@MHaggis MHaggis commented Jan 20, 2026

Storm-0501 Ransomware Analytic Story

### Summary
Adds a new analytic story for **Storm-0501**, a financially motivated RaaS affiliate known for hybrid cloud ransomware attacks targeting government, healthcare, and critical infrastructure sectors.

### New Analytic Story
- `stories/storm_0501_ransomware.yml`

### Tagged Detections (14)

| Detection | Category |
|-----------|----------|
| Detect RClone Command-Line Usage | Exfiltration |
| Common Ransomware Notes | Impact |
| WBAdmin Delete System Backups | Impact |
| Suspicious wevtutil Usage | Defense Evasion |
| Disable Windows Behavior Monitoring | Defense Evasion |
| Windows Suspicious C2 Named Pipe | Command & Control |
| Impacket Lateral Movement Commandline Parameters | Lateral Movement |
| Impacket Lateral Movement WMIExec Commandline Parameters | Lateral Movement |
| Detect PsExec With accepteula Flag | Lateral Movement |
| Detect Remote Access Software Usage Process | Command & Control |
| SecretDumps Offline NTDS Dumping Tool | Credential Access |
| NLTest Domain Trust Discovery | Discovery |
| Azure AD New Federated Domain Added | Persistence |
| Azure AD Privileged Role Assigned | Privilege Escalation |

### References
- [Microsoft: Storm-0501 Ransomware attacks expanding to hybrid cloud environments](https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/)