Microsoft's Threat Intelligence team has uncovered a new ransomware threat actor, Storm-0501, targeting various critical sectors in the U.S., including government, manufacturing, transportation, and law enforcement. The group is now expanding its operations by targeting U.S. hospitals, which raises serious concerns for both public safety and cybersecurity.
In a new report from Microsoft, the company's threat intel team says Storm-0501 has emerged as a sophisticated group with ransomware capabilities, focused on exploiting vulnerabilities to infiltrate systems and demand ransom payments. Its primary aim is to disrupt critical services and exfiltrate sensitive data for monetary gain. Initially focused on government and industrial sectors, the group has recently turned its attention to healthcare, which poses significant risks due to the sensitive nature of medical data and the potential for disruptions to life-saving operations.
From the report: "Storm-0501 is the latest threat actor observed to exploit weak credentials and over-privileged accounts to move from organizations’ on-premises environment to cloud environments. They stole credentials and used them to gain control of the network, eventually creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises. Microsoft previously observed threat actors such as Octo Tempest and Manatee Tempest targeting both on-premises and cloud environments and exploiting the interfaces between the environments to achieve their goals."
The cybercriminals behind Storm-0501 employ advanced social engineering techniques, including phishing emails to trick victims into granting access to internal systems. They also exploit known vulnerabilities in outdated systems or poorly secured networks. Once inside, they deploy ransomware, encrypting files and demanding hefty payments to restore access. The team at Microsoft also notes their use of double extortion tactics, where attackers not only encrypt data but threaten to publicly release sensitive information if their demands are not met.
"Given the complexity and scale of hybrid cloud environments, we are seeing attackers, including groups like Storm-0501, increasingly target these systems due to their larger attack surface and numerous potential entry points," said Patrick Tiquet, Vice President, Security & Architecture, at Keeper Security. "For security teams, staying ahead of these threats requires a comprehensive, proactive approach."
Tiquet continued: "One of the most important steps is adopting a zero trust architecture. This model restricts access based on continuous verification, ensuring that users only have access to the resources essential for their specific roles, minimizing exposure to malicious actors. Weak credentials remain one of the most vulnerable entry points in hybrid cloud environments, and groups like Storm-0501 are likely to exploit them. Security teams should prioritize strengthening password policies by enforcing strong, unique credentials for every account and implementing multi-factor authentication (MFA) across all systems. Utilizing PAM (privileged access management) solutions can further safeguard privileged accounts by restricting access, monitoring, and regularly reviewing permissions."
Storm-0501's shift in focus to hospitals has drawn considerable attention due to the critical infrastructure involved. Ransomware attacks on healthcare institutions can have devastating consequences, potentially disrupting patient care, emergency services, and compromising confidential medical records. Attacks on hospitals are particularly troubling, as many operate with legacy systems that may not be properly secured against modern threats, making them a prime target for threat actors.
Two U.S. senators, including the chair of the Senate Committee on Finance, on September 27 proposed a bill aimed at large healthcare corporations getting their cybersecurity houses in order.
With Storm-0501's growing focus on high-value targets, the need for robust cybersecurity strategies has never been more urgent. Organizations in critical sectors—especially healthcare—must prioritize updating systems, strengthening network defenses, and educating employees on recognizing phishing attempts. A coordinated effort between private sector cybersecurity professionals, public sector agencies, and law enforcement will be key in mitigating the risks posed by groups like Storm-0501.
The Microsoft Threat Intelligence team advises organizations in these sectors to:
- Patch systems regularly to address vulnerabilities.
- Use multi-factor authentication to prevent unauthorized access.
- Implement advanced threat detection tools to identify and block ransomware campaigns early.
- Increase employee training on recognizing phishing and other social engineering attacks.
"This report highlights the critical need for robust security measures across hybrid cloud environments. Security teams should prioritize strengthening identity and access management, implementing least privilege principles, and ensuring timely patching of internet-facing systems," said Stephen Kowski, Field CTO at SlashNext Email Security+. "Additionally, deploying advanced email and messaging security solutions can help prevent initial access attempts through phishing or social engineering tactics that often serve as entry points for these sophisticated attacks."
Patrick Tiquet added: "Centralizing Endpoint Device Management (EDM) is another essential move. Ensuring consistent security patching across all environments—whether cloud-based or on-premise—prevents attackers from exploiting known vulnerabilities. Finally, deploying advanced monitoring tools across hybrid environments helps security teams spot suspicious activity early, allowing them to act quickly before an intrusion can escalate into a full-blown breach."