Storm-0501 Ransomware Analytic Story and Tagging (#3871)

MHaggis · nasbench · patel-bhavin · web-flow · commit b6b0b47a6652 · 2026-01-22T22:32:14.000+01:00
---------

Co-authored-by: Nasreddine Bencherchali &lt;nasreddineb@splunk.com&gt;
Co-authored-by: Bhavin Patel &lt;bpatel@splunk.com&gt;
diff --git a/detections/cloud/azure_ad_new_federated_domain_added.yml b/detections/cloud/azure_ad_new_federated_domain_added.yml
@@ -1,7 +1,7 @@
 name: Azure AD New Federated Domain Added
 id: a87cd633-076d-4ab2-9047-977751a3c1a0
-version: 10
-date: '2025-10-14'
+version: 11
+date: '2026-01-20'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -62,6 +62,7 @@ tags:
   - Azure Active Directory Persistence
   - Scattered Lapsus$ Hunters
   - Hellcat Ransomware
+  - Storm-0501 Ransomware
   asset_type: Azure Active Directory
   mitre_attack_id:
   - T1484.002
diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml
@@ -1,7 +1,7 @@
 name: Azure AD Privileged Role Assigned
 id: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a
-version: 11
-date: '2025-10-14'
+version: 12
+date: '2026-01-20'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -69,6 +69,7 @@ tags:
   - Azure Active Directory Persistence
   - NOBELIUM Group
   - Scattered Lapsus$ Hunters
+  - Storm-0501 Ransomware
   asset_type: Azure Active Directory
   mitre_attack_id:
   - T1098.003
diff --git a/detections/endpoint/common_ransomware_notes.yml b/detections/endpoint/common_ransomware_notes.yml
@@ -52,19 +52,20 @@ known_false_positives: |
 references: []
 tags:
   analytic_story:
-    - Chaos Ransomware
-    - Rhysida Ransomware
-    - Ransomware
-    - LockBit Ransomware
-    - Medusa Ransomware
-    - SamSam Ransomware
-    - Clop Ransomware
-    - Ryuk Ransomware
-    - Black Basta Ransomware
-    - Termite Ransomware
-    - Interlock Ransomware
-    - NailaoLocker Ransomware
-    - Hellcat Ransomware
+  - Chaos Ransomware
+  - Rhysida Ransomware
+  - Ransomware
+  - LockBit Ransomware
+  - Medusa Ransomware
+  - SamSam Ransomware
+  - Clop Ransomware
+  - Ryuk Ransomware
+  - Black Basta Ransomware
+  - Termite Ransomware
+  - Interlock Ransomware
+  - NailaoLocker Ransomware
+  - Hellcat Ransomware
+  - Storm-0501 Ransomware
   asset_type: Endpoint
   mitre_attack_id:
     - T1485
diff --git a/detections/endpoint/detect_psexec_with_accepteula_flag.yml b/detections/endpoint/detect_psexec_with_accepteula_flag.yml
@@ -1,7 +1,7 @@
 name: Detect PsExec With accepteula Flag
 id: 27c3a83d-cada-47c6-9042-67baf19d2574
-version: 14
-date: '2025-12-15'
+version: 15
+date: '2026-01-22'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -95,6 +95,7 @@ tags:
   - Volt Typhoon
   - Seashell Blizzard
   - VanHelsing Ransomware
+  - Storm-0501 Ransomware
   asset_type: Endpoint
   mitre_attack_id:
   - T1021.002
diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml
@@ -1,7 +1,7 @@
 name: Detect RClone Command-Line Usage
 id: 32e0baea-b3f1-11eb-a2ce-acde48001122
-version: 15
-date: '2025-12-15'
+version: 16
+date: '2026-01-20'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -89,12 +89,13 @@ rba:
       type: process_name
 tags:
   analytic_story:
-    - Hellcat Ransomware
-    - DarkSide Ransomware
-    - Ransomware
-    - Black Basta Ransomware
-    - Cactus Ransomware
-    - Cisco Network Visibility Module Analytics
+  - Storm-0501 Ransomware
+  - Hellcat Ransomware
+  - DarkSide Ransomware
+  - Ransomware
+  - Black Basta Ransomware
+  - Cactus Ransomware
+  - Cisco Network Visibility Module Analytics
   asset_type: Endpoint
   mitre_attack_id:
     - T1020
diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Process
 id: ffd5e001-2e34-48f4-97a2-26dc4bb08178
-version: 12
-date: '2025-10-14'
+version: 13
+date: '2026-01-20'
 author: Steven Dick, Sebastian Wurl, Splunk Community
 status: production
