The Microsoft Threat Intelligence team has warned about a financially motivated threat actor known as Storm-0501. The group has been adapting tactics to steal data stored in the cloud and lock companies out of their systems. Essentially, these cloud-based ransomware tactics enable the threat actors to rapidly exfiltrate large volumes of data while destroying backups and demanding ransoms.

It was also found that they targeted subsidiaries lacking Microsoft security tools to evade detection, moved laterally across the network, and exploited an account that did not have multi-factor authentication enabled. After resetting the account's password and registering their own Multi-Factor Authentication (MFA) method, they gained full access to the cloud environment, created a backdoor, and accessed critical assets. The hacker stole sensitive data, deleted backups, and demanded a ransom, demonstrating a calculated and strategic approach to breaching the organisation's defences.

According to The Record, several security firms have reported that former ransomware hackers are now targeting data stored in the cloud. Over the past year, major breaches have involved the theft of data from providers such as Snowflake and Salesforce.

Recently, Google identified a campaign in which attackers used a third-party service to steal Salesforce data. Their goal was to obtain login credentials, allowing them to compromise victim environments further and potentially pivot into the systems of clients or partners, signalling a shift towards more strategic, credential-focused cloud attacks.