Introduction
Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware [2][3][4][5].
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1219.002 Remote Desktop Software
- T1537 Transfer Data to Cloud Account
- T1490 Inhibit System Recovery
- T1484.001 Group Policy Modification
- T1530 Data from Cloud Storage
- T1059.001 PowerShell
- T1485 Data Destruction
- T1053.005 Scheduled Task
- T1087.004 Cloud Account
- T1003.006 DCSync
- T1526 Cloud Service Discovery
- T1567.002 Exfiltration to Cloud Storage
- T1059.009 Cloud API
- T1021.007 Cloud Services
- T1021.006 Windows Remote Management
- T1190 Exploit Public-Facing Application
- T1057 Process Discovery
- T1518.001 Security Software Discovery
- T1486 Data Encrypted for Impact
- T1657 Financial Theft
- T1078.004 Cloud Accounts
- T1218.010 Regsvr32
- T1555.006 Cloud Secrets Management Stores
- T1555.005 Password Managers
- T1484.002 Trust Modification
- T1580 Cloud Infrastructure Discovery
- T1482 Domain Trust Discovery
- T1578.003 Delete Cloud Instance
- T1082 System Information Discovery
- T1027.002 Software Packing
- T1614.001 System Language Discovery
- T1552.004 Private Keys
- T1036.004 Masquerade Task or Service
- T1098.003 Additional Cloud Roles
- T1087.002 Domain Account
- T1218.011 Rundll32
- T1587.003 Digital Certificates
- T1588.006 Vulnerabilities
- T1556.009 Conditional Access Policies
- T1003 OS Credential Dumping
- T1110 Brute Force
- T1098.001 Additional Cloud Credentials
Ransomware Vulnerability Matrix observations
| Category | Vendor | Product | CVEs |
|---|---|---|---|
| Applications | Adobe | ColdFusion | CVE-2023-29300, CVE-2023-38203 |
| Virtualization | Citrix | NetScaler ADC & Gateway | CVE-2023-4966 |
| Applications | Zoho | ManageEngine ADSelfService Plus | CVE-2022-47966 |
ATT&CK technique IDs (denormalized)
- T1003
- T1003.006
- T1021.006
- T1021.007
- T1027.002
- T1036.004
- T1053.005
- T1057
- T1059.001
- T1059.009
- T1078.004
- T1082
- T1087.002
- T1087.004
- T1098.001
- T1098.003
- T1110
- T1190
- T1218.010
- T1218.011
- T1219.002
- T1482
- T1484.001
- T1484.002
- T1485
- T1486
- T1490
- T1518.001
- T1526
- T1530
- T1537
- T1552.004
- T1555.005
- T1555.006
- T1556.009
- T1567.002
- T1578.003
- T1580
- T1587.003
- T1588.006
- T1614.001
- T1657
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- Backdoor.Oldrea
- CloudDuke
- CyberGate
- Cyber Eye RAT
- UNITEDRAKE
- Xploit
- Cobalt Strike
MITRE ATT&CK Software
- Impacket (S0357) — tool
- Tasklist (S0057) — tool
- Cobalt Strike (S0154) — malware
- Embargo (S1247) — malware
- Rclone (S1040) — tool
- Nltest (S0359) — tool
- Net (S0039) — tool
- AADInternals (S0677) — tool
Ransomware Tool Matrix observations
| Category | Observed tools |
|---|---|
| Credential Theft | AADInternals, Find-KeePassConfig |
| Discovery | ADRecon, AzureHound, OSQuery, ossec-win32 |
| Exfiltration | AZCopy, MEGA, RClone |
| OffSec | Cobalt Strike, Evil-WinRM, Impacket |
| RMM Tools | AnyDesk, Level.io, NinjaOne |
Attribution and Evidence
Information pending cataloguing.
References
[1] MITRE ATT&CK.
[2] Avertium. (2022, January 11). An In-Depth Look at Ransomware Gang, Sabbath. Retrieved October 19, 2025.
[3] Microsoft Threat Intelligence. (2024, September 26). Storm-0501: Ransomware attacks expanding to hybrid cloud environments. Retrieved October 19, 2025.
[4] Microsoft Threat Intelligence. (2025, August 27). Storm-0501's evolving techniques lead to cloud-based ransomware. Retrieved October 19, 2025.
[5] Tyler McLellan, Brandan Schondorfer (Google Mandiant). (2021, November 29). Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again. Retrieved October 19, 2025.