 type: Anomaly
@@ -106,6 +106,7 @@ tags:
   - Interlock Ransomware
   - GhostRedirector IIS Module and Rungan Backdoor
   - Scattered Lapsus$ Hunters
+  - Storm-0501 Ransomware
   asset_type: Endpoint
   mitre_attack_id:
   - T1219
diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml
@@ -1,7 +1,7 @@
 name: Disable Windows Behavior Monitoring
 id: 79439cae-9200-11eb-a4d3-acde48001122
-version: 17
-date: '2025-11-20'
+version: 18
+date: '2026-01-20'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
@@ -70,6 +70,7 @@ tags:
   - Cactus Ransomware
   - Scattered Lapsus$ Hunters
   - NetSupport RMM Tool Abuse
+  - Storm-0501 Ransomware
   asset_type: Endpoint
   mitre_attack_id:
   - T1562.001
diff --git a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml
@@ -1,7 +1,7 @@
 name: Impacket Lateral Movement Commandline Parameters
 id: 8ce07472-496f-11ec-ab3b-3e22fbd008af
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2026-01-20'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -84,6 +84,7 @@ tags:
   - Graceful Wipe Out Attack
   - Compromised Windows Host
   - CISA AA22-277A
+  - Storm-0501 Ransomware
   asset_type: Endpoint
   mitre_attack_id:
   - T1021.002
diff --git a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml
@@ -1,7 +1,7 @@
 name: Impacket Lateral Movement WMIExec Commandline Parameters
 id: d6e464e4-5c6a-474e-82d2-aed616a3a492
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-01-20'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -83,6 +83,7 @@ tags:
   - Graceful Wipe Out Attack
   - Compromised Windows Host
   - CISA AA22-277A
+  - Storm-0501 Ransomware
   asset_type: Endpoint
   atomic_guid: []
   mitre_attack_id:
diff --git a/detections/endpoint/nltest_domain_trust_discovery.yml b/detections/endpoint/nltest_domain_trust_discovery.yml
@@ -1,7 +1,7 @@
 name: NLTest Domain Trust Discovery
 id: c3e05466-5f22-11eb-ae93-0242ac130002
-version: 9
-date: '2025-12-18'
+version: 10
+date: '2026-01-20'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -78,6 +78,7 @@ tags:
   - Rhysida Ransomware
   - IcedID
   - Ryuk Ransomware
+  - Storm-0501 Ransomware
   asset_type: Endpoint
   mitre_attack_id:
   - T1482
diff --git a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml
@@ -1,7 +1,7 @@
 name: SecretDumps Offline NTDS Dumping Tool
 id: 5672819c-be09-11eb-bbfb-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-01-20'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -71,6 +71,7 @@ tags:
   - Graceful Wipe Out Attack
   - Rhysida Ransomware
   - Credential Dumping
+  - Storm-0501 Ransomware
   asset_type: Endpoint
   mitre_attack_id:
   - T1003.003
diff --git a/detections/endpoint/suspicious_wevtutil_usage.yml b/detections/endpoint/suspicious_wevtutil_usage.yml
@@ -73,6 +73,7 @@ tags:
   - ShrinkLocker
   - Storm-2460 CLFS Zero Day Exploitation
   - Scattered Spider
+  - Storm-0501 Ransomware
   - VoidLink Cloud-Native Linux Malware
   asset_type: Endpoint
   mitre_attack_id:
diff --git a/detections/endpoint/wbadmin_delete_system_backups.yml b/detections/endpoint/wbadmin_delete_system_backups.yml
@@ -1,7 +1,7 @@
 name: WBAdmin Delete System Backups
 id: cd5aed7e-5cea-11eb-ae93-0242ac130002
-version: 9
-date: '2025-12-18'
+version: 10
+date: '2026-01-20'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -80,6 +80,7 @@ tags:
   - Prestige Ransomware
   - Chaos Ransomware
   - Storm-2460 CLFS Zero Day Exploitation
+  - Storm-0501 Ransomware
   asset_type: Endpoint
   mitre_attack_id:
   - T1490
diff --git a/detections/endpoint/windows_suspicious_c2_named_pipe.yml b/detections/endpoint/windows_suspicious_c2_named_pipe.yml
@@ -1,7 +1,7 @@
 name: Windows Suspicious C2 Named Pipe
 id: 90599d85-dc2a-4d4c-8c59-9485c3665828
-version: 1
-date: '2025-12-05'
+version: 2
+date: '2026-01-20'
 author: Raven Tait, Splunk
 status: production
