Ransomware Groups Abusing Azure Storage Explorer For Stealing Data

Ransomware attackers are increasingly exfiltrating data using tools like MEGAsync and Rclone.

Shellbags analysis by modePUSH reveals their navigation of directories and file shares to find sensitive data.

Despite exfiltrating large amounts of data, attackers prioritize valuable and protected information.

The BianLian and Rhysida ransomware groups have been using Azure Storage Explorer to extract data from compromised systems.

This tool, available for various platforms, leverages AzCopy to transfer files from Azure storage, including blobs, shares, and disks.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

In one incident, BianLian copied hundreds of files from a company’s main file server using Azure Storage Explorer.

The threat actor proactively installed Azure Storage Explorer on the system, upgrading .NET to version 8 beforehand, which allowed them to store the main executable and additional files in either the user-specific or system-wide Program Files directory, depending on the installation choice.

AzCopy, a command-line utility for transferring data to and from Azure Storage, is commonly used by threat actors to exfiltrate data to Azure Blob Storage, a highly scalable and secure storage solution.

The approach is often favored due to its ability to handle large volumes of data and the low likelihood of network restrictions blocking outbound connections to Microsoft IP addresses.

Azure Blob Storage organizes data in a hierarchical structure.

Storage accounts serve as namespaces, while containers group blobs, which are individual data objects, which is analogous to buckets in other cloud providers like Amazon S3 and Google Cloud Storage.

Azure Storage Explorer uses AzCopy for file transfers and logs these operations at the INFO level by default, which can be adjusted in the tool’s settings.

For failed transfers, Azure Storage Explorer provides options to retry or view the detailed AzCopy log file.

AzCopy generates two types of logs for each job: regular and scanning, where regular logs, which are most useful for incident response, contain information like the AzCopy command and file activity details.

To detect data exfiltration, focus on UPLOADSUCCESSFUL and UPLOADFAILED events. Other events, like DOWNLOADSUCCESSFUL and DOWNLOADFAILED, can also be relevant depending on the incident.

The “Logout On Exit” setting in Azure Storage Explorer is not enabled by default, allowing threat actors to easily resume previous sessions and exfiltrate data to their controlled storage accounts.

The COPYSUCCESSFUL and COPYFAILED events in the AzCopy log file provide valuable insights into these data transfer activities.

modePUSH identified attackers using Azure Storage Explorer for data exfiltration, emphasizing the need for comprehensive forensic analysis during incident response to counter evolving ransomware and data exfiltration tactics.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial