Embargo Ransomware Expands Attacks to Cloud

September 30, 2024

Microsoft has issued a stark warning regarding the ransomware group Storm-0501, which has recently intensified its attacks by targeting hybrid cloud environments using Embargo ransomware. Initially emerging in 2021 as an affiliate of the Sabbath ransomware operation, Storm-0501 has since expanded its capabilities by deploying various file-encrypting malware from notorious groups like Hive, BlackCat, and LockBit. The group’s shift in tactics now poses a serious threat to organizations across multiple sectors, including healthcare, government, manufacturing, and law enforcement in the United States.

The primary method used by Storm-0501 to gain access to cloud environments involves exploiting weak credentials and leveraging privileged accounts. They often utilize stolen or purchased credentials and exploit known vulnerabilities, such as CVE-2022-47966 in Zoho ManageEngine and CVE-2023-4966 in Citrix NetScaler. Once they penetrate an organization’s network, the attackers employ lateral movement techniques using frameworks like Impacket and Cobalt Strike. They also disable security agents through PowerShell cmdlets, allowing them to extract sensitive data before executing their ransomware payloads.

Once inside the cloud infrastructure, Storm-0501 establishes persistence by creating new federated domains within the Microsoft Entra tenant. This tactic enables them to authenticate as any user for which the “ImmutableID” property is known or has been set by them. By leveraging stolen Microsoft Entra ID credentials, they can effectively move between on-premises and cloud environments, compromising synchronization accounts and maintaining access for future operations. The group’s strategy often culminates in the deployment of Embargo ransomware, which can encrypt files across both on-premises and cloud systems.
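The persistence technique described above leaves a trail in the tenant's audit log: a domain is added and its authentication is switched to federated, sometimes by an account that should never touch federation settings, such as a directory synchronization account. The following Python is an added detection example written for this alert; it is not code from Microsoft or from the CyberMaterial article. The audit records are constructed sample data, the simplified field names (`activityDisplayName`, `initiatedBy`, `targetDomain`) are an assumption about what an Entra audit-log export looks like once normalised by a SIEM, the operation names should be verified against your own tenant's export, and the `Sync_` prefix used to recognise synchronization accounts is likewise an assumption about the naming convention to check in your environment.

```python
import json
from datetime import datetime, timedelta

# Operations that change how a domain authenticates users. Names are an
# assumption about Entra audit-log activity names; confirm them in your tenant.
FEDERATION_OPS = {"Set federation settings on domain", "Set domain authentication"}
# Operations that introduce a new domain into the tenant.
DOMAIN_ADD_OPS = {"Add unverified domain", "Verify domain"}
# A domain added and then federated within this window is treated as high severity.
CORRELATION_WINDOW = timedelta(hours=24)
# Assumption: directory synchronization accounts are named Sync_<server>_<id>@...
SYNC_ACCOUNT_PREFIX = "sync_"

# Constructed sample records (not real tenant data) in a simplified export shape.
SAMPLE_AUDIT_LOG = """
[
 {"activityDateTime": "2024-09-15T09:00:00Z", "activityDisplayName": "Set federation settings on domain",
  "initiatedBy": "admin@contoso.example", "targetDomain": "legacy.example"},
 {"activityDateTime": "2024-09-20T10:00:00Z", "activityDisplayName": "Add unverified domain",
  "initiatedBy": "admin@contoso.example", "targetDomain": "contoso-backup.example"},
 {"activityDateTime": "2024-09-20T10:05:00Z", "activityDisplayName": "Set domain authentication",
  "initiatedBy": "admin@contoso.example", "targetDomain": "contoso-backup.example"},
 {"activityDateTime": "2024-09-21T08:00:00Z", "activityDisplayName": "Set federation settings on domain",
  "initiatedBy": "Sync_SRV01_1a2b@contoso.onmicrosoft.com", "targetDomain": "contoso.example"},
 {"activityDateTime": "2024-09-21T09:00:00Z", "activityDisplayName": "Add user",
  "initiatedBy": "admin@contoso.example", "targetDomain": null}
]
"""


def load_records(text):
    """Parse the JSON export and return records sorted by timestamp."""
    records = json.loads(text)
    for rec in records:
        rec["ts"] = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
    return sorted(records, key=lambda rec: rec["ts"])


def is_sync_account(actor):
    """True when the initiating principal looks like a synchronization account."""
    return actor.lower().startswith(SYNC_ACCOUNT_PREFIX)


def detect_federation_abuse(records):
    """Return alerts for federation changes, escalating newly added domains and sync-account actors."""
    alerts = []
    domain_added_at = {}  # domain -> time it was first added, for correlation
    for rec in records:
        op, domain, actor = rec["activityDisplayName"], rec.get("targetDomain"), rec["initiatedBy"]
        if op in DOMAIN_ADD_OPS:
            domain_added_at.setdefault(domain, rec["ts"])
            continue
        if op not in FEDERATION_OPS:
            continue
        severity = "medium"
        reason = f"{op} on {domain} by {actor}"
        added = domain_added_at.get(domain)
        if added is not None and rec["ts"] - added <= CORRELATION_WINDOW:
            severity = "high"
            reason += " (domain was added to the tenant shortly before being federated)"
        if is_sync_account(actor):
            severity = "high"
            reason += " (initiated by a synchronization account)"
        alerts.append({"severity": severity, "domain": domain, "actor": actor,
                       "time": rec["activityDateTime"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect_federation_abuse(load_records(SAMPLE_AUDIT_LOG)):
        print(f"[{alert['severity'].upper()}] {alert['time']} {alert['reason']}")
```

Every federation change is surfaced because legitimate ones are rare and planned; the two escalation rules pick out the pattern this alert describes, a freshly added domain turned federated and a synchronization account acting outside its role. Reviewing the medium-severity hits against a change record is enough to separate routine administration from a backdoor.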

Microsoft highlights that the threat actors do not always resort to deploying ransomware; in some instances, they maintain backdoor access to the network without encrypting files. The ransomware is typically deployed through compromised accounts like Domain Admin, utilizing scheduled tasks or Group Policy Objects (GPOs) to encrypt files throughout the organization. With a history of successful breaches, such as the attack on the American Radio Relay League in August 2024, Storm-0501 exemplifies the growing sophistication and danger of ransomware threats in today’s digital landscape.

Reference:
  • Embargo Ransomware Escalates Tactics Targeting Hybrid Cloud Environments
Tags: BlackCat, Cloud, Cyber Alerts, Cyber Alerts 2024, Cyber threats, Embargo Ransomware, Government, Healthcare, Hive, LockBit, Manufacturing, Microsoft, Ransomware, Sabbath, September 2024, Storm-0501