Storm-0501: A Wake-Up Call for Cloud Security

A new wave of cloud ransomware attacks shows how cybercriminals steal and erase data from Microsoft Entra ID environments before demanding ransom. Groups such as Storm-0501 demonstrate how fast these methods evolve. This blog explains how the attacks work, why traditional defences fall short, and what actions your organisation should take to stay secure.
Published on August 29, 2025

A recent wave of attacks has exposed just how vulnerable cloud environments can be. A group of cybercriminals previously known for deploying ransomware in on-premises networks has now shifted its focus entirely to the cloud. Their method is calculated: first they exfiltrate all files from the cloud environment, then they systematically delete data and backups. Only then do they demand a ransom for the return of the data.

To gain access, the attackers register a malicious federated domain in the Microsoft Entra ID tenant, allowing them to sign in as virtually any user. Once inside, they carefully map out sensitive datastores and backup locations such as Azure Blob Storage. After downloading the data, they erase all storage and backup systems. If certain resources are protected, the attackers switch to encrypting files and attempt to delete the associated keys. In rare cases, immutability settings and soft-delete policies preserve the keys—but the damage is typically severe.

How Does This Cloud Ransomware Work?

The tactics used by this group differ significantly from traditional ransomware. Key characteristics include:

  • Shift to the cloud: Instead of encrypting individual endpoints, attackers exfiltrate large volumes of data via cloud services and destroy backups. No classic malware is involved—the pressure comes from the apparent irreversibility of data loss.
  • Backdoor via federated domain: By adding a malicious domain to the Entra ID tenant and using self-signed certificates, attackers issue SAML tokens and impersonate almost any user.
  • Abuse of privileges: After logging in, the attackers escalate privileges with a single API call by assigning themselves the “User Access Administrator” role, and then promote themselves to “Owner” across all Azure subscriptions—gaining full access.
  • Mass deletion and encryption: Once data is copied, standard Azure APIs are used to delete snapshots, restore points, and storage accounts. If resources are protected with locks or immutability policies, these are removed first. A new Key Vault is then created with an attacker-controlled encryption key to encrypt any remaining storage.

It only takes one unsecured account or forgotten server to trigger this attack chain. The combination of deep cloud expertise and misuse of legitimate functions makes these attacks difficult to detect.

Key Considerations for Your Cloud Security

This evolving attack model demands a multi-layered response. DataExpert recommends the following measures:

  • Enforce Multi-Factor Authentication (MFA): MFA should be mandatory for all accounts and admin portals. In the incidents studied, a single account without MFA enabled allowed escalation.
  • Continuous patching and updates: Keep operating systems, VPNs, and cloud components up to date to eliminate known vulnerabilities.
  • Apply least privilege principles: Give users and service accounts only the access they truly need. Monitor password resets and role changes closely.
  • Create immutable backups: Ensure backups cannot be altered or deleted. Store them offline or in a separate tenant, and test recovery procedures regularly.
  • Monitor logs and API activity: Track role assignments, Key Vault operations, and storage modifications. Set alerts for unexpected privilege escalations or mass deletions.
  • Invest in awareness and incident response: Train staff to recognize phishing and social engineering attempts. Maintain a tested incident response plan to ensure rapid action when needed.
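The attack chain described above (federated-domain backdoor, elevateAccess followed by an Owner assignment, lock removal, mass deletion of storage and backups, and a new Key Vault) maps directly onto the "Monitor logs and API activity" recommendation. The following is an added example, not code from the blog or from DataExpert: a small rule engine that scans Azure Activity Log and Entra ID audit records for those stages and reports any caller who touches several of them. It assumes the records have been exported as one flattened JSON object per line with `caller`, `operationName`, `scope`, `roleName` and `target` fields (an assumption about the ingestion pipeline); the Azure operation names are the real ARM operation names, the Entra operation names are the ones the audit log uses for domain federation changes, and the log lines themselves are constructed sample data.

```python
"""Detect Storm-0501-style activity in flattened Azure / Entra log records.

Added example (not from the blog or DataExpert). Record shape is an
assumption: one JSON object per line with caller, operationName, scope,
roleName and target fields. Sample records are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one attacker-like session (admin@) and benign
# operations by ops@ that must not be flagged.
SAMPLE_LOG = """\
{"time":"2025-08-01T09:00:00Z","caller":"admin@contoso.example","operationName":"Set federation settings on domain","target":"backdoor.example"}
{"time":"2025-08-01T09:10:00Z","caller":"admin@contoso.example","operationName":"Microsoft.Authorization/elevateAccess/action","scope":"/"}
{"time":"2025-08-01T09:12:00Z","caller":"admin@contoso.example","operationName":"Microsoft.Authorization/roleAssignments/write","scope":"/subscriptions/SUB-1","roleName":"Owner"}
{"time":"2025-08-01T09:20:00Z","caller":"admin@contoso.example","operationName":"Microsoft.Authorization/locks/delete","scope":"/subscriptions/SUB-1/resourceGroups/backups"}
{"time":"2025-08-01T09:21:00Z","caller":"admin@contoso.example","operationName":"Microsoft.Compute/snapshots/delete","scope":"/subscriptions/SUB-1/resourceGroups/backups/providers/Microsoft.Compute/snapshots/snap-1"}
{"time":"2025-08-01T09:22:00Z","caller":"admin@contoso.example","operationName":"Microsoft.Compute/snapshots/delete","scope":"/subscriptions/SUB-1/resourceGroups/backups/providers/Microsoft.Compute/snapshots/snap-2"}
{"time":"2025-08-01T09:23:00Z","caller":"admin@contoso.example","operationName":"Microsoft.Compute/restorePointCollections/delete","scope":"/subscriptions/SUB-1/resourceGroups/backups/providers/Microsoft.Compute/restorePointCollections/rpc-1"}
{"time":"2025-08-01T09:24:00Z","caller":"admin@contoso.example","operationName":"Microsoft.Storage/storageAccounts/delete","scope":"/subscriptions/SUB-1/resourceGroups/data/providers/Microsoft.Storage/storageAccounts/blobs1"}
{"time":"2025-08-01T09:25:00Z","caller":"admin@contoso.example","operationName":"Microsoft.Storage/storageAccounts/delete","scope":"/subscriptions/SUB-1/resourceGroups/data/providers/Microsoft.Storage/storageAccounts/blobs2"}
{"time":"2025-08-01T09:30:00Z","caller":"admin@contoso.example","operationName":"Microsoft.KeyVault/vaults/write","scope":"/subscriptions/SUB-1/resourceGroups/new/providers/Microsoft.KeyVault/vaults/kv-new"}
{"time":"2025-08-01T10:00:00Z","caller":"ops@contoso.example","operationName":"Microsoft.Compute/snapshots/delete","scope":"/subscriptions/SUB-1/resourceGroups/app/providers/Microsoft.Compute/snapshots/snap-old"}
{"time":"2025-08-01T10:30:00Z","caller":"ops@contoso.example","operationName":"Microsoft.Authorization/roleAssignments/write","scope":"/subscriptions/SUB-1/resourceGroups/app","roleName":"Reader"}
"""

FEDERATION_OPS = {"Set federation settings on domain", "Set domain authentication"}
ELEVATE = "Microsoft.Authorization/elevateAccess/action"
ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"
LOCK_DELETE = "Microsoft.Authorization/locks/delete"
KEYVAULT_WRITE = "Microsoft.KeyVault/vaults/write"
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}


def parse_log(text):
    """Parse JSON lines into records sorted by time (ISO 8601, 'Z' = UTC)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
            records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def is_root_or_subscription(scope):
    """True for the tenant root ('/') or a bare subscription scope."""
    return scope == "/" or (scope.startswith("/subscriptions/") and scope.count("/") == 2)


def detect(records, mass_threshold=5, window=timedelta(minutes=30)):
    """Return (stage, caller, time, detail) findings, one stage per rule."""
    findings = []
    deletes = defaultdict(list)   # caller -> delete timestamps inside the window
    last_alert = {}               # caller -> time of last mass-deletion alert
    for r in records:
        op, caller, t, scope = r["operationName"], r["caller"], r["time"], r.get("scope", "")
        if op in FEDERATION_OPS:
            findings.append(("federation_backdoor", caller, t, r.get("target", "")))
        elif op == ELEVATE:
            findings.append(("elevate_access", caller, t, scope))
        elif op == ROLE_WRITE and r.get("roleName") in PRIVILEGED_ROLES and is_root_or_subscription(scope):
            findings.append(("privileged_role_assignment", caller, t, f"{r['roleName']} at {scope}"))
        elif op == LOCK_DELETE:
            findings.append(("protection_removed", caller, t, scope))
        elif op.endswith("/delete"):
            # Sliding window: keep only deletes by this caller within `window`.
            times = [x for x in deletes[caller] if t - x <= window] + [t]
            deletes[caller] = times
            last = last_alert.get(caller)
            if len(times) >= mass_threshold and (last is None or t - last > window):
                last_alert[caller] = t
                findings.append(("mass_deletion", caller, t, f"{len(times)} deletes within {window}"))
        elif op == KEYVAULT_WRITE:
            findings.append(("new_key_vault", caller, t, scope))
    return findings


def chain_assessment(findings, min_stages=3):
    """Callers that hit at least `min_stages` distinct stages: probable attack chain."""
    stages = defaultdict(set)
    for stage, caller, _, _ in findings:
        stages[caller].add(stage)
    return {c: sorted(s) for c, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for stage, caller, t, detail in found:
        print(f"{t:%H:%M} {stage:28} {caller:24} {detail}")
    print("probable chains:", chain_assessment(found))
```

Individually, several of these operations are legitimate (an engineer does delete snapshots and create Key Vaults), which is why the block reports both per-rule findings and a per-caller chain score; a single account passing through three or more stages in a short period is what separates this pattern from routine administration. In a real pipeline the same rules would be expressed as KQL analytics rules over the AzureActivity and AuditLogs tables, with the thresholds tuned to the tenant's normal change volume.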

DataExpert’s SOC Cloud Monitoring

Even with all the above measures in place, continuous monitoring is essential. DataExpert provides a Security Operations Center (SOC) that watches over your systems and cloud environment 24/7. Our security analysts identify suspicious logins, abnormal API calls, and privilege changes—taking action before attackers can cause harm.

We offer sector-specific monitoring tailored to the following domains:

  • Healthcare: Through our affiliation with the Zorg Detectie Netwerk (ZDN), we monitor threats targeting hospitals and care providers and deliver sector-appropriate security infrastructure.
  • Industry & OT: As operational and information technologies converge, we identify vulnerable connections and provide continuous monitoring across OT and IT systems.
  • Logistics: Supply chains are vulnerable to disruption. Early threat detection helps prevent a single compromised link from halting the entire chain.
  • Public Sector: Our SOC collaborates with the National Cyber Security Centre and Cyberveilig Nederland. We are familiar with frameworks such as BIO and BIG and already monitor multiple public-sector environments.

By combining this sector-specific expertise with advanced tooling, we recognize the early warning signs of attacks like Storm-0501—such as backdoor creation, privilege escalation, and large-scale deletions—allowing us to intervene in time.

How DataExpert Can Help

In addition to cloud monitoring, DataExpert offers a comprehensive portfolio to strengthen your resilience:

  • Managed Security Awareness Training – Equip your staff to resist phishing and social engineering.
  • Incident Response Support – Our specialists help you contain, investigate, and recover from incidents.
  • Consulting and Compliance Advisory – We guide you in implementing regulations such as NIS2, BIO, and BIG, and advise on cyber strategy and architecture.

Want to know how our SOC Cloud Monitoring service can help protect your organisation against the latest generation of cloud ransomware? Get in touch with our experts. We’ll help you assess the risks and demonstrate how our solutions can secure your cloud environment.