 type: TTP
@@ -75,19 +75,20 @@ rba:
       type: process_name
 tags:
   analytic_story:
-    - APT37 Rustonotto and FadeStealer
-    - BlackByte Ransomware
-    - Brute Ratel C4
-    - Cobalt Strike
-    - DarkSide Ransomware
-    - Gozi Malware
-    - Graceful Wipe Out Attack
-    - Hellcat Ransomware
-    - LockBit Ransomware
-    - Meterpreter
-    - Remote Monitoring and Management Software
-    - Trickbot
-    - Tuoni
+  - Storm-0501 Ransomware
+  - APT37 Rustonotto and FadeStealer
+  - BlackByte Ransomware
+  - Brute Ratel C4
+  - Cobalt Strike
+  - DarkSide Ransomware
+  - Gozi Malware
+  - Graceful Wipe Out Attack
+  - Hellcat Ransomware
+  - LockBit Ransomware
+  - Meterpreter
+  - Remote Monitoring and Management Software
+  - Trickbot
+  - Tuoni
   asset_type: Endpoint
   mitre_attack_id:
     - T1559
diff --git a/stories/storm_0501_ransomware.yml b/stories/storm_0501_ransomware.yml
@@ -0,0 +1,47 @@
+name: Storm-0501 Ransomware
+id: 97b6cb8f-2b29-48e2-9d06-f9521302f955
+version: 1
+status: production
+date: '2026-01-20'
+author: Michael Haag, Splunk
+description: >
+  Detects tactics, techniques, and procedures (TTPs) associated with Storm-0501, a financially motivated 
+  ransomware-as-a-service (RaaS) affiliate that has evolved from targeting on-premises environments to 
+  sophisticated hybrid cloud attacks. Storm-0501 has deployed multiple ransomware families including 
+  Hive, BlackCat/ALPHV, Hunters International, LockBit, and most recently Embargo ransomware. The group 
+  is known for targeting government, manufacturing, transportation, law enforcement, and healthcare 
+  sectors, primarily in the United States. This analytic story provides comprehensive detection coverage 
+  for their complete attack chain, from initial credential abuse through Azure AD/Entra ID compromise 
+  and cloud-native ransomware deployment.
+narrative: >
+  Storm-0501, active since 2021 (originally operating as Sabbath/54bb47h), represents a significant 
+  evolution in hybrid cloud ransomware operations. Their attack methodology begins with exploitation 
+  of weak credentials and over-privileged accounts for initial access, followed by extensive Active 
+  Directory reconnaissance using tools like ADRecon. The group leverages Impacket tools (wmiexec, 
+  smbexec, atexec), PsExec, and legitimate RMM software (AnyDesk, Level.io, NinjaOne) for lateral 
+  movement, while Cobalt Strike provides command and control capabilities.
+  
+  The critical differentiator in Storm-0501 operations is their hybrid cloud pivot technique. After 
+  compromising on-premises infrastructure and extracting NTDS.dit credentials, the group targets 
+  Azure AD Connect sync accounts (MSOL_*, Sync_*) to gain access to cloud environments. Once in 
+  Azure AD/Entra ID, they establish persistence through federated domain manipulation, create backdoor 
+  service principals, and escalate privileges to Global Administrator. Recent intelligence indicates 
+  Storm-0501 has evolved toward cloud-native ransomware tactics, leveraging legitimate cloud APIs to 
+  exfiltrate data using Rclone, destroy Azure backups, and manipulate M365 retention policies without 
+  deploying traditional ransomware binaries. This evolution makes traditional endpoint-based detection 
+  insufficient and requires robust cloud audit log monitoring. Detections in this story cover credential 
+  dumping, lateral movement tools, defense evasion, Azure AD persistence mechanisms, backup deletion, 
+  and data exfiltration patterns characteristic of Storm-0501 campaigns.
+references:
+  - https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/
+  - https://cyble.com/blog/embargo-ransomware/
+  - https://aadinternals.com/post/aadbackdoor/
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection
+  cve: []
