Threat Actor Profile
High APT
Description

Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.(Citation: Avertium Storm-0501 Sabbath Ransomware Arcane January 2022)(Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)(Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)(Citation: Google Mandiant Storm-0501 Sabbath Ransomware November 2021)

Confidence Score
90%
Known Aliases
Storm-0501
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

2021 (the description above states the group has been active since 2021)

Last Updated

2025-10-24 (modified timestamp of the STIX object below)

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (42), grouped by tactic

Resource Development
T1587.003 - Digital Certificates
T1588.006 - Vulnerabilities

Initial Access
T1190 - Exploit Public-Facing Application

Execution
T1053.005 - Scheduled Task
T1059.001 - PowerShell
T1059.009 - Cloud API

Persistence
T1098.001 - Additional Cloud Credentials
T1098.003 - Additional Cloud Roles

Defense Evasion
T1027.002 - Software Packing
T1036.004 - Masquerade Task or Service
T1078.004 - Cloud Accounts
T1218.010 - Regsvr32
T1218.011 - Rundll32
T1484.001 - Group Policy Modification
T1484.002 - Trust Modification
T1578.003 - Delete Cloud Instance

Credential Access
T1003 - OS Credential Dumping
T1003.006 - DCSync
T1110 - Brute Force
T1552.004 - Private Keys
T1555.005 - Password Managers
T1555.006 - Cloud Secrets Management Stores
T1556.009 - Conditional Access Policies

Discovery
T1057 - Process Discovery
T1082 - System Information Discovery
T1087.002 - Domain Account
T1087.004 - Cloud Account
T1482 - Domain Trust Discovery
T1518.001 - Security Software Discovery
T1526 - Cloud Service Discovery
T1580 - Cloud Infrastructure Discovery
T1614.001 - System Language Discovery

Lateral Movement
T1021.006 - Windows Remote Management
T1021.007 - Cloud Services

Collection
T1530 - Data from Cloud Storage

Command and Control
T1219.002 - Remote Desktop Software

Exfiltration
T1537 - Transfer Data to Cloud Account
T1567.002 - Exfiltration to Cloud Storage

Impact
T1485 - Data Destruction
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
T1657 - Financial Theft
STIX Data
{'aliases': ['Storm-0501'],
 'created': '2025-10-19T19:08:22.474Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Storm-0501](https://attack.mitre.org/groups/G1053) is a '
                'financially motivated cyber criminal group that uses '
                'commodity and open-source tools to conduct ransomware '
                'operations. '
                '[Storm-0501](https://attack.mitre.org/groups/G1053) has been '
                'active since 2021 and has previously been affiliated with '
                'Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) '
                'variants such as Hive, '
                '[BlackCat](https://attack.mitre.org/software/S1068), Hunters '
                'International, [LockBit '
                '3.0](https://attack.mitre.org/software/S1202), and '
                '[Embargo](https://attack.mitre.org/software/S1247) '
                'ransomware.(Citation: Avertium Storm-0501 Sabbath Ransomware '
                'Arcane January 2022)(Citation: Microsoft Storm-501 Sabbath '
                'Ransomware Embargo September 2024)(Citation: Microsoft '
                'Storm-0501 Embargo Ransomware August 2025)(Citation: Google '
                'Mandiant Storm-0501 Sabbath Ransomware November 2021)',
 'external_references': [{'external_id': 'G1053',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1053'},
                         {'description': 'Avertium. (2022, January 11). An '
                                         'In-Depth Look at Ransomware Gang, '
                                         'Sabbath. Retrieved October 19, 2025.',
                          'source_name': 'Avertium Storm-0501 Sabbath '
                                         'Ransomware Arcane January 2022',
                          'url': 'https://www.avertium.com/resources/threat-reports/in-depth-look-at-sabbath-ransomware-gang'},
                         {'description': 'Microsoft Threat Intelligence. '
                                         '(2024, September 26). Storm-0501: '
                                         'Ransomware attacks expanding to '
                                         'hybrid cloud environments. Retrieved '
                                         'October 19, 2025.',
                          'source_name': 'Microsoft Storm-501 Sabbath '
                                         'Ransomware Embargo September 2024',
                          'url': 'https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/'},
                         {'description': 'Microsoft Threat Intelligence. '
                                         '(2025, August 27). Storm-0501’s '
                                         'evolving techniques lead to '
                                         'cloud-based ransomware. Retrieved '
                                         'October 19, 2025.',
                          'source_name': 'Microsoft Storm-0501 Embargo '
                                         'Ransomware August 2025',
                          'url': 'https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/'},
                         {'description': 'Tyler McLellan, Brandan Schondorfer. '
                                         '(2021, November 29). Kitten.gif: '
                                         'Meet the Sabbath Ransomware '
                                         'Affiliate Program, Again. Retrieved '
                                         'October 19, 2025.',
                          'source_name': 'Google Mandiant Storm-0501 Sabbath '
                                         'Ransomware November 2021',
                          'url': 'https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/'}],
 'id': 'intrusion-set--7b404cd0-3ae9-41d4-90c0-023793d35d97',
 'modified': '2025-10-24T02:33:31.401Z',
 'name': 'Storm-0501',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}