their Cobalt Strike payloads with Themida to complicate analysis.

Data exfiltration is a critical phase, using tools like Rclone to transfer data to cloud storage services such as MegaSync, and AzCopy CLI to exfiltrate data to their own infrastructure.

Notable Campaigns

Storm-0501’s operational history showcases a continuous refinement of its attack strategies. The group emerged in 2021, initially targeting U.S. school districts with the Sabbath ransomware. This marked their entry into the cybercrime landscape as a financially motivated entity.

A significant shift occurred around 2023 when, following the takedown of the Hive RaaS network, Storm-0501 quickly adapted by adopting the BlackCat (ALPHV) ransomware variant. Later that same year, they introduced their own ransomware strain under the Hunters International brand, demonstrating a growing capability to develop and manage their own payloads.

In November 2023, the group broadened its target scope to include the healthcare sector, indicating an opportunistic approach to victim selection. The year 2024 saw them actively deploying Embargo ransomware in various attacks. Mid-2024 also brought the introduction of their Lynx ransomware strain, further illustrating their ongoing development and adaptation of their malware arsenal.

However, the most notable evolution in their campaigns, particularly prominent in 2024-2025, has been the aggressive pivot towards “cloud-native ransomware” tactics. This involves leveraging cloud capabilities to rapidly exfiltrate data, destroy cloud and on-premises backups, and then demand ransom, often bypassing the traditional deployment of encryption malware. This strategic shift highlights their adaptability and foresight in exploiting the growing reliance on hybrid cloud environments. Victims have reported ransom demands being communicated directly via platforms like Microsoft Teams, adding an extra layer of pressure.

Associated Malware & Tools

Storm-0501 leverages a diverse array of malware and tools, combining off-the-shelf commodities with custom scripts to execute their sophisticated attacks. Their ransomware portfolio has evolved significantly:

  • Sabbath (54bb47h): Their initial ransomware strain, used extensively in early campaigns.
  • Ransomware-as-a-Service (RaaS) variants: They have been affiliated with and deployed popular RaaS offerings including Hive, BlackCat (ALPHV), Hunters International, LockBit 3.0, and Embargo (tracked as S1247).
  • INC and Lynx: Newer ransomware strains, with Lynx being introduced in mid-2024.

Beyond ransomware payloads, the group utilizes a variety of tools for different stages of their attack chain:

  • Initial Access & Credential Theft: IcedID for malware-based credential harvesting. They also exploit known vulnerabilities in applications like Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion.
  • Post-Exploitation & Lateral Movement: Cobalt Strike is a staple for command and control, facilitating remote code execution. Impacket’s toolkit, including SecretsDump, wmiexec, smbexec, and atexec, is critical for credential dumping and lateral movement. PsExec is also used for remote execution.
  • Remote Access & Persistence: Legitimate remote monitoring and management (RMM) tools such as AnyDesk, NinjaOne, and Level.io are often deployed for persistent access. Evil-WinRM is utilized for remote code execution over Windows Remote Management.
  • Reconnaissance & Discovery: Obfuscated PowerShell scripts like ADRecon.ps1 (obfs.ps1 or recon.ps1) are used for Active Directory reconnaissance. Azurehound is employed for enumerating cloud environments. Native Windows tools like systeminfo.exe, net.exe, nltest.exe, and tasklist.exe are also leveraged.
  • Cloud-Specific Tools: AADInternals is a key tool for manipulating Microsoft Entra ID, including federated domain abuse for persistence and privilege escalation. For data exfiltration, they use Rclone to cloud storage like MegaSync, and AzCopy CLI to their own infrastructure. They also abuse Azure Key Vault operations for encryption key storage.
  • Defense Evasion: Themida is used as a packer for Cobalt Strike payloads.

Current Status

Storm-0501 (G1053) remains an active and highly dangerous threat actor, continuously adapting its tactics, techniques, and procedures (TTPs) to maximize impact and financial gain. Recent intelligence, particularly from 2024-2025, highlights a significant shift in their operations from traditional endpoint-based ransomware to cloud-native attacks targeting hybrid cloud environments.

Instead of solely relying on malware to encrypt on-premises files, the group is increasingly leveraging legitimate cloud capabilities to exfiltrate vast amounts of data, destroy cloud and on-premises backups, and demand ransom. This approach aims to cause widespread disruption and prevent effective data recovery by victims, making traditional incident response and recovery strategies less effective. They are proficient at moving between on-premises Active Directory and Microsoft Entra ID environments, exploiting synchronization accounts and escalating privileges to Global Administrator roles within the cloud.

Storm-0501’s targeting remains opportunistic, spanning various critical sectors including government, manufacturing, transportation, law enforcement, healthcare, and education in the United States. Their ongoing evolution, exemplified by the introduction of new ransomware strains like Lynx and their focus on cloud exploitation, demonstrates their persistence and a clear intent to remain at the forefront of the ransomware threat landscape. Organizations with hybrid cloud infrastructures, particularly those with inconsistent identity governance and unmanaged devices, are at significant risk from Storm-0501’s current campaigns. Robust cloud audit log monitoring and strengthened identity and access controls are now more critical than ever to detect and mitigate their advanced TTPs.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call