Thursday, May 8, 2025

Microsoft Warns of Ransomware Gangs Exploiting Cloud Environments with New Techniques


In a comprehensive analysis of the ransomware landscape in the first quarter of 2025, Microsoft Threat Intelligence has highlighted significant shifts in tactics by threat actors, marking a strategic evolution in their operations.

The analysis reveals a growing trend where ransomware groups are not only expanding their attack vectors but also targeting cloud environments with new and sophisticated techniques.

Ransomware as a Service (RaaS) Affiliates Enter the Scene

For the first time, Microsoft observed a state-affiliated threat actor, Moonstone Sleet from North Korea, engaging with a Ransomware-as-a-Service (RaaS) provider, Qilin, to deploy ransomware.


Traditionally, this actor had only utilized custom ransomware, showing a shift towards leveraging established RaaS operators to enhance the efficiency of their attacks.

This development underscores the adaptability of state-sponsored actors in the ransomware ecosystem.

Hybrid Cloud Environment Vulnerabilities Exploited

The threat actor known as Storm-0501 has been noted for resuming its aggressive targeting of hybrid cloud environments.

This group has refined its approach by exploiting insecure hybrid accounts to move laterally from on-premises environments to cloud resources, where they delete backups and send extortion messages.

This tactic, detailed in previous reports by Microsoft (msft.it/6011S6VuW), demonstrates an understanding of cloud architecture vulnerabilities, making it a prime example of how lateral movement in cloud services is becoming a new frontier for ransomware attacks.

The leak of Black Basta’s group chat messages in February provided a rare insight into the operational intricacies of closed ransomware groups.

The chats revealed the use of Citrix, Jenkins, and VPN exploits, alongside weak ESXi authentication and compromised SSH for lateral movement.

Black Basta, known for its selective and sophisticated targeting, has been noted for its activity overlap with groups like Storm-1674 and others, suggesting an interconnected network of threat actors sharing techniques and infrastructure.

Storm-1175 has been particularly active in exploiting newly disclosed vulnerabilities in remote monitoring and management (RMM) tools like SimpleHelp.

By leveraging the critical vulnerabilities CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, this actor has been able to rapidly deploy Medusa ransomware, underscoring both how quickly ransomware actors reuse newly disclosed vulnerabilities and the importance of timely patching.

Fake IT scams continue to serve as a primary initial access vector for many ransomware groups.

Actors like Storm-2410 and Storm-1674 utilize these methods to gain initial footholds, often leading to the deployment of remote access tools like Quick Assist or PowerShell scripts for further control.

The use of these methods indicates an ongoing reliance on social engineering as an effective entry point for ransomware.

Microsoft’s detailed report serves as a critical reminder to enterprises about the evolving nature of ransomware threats, particularly in how they exploit cloud environments and leverage new vulnerabilities or social engineering tactics.

As attackers adapt, so must cybersecurity strategies, focusing not only on traditional endpoint protection but also on securing cloud infrastructure and ensuring robust backup solutions are in place to mitigate the impact of such sophisticated attacks.


Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
