Embargo Ransomware Expands Attacks to Cloud Environments

Introduction

Ransomware continues to evolve, and the latest escalation in tactics comes from the Embargo ransomware group. Threat actor Storm-0501, known for its previous ties to various ransomware groups, has now shifted its focus towards hybrid cloud environments, targeting both on-premise and cloud-based systems. This strategic shift poses significant risks for organizations relying on cloud infrastructure, particularly those in critical sectors such as healthcare, government, transportation, and law enforcement.

In this blog, we will explore Storm-0501's new approach, the vulnerabilities exploited, and the best practices that organizations can adopt to protect themselves against this expanding threat.

Storm-0501: A History of Evolving Tactics

Originally emerging in 2021, Storm-0501 began as a ransomware affiliate for the Sabbath ransomware group. Over time, they became adept at deploying file-encrypting malware from notorious groups such as Hive, BlackCat, LockBit, and Hunters International. Recently, they have been observed deploying Embargo ransomware, which has escalated their attacks into cloud environments, compromising valuable assets across sectors.

Storm-0501's latest attacks have hit organizations in healthcare, government, manufacturing, and law enforcement, specifically in the United States. This growing focus on high-value targets underscores the threat actor’s ability to adapt its strategies and expand its reach.

Exploiting Cloud Environments

Storm-0501 gains access to cloud environments through various tactics, typically exploiting weak credentials and leveraging privileged accounts. The attackers aim to steal data and deploy ransomware payloads, significantly increasing the risk for organizations with sensitive information stored across multiple platforms

Their entry into networks often starts with stolen or purchased credentials, or by exploiting known vulnerabilities, including CVE-2022-47966 (Zoho ManageEngine), CVE-2023-4966 (Citrix NetScaler), and others like CVE-2023-29300 or CVE-2023-38203 (ColdFusion 2016). These vulnerabilities enable the attackers to bypass security measures and gain control over internal systems.

Once inside the network, they use lateral movement techniques, often employing tools such as Impacket and Cobalt Strike, and steal data using customized Rclone binaries that mimic legitimate Windows tools. Additionally, Storm-0501 disables security agents with PowerShell scripts, making it even harder for organizations to detect or stop their malicious activities.

Attacking Microsoft Entra ID (Azure AD)

A key part of Storm-0501's strategy involves leveraging stolen Microsoft Entra ID (formerly Azure AD) credentials. By compromising synchronization accounts, they are able to move from on-premise systems to cloud environments seamlessly. This allows them to maintain persistence by hijacking privileged accounts and bypassing multi-factor authentication if it's not properly configured.

Once attackers gain control of Directory Synchronization Accounts, they may use specialized tools like AADInternals to change cloud passwords and bypass additional security layers. If domain admin or other privileged accounts exist both on-premise and in the cloud, and lack strong security protections, attackers can use these credentials to further compromise cloud infrastructure.

The ultimate goal is to deploy Embargo ransomware across both on-premise and cloud environments, disrupting operations and demanding significant ransoms from affected organizations.

Embargo Ransomware in Action

Embargo ransomware is part of a Ransomware-as-a-Service (RaaS) model, built on Rust-based malware. Affiliates who successfully breach companies deploy the ransomware and share profits with the developers. This affiliate model allows the Embargo group to operate on a global scale, exploiting companies with little regard for geographical boundaries.

In August 2024, an affiliate successfully attacked the American Radio Relay League (ARRL), securing $1 million in exchange for a working decryptor. Earlier in the year, another affiliate breached Firstmac Limited, an Australian mortgage lending firm, leaking 500GB of sensitive data after negotiations failed. Protecting Against Ransomware Attacks

With ransomware groups like Storm-0501 expanding their attack surface into cloud environments, organizations must adopt more robust security practices to safeguard their assets. Here are several strategies to mitigate the risks:

Conclusion

As ransomware tactics continue to evolve, with groups like Storm-0501 targeting hybrid cloud environments, it is imperative for organizations to stay ahead of the threat curve. By implementing strong security measures, including robust authentication protocols, regular risk assessments, and proactive monitoring, organizations can mitigate the damage of potential ransomware attacks and safeguard their most valuable assets.

Cyber threats are growing more sophisticated, but with a proactive, security-first approach, businesses can ensure that their cloud environments remain secure and resilient in the face of evolving dangers.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.