TRENDING TOPICS AUG 28, 2025

Update: Storm-0501 Shifts to Cloud-Based Ransomware and Data Extortion

Storm-0501, a financially motivated threat actor active since at least 2021, has shifted from traditional on-premises ransomware to a new model centered on cloud-based data theft, encryption, and extortion. Historically tied to Sabbath, Hive, BlackCat, LockBit, and Embargo ransomware, the group once relied on encrypting endpoints and servers before demanding decryption keys. Now, they exploit weaknesses in hybrid cloud setups by compromising Active Directory and Entra ID tenants, often abusing Directory Synchronization Accounts and taking advantage of weak or missing multifactor authentication. Once inside, they escalate to Global Administrator or Owner roles and establish persistence through malicious federated domains, allowing them to impersonate users and bypass protections. With these privileges, they disable defenses, enumerate assets, and focus on cloud resources instead of on-premises endpoints. Recent campaigns reveal a destructive “steal-and-destroy” approach, where attackers exfiltrate sensitive data, delete snapshots and backups, and, in some cases, encrypt remaining cloud data with new customer-controlled keys. Victims are then contacted directly, even through Microsoft Teams accounts, to receive ransom demands. This evolution highlights the increasing difficulty of defending against adversaries that rely on native cloud features rather than deploying traditional ransomware binaries. Microsoft warns that gaps in Defender coverage, incomplete logging, and weak identity hygiene create the conditions Storm-0501 exploits most effectively. Organizations are urged to strengthen cloud identity protections, enforce phishing-resistant MFA, lock down high-privilege accounts, and enable safeguards like immutability and soft-delete policies on storage. A layered defense that combines endpoint, identity, and cloud controls is now essential to counter this shift toward cloud-native extortion operations.
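The two persistence steps called out above, switching a domain to federation and elevating a principal to Global Administrator, both leave entries in the Entra ID audit log. The following is an added example (not Microsoft's code, and not part of the original advisory) that triages a batch of audit records for exactly those two operations and correlates them when the same actor performs both inside a short window. The record layout is a deliberately simplified, constructed subset of the AuditLogs schema; the field name "AuthenticationType" and the sample accounts and domain are assumptions made for the illustration.

```python
"""Triage Entra ID audit records for the federation-plus-privilege chain
described in the Storm-0501 write-up. Added illustration; the record
shape is a constructed, simplified subset of the real AuditLogs schema."""
from datetime import datetime, timedelta

# Roles whose assignment we treat as high privilege (extend as needed).
HIGH_PRIVILEGE_ROLES = {"Global Administrator"}

# Constructed sample records (not real tenant data). The directory-sync
# account name and domain are hypothetical.
SAMPLE_AUDIT_LOG = [
    {"time": "2025-08-27T02:14:09Z", "operationName": "Set domain authentication",
     "initiatedBy": "dsync@contoso.example",
     "targetResources": [{"displayName": "contoso.example"}],
     "modifiedProperties": [{"displayName": "AuthenticationType",  # assumed property name
                             "oldValue": "Managed", "newValue": "Federated"}]},
    {"time": "2025-08-27T02:16:40Z", "operationName": "Add member to role",
     "initiatedBy": "dsync@contoso.example",
     "targetResources": [{"displayName": "Global Administrator"},
                         {"displayName": "svc-backup@contoso.example"}]},
    {"time": "2025-08-27T09:00:00Z", "operationName": "Update user",
     "initiatedBy": "helpdesk@contoso.example",
     "targetResources": [{"displayName": "jdoe@contoso.example"}],
     "modifiedProperties": []},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def federation_changes(records):
    """Return (time, actor, domain) for every domain moved to Federated."""
    hits = []
    for rec in records:
        if rec.get("operationName") != "Set domain authentication":
            continue
        for prop in rec.get("modifiedProperties", []):
            if prop.get("displayName") == "AuthenticationType" and prop.get("newValue") == "Federated":
                domain = rec["targetResources"][0]["displayName"]
                hits.append((rec["time"], rec["initiatedBy"], domain))
    return hits


def privileged_role_grants(records, roles=HIGH_PRIVILEGE_ROLES):
    """Return (time, actor, role, member) for each high-privilege role assignment."""
    hits = []
    for rec in records:
        if rec.get("operationName") != "Add member to role":
            continue
        names = [t["displayName"] for t in rec.get("targetResources", [])]
        role = next((n for n in names if n in roles), None)
        if role is None:
            continue
        member = next((n for n in names if n != role), "<unknown>")
        hits.append((rec["time"], rec["initiatedBy"], role, member))
    return hits


def correlate(records, window=timedelta(hours=1)):
    """Pair a federation change with a privileged grant by the same actor within `window`.
    Either event alone deserves review; the pair is the persistence chain itself."""
    chains = []
    grants = privileged_role_grants(records)
    for f_time, actor, domain in federation_changes(records):
        for g_time, g_actor, role, member in grants:
            if g_actor == actor and abs(_parse(g_time) - _parse(f_time)) <= window:
                chains.append({"actor": actor, "domain": domain, "role": role, "member": member})
    return chains


def triage(records):
    """Convenience wrapper returning all three views of the batch."""
    return {
        "federation": federation_changes(records),
        "grants": privileged_role_grants(records),
        "chains": correlate(records),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_AUDIT_LOG).items():
        print(kind, items)
```

Because a directory-synchronization account has no business changing domain authentication or granting Global Administrator, an alert on either operation from such an account is cheap and high-signal; the correlation only raises the priority.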

Update: Salt Typhoon Campaigns Tied to Chinese Tech Firms and Global Espionage

Salt Typhoon is a long-running Chinese cyber espionage operation that U.S., UK, and allied intelligence services have now tied to three China-based technology firms working with the Ministry of State Security and the People’s Liberation Army. Active since at least 2021, the group has compromised government, military, transportation, and telecommunications networks worldwide to monitor communications and track individuals of interest. Recent campaigns have placed a heavy emphasis on telecommunications providers, allowing the attackers to intercept text messages, voicemails, and even law enforcement wiretap systems. These efforts go beyond direct targets, with compromised edge devices in unrelated organizations used as stepping stones to pivot into more sensitive environments. Past incidents include intrusions into major U.S. carriers and a months-long breach of a U.S. Army National Guard network, underscoring the scope and persistence of these operations. Salt Typhoon achieves access by exploiting well-documented, long-patched vulnerabilities in widely deployed products, including flaws in Ivanti Connect Secure, Palo Alto PAN-OS, and multiple Cisco platforms. Once inside, they manipulate configurations, enable unauthorized tunnels, capture authentication traffic, and deploy custom Golang-based tools to exfiltrate sensitive data. The reliance on known vulnerabilities highlights a persistent gap in patch management, with attackers prioritizing reliability and scale over stealth or zero-day exploits. Intelligence agencies are urging organizations to prioritize patching, disable unused features such as Cisco Smart Install, harden device configurations, and monitor for suspicious configuration changes or tunnels. Administrators are further advised to restrict management access, enforce secure protocols, and review networks for indicators of compromise. The campaigns reflect both the reach of state-backed espionage efforts and the ongoing risk posed by unpatched infrastructure that remains exposed at the network edge.
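Three of the hardening points above (disable Smart Install, watch for unexpected tunnels, enforce secure management protocols) can be checked directly against a device's running configuration. The script below is an added example, not a tool from the advisory or from Cisco, that parses an IOS-style running-config and reports those three conditions. On IOS, Smart Install is disabled with `no vstack`, which is the line the check looks for; the configuration text itself is constructed for the illustration, and the hostname, addresses and tunnel name are made up.

```python
"""Audit an IOS-style running-config for the Salt Typhoon hardening points:
Smart Install left enabled, tunnel interfaces not on an approved list, and
Telnet permitted on VTY lines. Added example with a constructed config."""

# Constructed sample (not a real device). It deliberately omits `no vstack`,
# carries a GRE-style tunnel, and still allows Telnet on the VTY lines.
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-rtr-01
!
interface Tunnel7
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.45
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
!
line vty 0 4
 transport input telnet ssh
!
end
"""


def _stanzas(config):
    """Yield (header, [child lines]) for each block; children are the indented lines."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def smart_install_disabled(config):
    """True only when the config explicitly disables Smart Install."""
    return any(line.strip() == "no vstack" for line in config.splitlines())


def tunnel_interfaces(config):
    """Map each Tunnel interface to its source and destination."""
    tunnels = {}
    for header, children in _stanzas(config):
        if header.startswith("interface Tunnel"):
            name = header.split(None, 1)[1]
            info = {}
            for child in children:
                if child.startswith("tunnel source "):
                    info["source"] = child.split(None, 2)[2]
                elif child.startswith("tunnel destination "):
                    info["destination"] = child.split(None, 2)[2]
            tunnels[name] = info
    return tunnels


def insecure_vty_transports(config):
    """Return (line stanza, transport line) pairs that still accept Telnet."""
    bad = []
    for header, children in _stanzas(config):
        if header.startswith("line vty"):
            for child in children:
                if child.startswith("transport input") and "telnet" in child.split():
                    bad.append((header, child))
    return bad


def audit(config, approved_tunnels=frozenset()):
    """Collect human-readable findings; an empty list means the three checks pass."""
    findings = []
    if not smart_install_disabled(config):
        findings.append("Smart Install not explicitly disabled (no 'no vstack' line)")
    for name, info in tunnel_interfaces(config).items():
        if name not in approved_tunnels:
            findings.append(f"unapproved tunnel {name} to {info.get('destination', '?')}")
    for header, line in insecure_vty_transports(config):
        findings.append(f"{header}: '{line}' permits Telnet")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG):
        print("FINDING:", finding)
```

Run the audit on a fresh config pull after each maintenance window and diff the tunnel map against the approved list; a tunnel that appears between pulls with no matching change record is the "unauthorized tunnel" the advisory tells you to look for.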

"PromptLock": The First AI-Powered Ransomware Leveraging Local LLMs

ESET researchers have uncovered a new proof-of-concept ransomware family called PromptLock, which is notable for being the first malware to rely on a local large language model to build its attack code on the victim’s own machine. Instead of carrying prewritten payloads, PromptLock includes prompts that are sent to a locally hosted copy of OpenAI’s gpt-oss:20b model through the Ollama API. When executed, it asks the model to generate Lua scripts on demand that handle reconnaissance, file searching, data theft, and encryption. By generating fresh code for each stage of the attack, the malware avoids having a fixed signature, making it more difficult for traditional detection systems to identify. Analysis has also revealed that PromptLock was built in the Go programming language, and samples were found to target both Windows and Linux environments. The Lua scripts created by the model perform tasks including gathering system details, inspecting directories for files containing personal or financial data, sending stolen information back to the attacker's servers, and encrypting local files using the lightweight SPECK 128-bit cipher. Lua was chosen because it can run on multiple operating systems with minimal overhead, allowing the ransomware to spread more easily across different environments. Evidence suggests that the malware is still experimental, with unfinished components including a stubbed data destruction feature and a placeholder Bitcoin address linked to the name of Satoshi Nakamoto. These traits suggest that the developers are testing methods rather than conducting large-scale campaigns. Even so, the concept demonstrates a dangerous shift toward ransomware that can change its behavior in real time, with the code generated by AI models running locally. Organizations should prepare by controlling access to local AI tools, monitoring for unusual script generation activity, and tightening defenses on systems that run LLMs, as this approach to dynamic malware is likely to become more common.
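"Monitoring for unusual script generation activity" is concrete on an Ollama host because the server writes one request line per API call. The added example below (not ESET's tooling and not from the original report) parses a batch of such lines and flags two things: a burst of generation calls (`/api/generate` or `/api/chat`) tighter than a human chatting would produce, which is what one-prompt-per-attack-stage would look like, and any request from a non-loopback client. The log lines are constructed for the illustration in the Gin framework's default access-log layout that Ollama uses; treat the exact format, the burst threshold and the window as assumptions to tune against your own hosts.

```python
"""Heuristic detector for bursts of local LLM generation requests in
Ollama-style access logs. Added example; log lines are constructed and
the Gin-format regex, threshold and window are assumptions."""
import re
from datetime import datetime, timedelta

# Gin default access-log layout: [GIN] date - time | status | latency | client | METHOD "path"
LOG_RE = re.compile(
    r'\[GIN\]\s+(\d{4}/\d{2}/\d{2} - \d{2}:\d{2}:\d{2})\s+\|\s+(\d{3})\s+\|\s+\S+\s+\|\s+(\S+)\s+\|\s+(\w+)\s+"([^"]+)"'
)
GENERATION_PATHS = {"/api/generate", "/api/chat"}

# Constructed sample: six generation calls in about a minute from loopback,
# then one call from a non-loopback address half an hour later.
SAMPLE_LOG = """\
[GIN] 2025/08/28 - 03:11:02 | 200 |     1.2ms |       127.0.0.1 | GET      "/api/tags"
[GIN] 2025/08/28 - 03:11:05 | 200 |   6.431s |       127.0.0.1 | POST     "/api/generate"
[GIN] 2025/08/28 - 03:11:14 | 200 |   5.902s |       127.0.0.1 | POST     "/api/generate"
[GIN] 2025/08/28 - 03:11:27 | 200 |   7.115s |       127.0.0.1 | POST     "/api/generate"
[GIN] 2025/08/28 - 03:11:40 | 200 |   6.008s |       127.0.0.1 | POST     "/api/generate"
[GIN] 2025/08/28 - 03:11:55 | 200 |   8.330s |       127.0.0.1 | POST     "/api/generate"
[GIN] 2025/08/28 - 03:12:09 | 200 |   5.470s |       127.0.0.1 | POST     "/api/generate"
[GIN] 2025/08/28 - 03:40:00 | 200 |   4.100s |        10.0.0.5 | POST     "/api/chat"
"""


def parse_log(text):
    """Turn access-log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ts, status, client, method, path = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%Y/%m/%d - %H:%M:%S"),
            "status": int(status), "client": client, "method": method, "path": path,
        })
    return events


def peak_generation_count(events, window=timedelta(minutes=2)):
    """Largest number of generation requests that fall inside any `window`,
    with the start time of that window (None when there are no such requests)."""
    times = sorted(e["time"] for e in events if e["path"] in GENERATION_PATHS)
    best, start = 0, None
    for i, t0 in enumerate(times):
        count = sum(1 for t in times[i:] if t - t0 <= window)
        if count > best:
            best, start = count, t0
    return best, start


def non_loopback_clients(events):
    """Clients other than IPv4/IPv6 loopback; a local-only model server should have none."""
    return sorted({e["client"] for e in events
                   if not e["client"].startswith("127.") and e["client"] != "::1"})


def assess(text, threshold=5, window=timedelta(minutes=2)):
    """Return human-readable findings for the log batch; empty means nothing unusual."""
    events = parse_log(text)
    count, start = peak_generation_count(events, window)
    findings = []
    if count >= threshold:
        findings.append(f"{count} generation requests within {window} starting {start}")
    for ip in non_loopback_clients(events):
        findings.append(f"request from non-loopback client {ip}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_LOG):
        print("FINDING:", finding)
```

The burst heuristic is coarse by design: on a developer workstation the threshold will need raising, while on a server that should never call the model interactively any generation request outside a known job schedule is already worth a ticket. Pair it with process-level telemetry on who opened the connection to the Ollama port, which the access log alone cannot tell you.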

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.