MITRE ATT&CK® Group

G1053: Storm-0501

Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.[1][2][3][4]

Enterprise | G1053 | Group | Object version 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Storm-0501 matters because MITRE describes it as a financially motivated cyber criminal group tied to ransomware operations and use of commodity/open-source tooling. The relationship set is especially relevant to hybrid environments: it includes Windows administration utilities, credential dumping and DCSync, WinRM lateral movement, cloud account access, cloud API execution, added cloud credentials/roles, Rclone, Cobalt Strike, and Embargo ransomware. For leaders, the decision point is whether ransomware readiness covers identity, Active Directory, cloud tenants, and data movement together—not just endpoint malware blocking.

Executive priority

Treat this as a ransomware resilience and hybrid identity governance use case. Executives should ask whether the organization can prove control over privileged domain accounts, cloud admin roles, added credentials, remote management pathways, and unusual bulk file synchronization. Budget and audit attention should prioritize evidence that identity changes, cloud API activity, endpoint execution, and lateral movement are logged, retained, and actionable during an incident. Because ATT&CK provides no official detection text for this group object, local validation is required rather than assuming existing tools provide coverage.

Technical view

SOC and IR teams should map coverage from the listed relationships rather than from the group object alone. Validate detections for credential access such as OS Credential Dumping and DCSync; lateral movement through WinRM and cloud services; execution through PowerShell and cloud APIs; persistence or privilege escalation through added cloud credentials and roles; discovery through Net, Nltest, Tasklist, domain/cloud account enumeration, process discovery, and system information discovery; and data movement/tooling indicators associated with Rclone, Cobalt Strike, Impacket, AADInternals, and Embargo. Prioritize correlation across endpoint, Active Directory, identity provider, SaaS/IaaS, and network telemetry because the supplied relationships span on-premises Windows and cloud identity/control planes.

Likely telemetry

  • Endpoint process creation and command-line logs for Net, Nltest, Tasklist, PowerShell, schtasks, WinRM-related activity, Rclone, Impacket, AADInternals, and suspicious packed binaries
  • Windows security, service, scheduled task, PowerShell, and remote management logs
  • Domain controller and directory replication telemetry relevant to DCSync and privileged account activity
  • Identity provider and cloud audit logs for sign-ins, cloud API execution, role assignment changes, service principal/application credential additions, and cloud account enumeration
  • Network telemetry for remote administration, SMB/Windows administrative activity where logged, cloud service access, and large or unusual synchronization flows

Detection direction

  • Start with identity-led correlation: privileged logons, domain replication requests, WinRM sessions, cloud sign-ins, cloud API activity, and changes to cloud roles or credentials should be reviewed together.
  • Tune administrative-tool detections carefully. Net, Nltest, Tasklist, PowerShell, WinRM, and cloud administration interfaces are legitimate, so detection should emphasize unusual user, host, time, scope, privilege level, or sequence of activity.
  • Validate visibility for cloud persistence paths, especially new credentials on applications/service principals and unexpected privileged role assignments.
  • Hunt for discovery-to-lateral-movement chains: account enumeration, process/system discovery, credential access, remote execution, and then data synchronization or ransomware tooling.
  • Use relationship-driven tool context, but avoid relying only on static indicators. Commodity and open-source tools can be renamed, packed, or used legitimately by administrators.
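One way to implement the identity-led correlation above, as an added example that is not part of the MITRE entry or the Glexia analysis: it orders the Azure operation names quoted in this page's relationship table (elevateAccess, roleAssignments/write, listkeys, storageAccounts/write, the Key Vault write, and the snapshot, restore point, storage account and backup-container deletes) into a per-caller chain over a time window and rates the chain by whether a privilege change precedes an impact operation. The flattened record fields `caller`, `operationName` and `eventTimestamp` are assumed, and the sample records are constructed.

```python
"""Correlate Azure Activity Log records into a privilege-to-impact chain.
Added example, not code from the MITRE entry or the Glexia analysis. The record
layout (caller, operationName, eventTimestamp) is an assumed, flattened Activity
Log shape; the sample records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Azure operation names quoted in this page's relationship table, by stage.
STAGES = {
    "elevate": {"Microsoft.Authorization/elevateAccess/action"},
    "role_assign": {"Microsoft.Authorization/roleAssignments/write"},
    "key_access": {"Microsoft.Storage/storageAccounts/listkeys/action", "Microsoft.KeyVault/vaults/write"},
    "storage_expose": {"Microsoft.Storage/storageAccounts/write"},
    "recovery_delete": {"Microsoft.Compute/snapshots/delete",
                        "Microsoft.Compute/restorePointCollections/delete",
                        "Microsoft.Storage/storageAccounts/delete",
                        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete"},
}
# Case-insensitive lookup: provider/resource casing varies between log sources.
OP_TO_STAGE = {op.lower(): stage for stage, ops in STAGES.items() for op in ops}
PRIV = {"elevate", "role_assign"}
IMPACT = {"key_access", "storage_expose", "recovery_delete"}


def stage_of(operation_name):
    """Return the stage for an operationName, or None if it is not of interest."""
    return OP_TO_STAGE.get(operation_name.lower())


def correlate(records, window=timedelta(hours=24)):
    """One finding per caller whose in-scope operations span two or more stages
    within `window` of the caller's first in-scope operation. Severity is 'high'
    only when a privilege stage precedes an impact stage: a lone snapshot purge by
    a backup job stays silent, the same purge after elevateAccess fires."""
    per_caller = defaultdict(list)
    for rec in records:
        stage = stage_of(rec["operationName"])
        if stage:
            ts = datetime.fromisoformat(rec["eventTimestamp"])
            per_caller[rec["caller"]].append((ts, stage))
    findings = []
    for caller, events in per_caller.items():
        events.sort()
        start = events[0][0]
        first_seen = {}  # stage -> first timestamp inside the window
        for ts, stage in events:
            if ts - start <= window and stage not in first_seen:
                first_seen[stage] = ts
        chain = sorted(first_seen, key=first_seen.get)  # stages in temporal order
        if len(chain) < 2:
            continue
        priv_pos = [i for i, s in enumerate(chain) if s in PRIV]
        impact_pos = [i for i, s in enumerate(chain) if s in IMPACT]
        escalated = bool(priv_pos and impact_pos and min(priv_pos) < max(impact_pos))
        findings.append({"caller": caller, "stages": chain,
                         "severity": "high" if escalated else "medium"})
    return findings


# Constructed records: ops-admin walks the full chain; backup-svc only deletes a
# snapshot; sre assigns a role only after a storage write; dev is out of scope.
SAMPLE_RECORDS = [
    {"caller": c, "eventTimestamp": t, "operationName": o} for c, t, o in [
        ("ops-admin", "2025-01-10T02:14:00", "Microsoft.Authorization/elevateAccess/action"),
        ("ops-admin", "2025-01-10T02:16:30", "Microsoft.Authorization/roleAssignments/write"),
        ("ops-admin", "2025-01-10T02:40:00", "Microsoft.Storage/storageAccounts/listkeys/action"),
        ("ops-admin", "2025-01-10T05:05:00", "Microsoft.Compute/snapshots/delete"),
        ("backup-svc", "2025-01-10T03:00:00", "Microsoft.Compute/snapshots/delete"),
        ("sre", "2025-01-10T08:00:00", "Microsoft.Storage/storageAccounts/write"),
        ("sre", "2025-01-10T08:30:00", "Microsoft.Authorization/roleAssignments/write"),
        ("dev", "2025-01-10T09:00:00", "Microsoft.Compute/virtualMachines/write"),
    ]
]
```

The backup job that only purges snapshots produces no finding, which is the tuning point the list above makes about legitimate administrative activity; the role assignment that follows rather than precedes an impact operation is rated medium, not high.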

Mitigation priorities

  • Prioritize privileged identity hardening across Active Directory and cloud tenants, including least privilege, review of privileged groups/roles, and monitoring of role and credential changes.
  • Reduce unnecessary remote administration exposure by governing WinRM and administrative pathways, with strong authentication and logging for authorized use.
  • Improve cloud security posture by reviewing service principals/applications, added credentials, privileged role assignments, and API access patterns.
  • Strengthen endpoint controls and logging for PowerShell, scheduled tasks, service/task masquerading, suspicious packing, and known dual-use tooling.
  • Prepare ransomware response playbooks that include identity containment, cloud session/token review, domain controller protection, data movement investigation, and recovery decision points.

Analyst notes and limits

This take is derived from the official MITRE group description, external references, and supplied relationships. The most important defensive signal is the breadth of related behaviors: ransomware operations using commodity/open-source tooling with relationships spanning credential access, lateral movement, discovery, execution, persistence/privilege escalation, cloud services, and ransomware-associated software. The object itself has no official detection section and no directly specified platforms or tactics, so platform and tactic guidance is based on the related software and techniques only.

ATT&CK does not provide official detection guidance for Storm-0501 in the supplied fields. The group object does not specify platforms or tactics directly. The external references are listed but not independently analyzed beyond the supplied metadata. Local environment architecture, enabled logging, identity design, cloud providers, and approved administrative tool usage are required to determine actual exposure and detection coverage.

Official MITRE ATT&CK definition

Storm-0501

Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.[1][2][3][4]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name

Enterprise | T1219.002 | Remote Desktop Software (sub-technique)

Storm-0501 has used legitimate remote monitoring and management (RMM) tools including AnyDesk, NinjaOne, and Level.io. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)

Enterprise | T1537 | Transfer Data to Cloud Account

Storm-0501 has copied data from the victim's environment to their own infrastructure leveraging the AzCopy CLI. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1490 | Inhibit System Recovery

Storm-0501 has deleted snapshots, restore points, storage accounts, and backup services to prevent remediation and restoration. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025) Storm-0501 has also impacted Azure resources through the targeting of `Microsoft.Compute/snapshots/delete`, `Microsoft.Compute/restorePointCollections/delete`, `Microsoft.Storage/storageAccounts/delete`, and `Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete`. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1484.001 | Group Policy Modification (sub-technique)

Storm-0501 distributed Group Policy Objects to tamper with security products. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)

Enterprise | T1530 | Data from Cloud Storage

Storm-0501 has modified Azure Storage account resources through the `Microsoft.Storage/storageAccounts/write` operation to expose non-remotely accessible accounts for data exfiltration. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1059.001 | PowerShell (sub-technique)

Storm-0501 has leveraged PowerShell to execute commands and scripts. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024) (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1485 | Data Destruction

Storm-0501 has destroyed data and backup files. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1053.005 | Scheduled Task (sub-technique)

Storm-0501 has used a scheduled task named "SysUpdate" that was registered via GPO on devices in the network to distribute the Embargo ransomware. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)

Enterprise | T1087.004 | Cloud Account (sub-technique)

Storm-0501 has conducted enumeration of users, roles, and resources within victim Azure tenants using the tool AzureHound. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1003.006 | DCSync (sub-technique)

Storm-0501 has utilized DCSync to extract credentials from victims. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1526 | Cloud Service Discovery

Storm-0501 has discovered the victim environment's protections, including Azure policies, resource locks, and Azure Storage immutability policies. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1567.002 | Exfiltration to Cloud Storage (sub-technique)

Storm-0501 has exfiltrated stolen data to the MEGA file sharing site. (Citation: Google Mandiant Storm-0501 Sabbath Ransomware November 2021) Storm-0501 has also utilized Rclone to exfiltrate data from victim environments to cloud storage such as MegaSync. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024) Storm-0501 has exfiltrated data to their own infrastructure utilizing the AzCopy command-line tool (CLI). (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1059.009 | Cloud API (sub-technique)

Storm-0501 has leveraged cloud CLI tooling to execute commands and exfiltrate data from compromised environments. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1021.007 | Cloud Services (sub-technique)

Storm-0501 has used a compromised Entra Connect Sync server to move laterally within the victim environment. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1021.006 | Windows Remote Management (sub-technique)

Storm-0501 has utilized the post-exploitation tool known as Evil-WinRM, which uses PowerShell over Windows Remote Management (WinRM) for remote code execution. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1190 | Exploit Public-Facing Application

Storm-0501 has exploited N-day vulnerabilities in public-facing services to gain initial access to victim environments, including Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler "Citrix Bleed" (CVE-2023-4966), and Adobe ColdFusion 2016 (CVE-2023-29300 or CVE-2023-38203). (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)

Enterprise | T1057 | Process Discovery

Storm-0501 has discovered running processes through `tasklist.exe`. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)

Enterprise | T1518.001 | Security Software Discovery (sub-technique)

Storm-0501 has detected endpoint security solutions using `sc query sense` and `sc query windefend`. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1486 | Data Encrypted for Impact

Storm-0501 has encrypted files in victim environments using ransomware as a service (RaaS) including Sabbath, Hive, BlackCat, Hunters International, LockBit 3.0 and Embargo ransomware. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1657 | Financial Theft

Storm-0501 has engaged in double-extortion ransomware, exfiltrating data and directly contacting victims when the primary organization refuses to pay, along with posting data on their data leak sites. (Citation: Avertium Storm-0501 Sabbath Ransomware Arcane January 2022) (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025) (Citation: Google Mandiant Storm-0501 Sabbath Ransomware November 2021)

Enterprise | T1078.004 | Cloud Accounts (sub-technique)

Storm-0501 has leveraged compromised accounts to access Microsoft Entra Connect, which was used to synchronize on-premises identities and Microsoft Entra identities, allowing users to sign into both environments with the same password. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024) Storm-0501 has also used a victim Global Administrator account that lacked any registered MFA method to access victim cloud environments. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025) Storm-0501 has leveraged Storage Account Access Keys within the victim environment. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1218.010 | Regsvr32 (sub-technique)

Storm-0501 has launched Cobalt Strike Beacon files using regsvr32.exe. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)

Enterprise | T1555.006 | Cloud Secrets Management Stores (sub-technique)

Storm-0501 has utilized Azure Key Vault to store the encryption key using the operation `Microsoft.KeyVault/Vaults/write`. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1555.005 | Password Managers (sub-technique)

Storm-0501 has stolen credentials contained in the password manager KeePass by utilizing Find-KeePassConfig.ps1. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)

Enterprise | T1484.002 | Trust Modification (sub-technique)

Storm-0501 created a new federated domain within the victim Microsoft Entra tenant using Global Administrator level access to establish a persistent backdoor for later use. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024) (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1580 | Cloud Infrastructure Discovery

Storm-0501 has enumerated compromised cloud environments to identify critical assets, data stores, and backup resources. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1482 | Domain Trust Discovery

Storm-0501 has used the Windows native utility Nltest (`nltest.exe`) for discovery. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)

Enterprise | T1578.003 | Delete Cloud Instance (sub-technique)

Storm-0501 has conducted mass deletion of cloud data stores and resources from Azure subscriptions. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1082 | System Information Discovery

Storm-0501 has leveraged native Windows tools and commands such as `systeminfo` and open-source tools including OSQuery and ossec-win32 to query details about the endpoint. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)

Enterprise | T1027.002 | Software Packing (sub-technique)

Storm-0501 has used Themida to pack Cobalt Strike payloads. (Citation: Google Mandiant Storm-0501 Sabbath Ransomware November 2021)

Enterprise | T1614.001 | System Language Discovery (sub-technique)

Storm-0501 has identified system language codes on a compromised host to determine whether the victim falls under a non-supported language code that is prohibited for targeting, including victims associated with Russia and other Commonwealth of Independent States (CIS) countries, which may draw the attention of law enforcement in countries where the ransomware operator or affiliates reside or operate. (Citation: Avertium Storm-0501 Sabbath Ransomware Arcane January 2022) (Citation: Google Mandiant Storm-0501 Sabbath Ransomware November 2021)

Enterprise | T1552.004 | Private Keys (sub-technique)

Storm-0501 has leveraged the Azure Owner role to access and steal Storage Account Access Keys using the `Microsoft.Storage/storageAccounts/listkeys/action` operation. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1036.004 | Masquerade Task or Service (sub-technique)

Storm-0501 has utilized Rclone masqueraded as svhost.exe and scvhost.exe. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)

Enterprise | T1098.003 | Additional Cloud Roles (sub-technique)

Storm-0501 has elevated their access to Azure resources using the `Microsoft.Authorization/elevateAccess/action` and `Microsoft.Authorization/roleAssignments/write` operations to gain the User Access Administrator and Owner Azure roles over the victims' Azure subscriptions. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1087.002 | Domain Account (sub-technique)

Storm-0501 has utilized an obfuscated version of the Active Directory reconnaissance tool ADRecon.ps1 (obfs.ps1 or recon.ps1) to discover domain accounts. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)

Enterprise | T1218.011 | Rundll32 (sub-technique)

Storm-0501 has launched Cobalt Strike Beacon files with rundll32.exe. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)

Enterprise | T1587.003 | Digital Certificates (sub-technique)

Storm-0501 has utilized their own self-signed TLS certificate "Microsoft IT TLS CA 5" with their infrastructure. (Citation: Google Mandiant Storm-0501 Sabbath Ransomware November 2021)

Enterprise | T1588.006 | Vulnerabilities (sub-technique)

Storm-0501 has obtained capabilities to exploit N-day vulnerabilities in public-facing services to gain initial access to victim environments, including Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler "Citrix Bleed" (CVE-2023-4966), and Adobe ColdFusion 2016 (CVE-2023-29300 or CVE-2023-38203). (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)

Enterprise | T1556.009 | Conditional Access Policies (sub-technique)

Storm-0501 has registered their own MFA method and leveraged a victim hybrid-joined server to circumvent Conditional Access Policies. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Enterprise | T1003 | OS Credential Dumping

Storm-0501 has used the SecretsDump module within Impacket, which can perform credential dumping to obtain account and password information. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)

Enterprise | T1110 | Brute Force

Storm-0501 has leveraged brute force attacks to obtain credentials. (Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)

Enterprise | T1098.001 | Additional Cloud Credentials (sub-technique)

Storm-0501 has reset the password of identified administrator accounts that lack MFA and registered their own MFA method. (Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)

Associated objects

Groups, software, and campaigns

Tool (Enterprise)

S0357: Impacket

Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.[1]

Platforms: Linux, macOS, Windows

Tool (Enterprise)

S0057: Tasklist

The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.[1]

Malware (Enterprise)

S0154: Cobalt Strike

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Cobalt Strike's interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]

Platforms: Linux, macOS, Windows

Malware (Enterprise)

S1247: Embargo

Embargo is a ransomware variant written in Rust that has been active since at least May 2024.[1][2] Embargo ransomware operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid.[1][2] Embargo ransomware has been known to be delivered through a loader known as MDeployer, which also leverages a malware component known as MS4Killer that facilitates termination of processes operating on the victim hosts.[2] Embargo is also reportedly a Ransomware as a Service (RaaS).[2]

Platforms: ESXi, Linux, Windows

Tool (Enterprise)

S1040: Rclone

Rclone is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. Rclone has been used in a number of ransomware campaigns, including those associated with the Conti and DarkSide Ransomware-as-a-Service operations.[1][2][3][4][5]

Platforms: Linux, Windows, macOS

Tool (Enterprise)

S0359: Nltest

Nltest is a Windows command-line utility used to list domain controllers and enumerate domain trusts.[1]

Platforms: Windows

Tool (Enterprise)

S0039: Net

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.[1]

Net has a great deal of functionality,[2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.

Platforms: Windows

Tool (Enterprise)

S0677: AADInternals

AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[1][2]

Platforms: Windows, Office Suite, Identity Provider

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ccdd8b9ffe35a2ea...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | ccdd8b9ffe35…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] Avertium Storm-0501 Sabbath Ransomware Arcane January 2022: Avertium. (2022, January 11). An In-Depth Look at Ransomware Gang, Sabbath. Retrieved October 19, 2025.

[2] Microsoft Storm-501 Sabbath Ransomware Embargo September 2024: Microsoft Threat Intelligence. (2024, September 26). Storm-0501: Ransomware attacks expanding to hybrid cloud environments. Retrieved October 19, 2025.

[3] Microsoft Storm-0501 Embargo Ransomware August 2025: Microsoft Threat Intelligence. (2025, August 27). Storm-0501's evolving techniques lead to cloud-based ransomware. Retrieved October 19, 2025.

[4] Google Mandiant Storm-0501 Sabbath Ransomware November 2021: Tyler McLellan, Brandan Schondorfer. (2021, November 29). Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again. Retrieved October 19, 2025.

[5] mitre-attack G1053

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.