Storm-0501 — ATT&CK profile

Overview

Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.

Capabilities

Destructive / data-wiping operations — ATT&CK T1485
Exploitation of public-facing / client applications — ATT&CK T1190

TTPs — 42 techniques across 13 tactics

Resource Development

T1587.003 Digital Certificates
T1588.006 Vulnerabilities

Initial Access

T1190 Exploit Public-Facing Application

Execution

T1053.005 Scheduled Task
T1059.001 PowerShell
T1059.009 Cloud API

Persistence

T1098.001 Additional Cloud Credentials
T1098.003 Additional Cloud Roles

Stealth

T1027.002 Software Packing
T1036.004 Masquerade Task or Service
T1078.004 Cloud Accounts
T1218.010 Regsvr32
T1218.011 Rundll32

Defense Impairment

Credential Access

T1003 OS Credential Dumping
T1003.006 DCSync
T1110 Brute Force
T1552.004 Private Keys
T1555.005 Password Managers
T1555.006 Cloud Secrets Management Stores

Discovery

Impact

Tools & malware (8)

Impacket · Tasklist · Cobalt Strike · Embargo · Rclone · Nltest · Net · AADInternals

Reporting (3)

Storm-0501’s evolving techniques lead to cloud-based ransomware — Microsoft Threat Intelligence
Storm-0501: Ransomware attacks expanding to hybrid cloud environments — Microsoft Threat Intelligence
An In-Depth Look at Ransomware Gang, Sabbath — Avertium