In the ever-evolving landscape of cyber threats, ransomware groups continue to adapt their tactics, motivations, and targets. One such group that has garnered significant attention is Stormous. Initially emerging with claims that drew skepticism, Stormous has evolved, often collaborating with other entities and increasingly blending financial extortion with politically charged motivations. Operating primarily as a ransomware group employing double extortion tactics, Stormous poses a threat to organizations globally, demanding vigilance from security professionals. This article provides a profile of the Stormous ransomware group, detailing its origins, operational tactics, target preferences, notable campaigns, and essential defense strategies to help organizations mitigate the risks associated with this threat actor.
Stormous first surfaced in the cybercrime scene around mid-2021, with activity notably increasing in 2022. Early reports, such as those from ZeroFox in February 2022, treated the group's claims of successful ransomware deployments with caution, suggesting that none had been independently verified at the time. There was speculation that Stormous might be conducting "scavenger operations," targeting victims whose data had already been compromised and leaked by other ransomware groups, aiming for quick financial gains by re-extorting victims or selling existing data. Initial assessments pointed towards financial motivation, with ransom notes reportedly written in Arabic.
However, the group's trajectory shifted. Later analyses and activities suggested a pivot or clarification towards politically motivated operations, often described as hacktivism combined with cybercrime. This evolution involved forming alliances with other threat groups. Most notably, Stormous forged a significant partnership with GhostSec, another hacking group known for its own ransomware (GhostLocker) and targeting of industrial systems and critical infrastructure, particularly in regions like Israel. This collaboration, seemingly solidified around mid-to-late 2023, led to joint double extortion campaigns and the launch of a Ransomware-as-a-Service (RaaS) platform named STMX_GhostLocker.
Stormous also claimed association with a broader collective known as the "Five Families," allegedly including GhostSec, ThreatSec, Blackforums, and SiegedSec. This network suggests a level of coordination and shared resources among these groups, amplifying their potential impact. Stormous utilized channels like Telegram to announce their activities and the new RaaS program, indicating a move towards more organized and public-facing operations, albeit within the confines of the cybercriminal underground. The group's evolution highlights a common trend where threat actors adapt their narratives and affiliations, potentially to increase notoriety, attract affiliates, or align with geopolitical currents.
Stormous employs a multifaceted approach that combines traditional ransomware tactics with strategies potentially influenced by its political leanings and collaborations, particularly with GhostSec. Their modus operandi revolves around data encryption, extortion, and leveraging alliances; brute force is among the attack methods used.
Key Attack Stages & TTPs:
Initial Access: While specific initial access vectors for Stormous alone are less documented, ransomware groups commonly use methods like:
Phishing: Crafting emails with malicious attachments or links to trick users into executing malware or divulging credentials.
Exploiting Vulnerabilities: Targeting unpatched vulnerabilities in public-facing applications, VPNs, or network devices. GhostSec, Stormous's partner, is known to target industrial control systems and leverage tools like "GhostSec Deep Scan" and "GhostPresser" for web compromise, suggesting these capabilities could be used in joint operations.
Compromised Credentials: Using stolen or weak credentials, often obtained from dark web markets or previous breaches, to access networks, particularly via Remote Desktop Protocol (RDP).
Execution & Encryption: Once access is gained, the ransomware payload is executed. In joint operations or via their RaaS, this could involve variants like GhostLocker 2.0 (a Go-based ransomware associated with GhostSec). This ransomware encrypts files on the victim's systems, often appending a specific extension (e.g., ".ghost" linked to GhostLocker). Critical system files may be excluded to ensure the machine remains operational enough for the victim to read the ransom note.
Extortion (Double Extortion): Stormous prominently uses double extortion.
Encryption: Files are rendered inaccessible, demanding a ransom for the decryption key.
Data Exfiltration & Leak Threat: Before or during encryption, sensitive data is stolen from the victim's network. Stormous then threatens to publish this data on their dedicated Data Leak Site (DLS) if the ransom is not paid within a specified deadline. This increases pressure on victims, especially those concerned about regulatory fines, reputational damage, or the exposure of confidential information.
Ransomware-as-a-Service (RaaS): Through their collaboration with GhostSec, Stormous operates the STMX_GhostLocker RaaS platform. This allows other cybercriminals (affiliates) to use their ransomware infrastructure in exchange for a share of the profits. The RaaS model typically provides affiliates with ransomware builders, configuration options (e.g., persistence methods, target directories, evasion techniques), and sometimes C2 infrastructure, significantly lowering the barrier to entry for conducting ransomware attacks. The STMX_GhostLocker platform reportedly offers various tiers or options for affiliates.
Command and Control (C2): Ransomware requires communication with attacker-controlled servers for sending encryption keys, receiving commands, or exfiltrating data. While specific Stormous C2 details are scarce, the infrastructure associated with GhostLocker 2.0 (used in the RaaS) was reportedly located in Russia.
Persistence & Defense Evasion: Like most ransomware, Stormous's payloads likely include mechanisms to maintain persistence (e.g., registry keys, scheduled tasks) and evade detection by security software (e.g., obfuscation, disabling security tools).
Their tactics demonstrate a blend of technical deployment of ransomware with psychological pressure through data leak threats, amplified by their RaaS operation and alliances, allowing them to scale attacks and target a wide range of victims.
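The stages above describe behaviour a defender can look for on the endpoint rather than a signature. The following is an added example (not code from the article or from any vendor) that triages a constructed, Sysmon-like event feed for the TTPs named here: a burst of renames to the GhostLocker-linked ".ghost" extension, shadow-copy deletion, Run-key persistence and scheduled-task creation. The record layout, hostnames, paths and thresholds are assumptions.

```python
"""Behaviour-based triage of endpoint telemetry for the ransomware TTPs above:
mass renames to the GhostLocker-linked ".ghost" extension (T1486), shadow-copy
deletion (T1490), Run-key persistence (T1547.001) and scheduled-task creation
(T1053.005). Added example; the event layout is a constructed Sysmon-like feed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import re

ENCRYPTED_EXT = ".ghost"   # extension the article links to GhostLocker
RENAME_THRESHOLD = 20      # renames to ENCRYPTED_EXT per host before alerting
WINDOW_SECONDS = 60        # ...within this sliding window
RECOVERY_TAMPER = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+/create", re.I)
# Assumed record layout: (ISO timestamp, host, event type, detail). Constructed data.
SAMPLE_EVENTS = [
    ("2024-03-06T02:10:00", "fs01", "ProcessCreate", "vssadmin.exe delete shadows /all /quiet"),
    ("2024-03-06T02:10:02", "fs01", "RegistryValueSet",
     r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater = C:\Users\Public\svc.exe"),
    ("2024-03-06T02:10:03", "ws07", "ProcessCreate",
     r"schtasks.exe /create /tn Updater /tr C:\Users\Public\svc.exe /sc onlogon"),
    ("2024-03-06T02:11:30", "ws07", "FileRename",
     r"C:\Users\jdoe\report.docx -> C:\Users\jdoe\report.docx.ghost"),
] + [
    # 30 renames on fs01 within eight seconds: the mass-encryption pattern.
    (f"2024-03-06T02:10:{5 + i // 4:02d}", "fs01", "FileRename",
     rf"D:\share\doc{i}.xlsx -> D:\share\doc{i}.xlsx.ghost")
    for i in range(30)
]

@dataclass(frozen=True)
class Alert:
    host: str
    technique: str
    summary: str

def triage(events):
    """Map raw events to ATT&CK-tagged alerts; at most one T1486 alert per host."""
    alerts = []
    renames = defaultdict(list)  # host -> timestamps of renames to ENCRYPTED_EXT
    for ts, host, etype, detail in events:
        if etype == "ProcessCreate":
            if RECOVERY_TAMPER.search(detail):
                alerts.append(Alert(host, "T1490", f"recovery inhibited: {detail}"))
            if SCHTASKS_CREATE.search(detail):
                alerts.append(Alert(host, "T1053.005", f"scheduled task created: {detail}"))
        elif etype == "RegistryValueSet" and RUN_KEY.search(detail):
            alerts.append(Alert(host, "T1547.001", f"Run key written: {detail}"))
        elif etype == "FileRename" and detail.lower().endswith(ENCRYPTED_EXT):
            renames[host].append(datetime.fromisoformat(ts))
    # Sliding window per host; the single stray rename on ws07 stays below threshold.
    for host, stamps in renames.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                alerts.append(Alert(host, "T1486",
                    f"{end - start + 1} renames to {ENCRYPTED_EXT} within {WINDOW_SECONDS}s"))
                break
    return alerts

def techniques_by_host(alerts):
    """Collapse alerts to {host: sorted technique IDs} for scoping an incident."""
    grouped = defaultdict(set)
    for a in alerts:
        grouped[a.host].add(a.technique)
    return {h: sorted(t) for h, t in grouped.items()}

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert.technique}] {alert.host}: {alert.summary}")
```

Real deployments would key the rename threshold to baseline file activity per host and add the other recovery-tampering commands seen in the environment.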
Stormous exhibits a complex targeting strategy influenced by both financial opportunism and declared political or hacktivist motivations. Their victimology spans various sectors and geographies.
Motivations:
Political/Hacktivist: Stormous has claimed political motivations for some attacks, framing them as acts against perceived enemies or in support of specific causes. This includes targeting organizations in countries based on geopolitical alignments and potentially using proceeds to fund other hacktivist activities. This narrative differentiates them from purely profit-driven groups.
Financial Gain: Despite political claims, financial enrichment remains a core driver. This is evident through ransom demands, the operation of the STMX_GhostLocker RaaS (which generates revenue from affiliates), and potentially selling stolen data. The early "scavenger operation" theory also points to a foundational financial motive.
Target Industries: The group does not appear limited to specific sectors. Based on reported attacks and collaborations (especially with GhostSec), targeted industries include:
Technology
Government
Education
Manufacturing
Finance
Healthcare
Food and Beverage (e.g., Duvel Moortgat Brewery)
Critical Infrastructure and Industrial Systems (leveraging GhostSec's focus)
Target Regions: Stormous demonstrates a global reach. Victims have been reported across numerous countries, indicating an opportunistic approach combined with potential geopolitical targeting:
Middle East: Early reports mentioned Saudi Arabia, Lebanon, Israel, Qatar, Turkiye, Egypt. GhostSec's known focus on Israel likely influences joint targeting.
Asia: China, India, Uzbekistan, Vietnam, Thailand, Indonesia.
Americas: United States, Cuba, Argentina, Brazil.
Europe: Poland, Belgium.
Africa: South Africa, Morocco.
This extensive list suggests that while political motives might direct some attacks, vulnerability and opportunity play significant roles.
Potential Impact: Attacks by Stormous can lead to severe consequences for victims:
Operational Disruption: Encryption of critical systems can halt business operations, as seen in the Duvel brewery attack, leading to production downtime and service unavailability.
Data Breach: Exfiltration of sensitive data (customer information, intellectual property, internal documents) can result in regulatory penalties (e.g., GDPR, CCPA), loss of competitive advantage, and long-term reputational damage.
Financial Loss: Costs include ransom payments (if made), recovery efforts, incident response services, legal fees, and potential revenue loss during downtime.
Public Relations Crisis: Politically motivated attacks or public data leaks can attract significant media attention and damage public trust.
Stormous's broad victimology underscores the need for organizations across sectors and regions to be prepared for ransomware threats driven by a mix of financial and ideological goals.
Stormous has been associated with several attack campaigns since its emergence, evolving from initially doubted claims to more concrete incidents, often in collaboration with GhostSec.
Early Claims (2022): In early 2022, Stormous made numerous claims of successful intrusions against various organizations, including large conglomerates in India and Japanese video game companies. However, security researchers like ZeroFox noted at the time that these claims were largely unverified, raising questions about the group's actual capabilities versus their self-promotion.
Joint Campaigns with GhostSec (Mid-2023 onwards): The collaboration with GhostSec marked a more active and verifiable phase. Starting around July 2023, joint attacks were reported, initially targeting government entities in Cuba. This partnership solidified, leading to broader campaigns leveraging double extortion tactics.
Multi-Country Targeting (Late 2023 - Early 2024): Reports emerged detailing joint GhostSec/Stormous attacks impacting organizations across more than 15 countries. These campaigns utilized the STMX_GhostLocker RaaS and targeted sectors like Technology, Education, Manufacturing, and Government in diverse nations including China, India, Brazil, Poland, and several Middle Eastern and African countries.
Duvel Moortgat Brewery Attack (March 2024): One of the most high-profile attacks publicly attributed to Stormous occurred in March 2024 against the Belgian brewery Duvel Moortgat. Stormous claimed responsibility, stating they had stolen 88 GB of data and setting a ransom deadline. The attack caused significant operational disruption, forcing the shutdown of production lines at the company's sites in Belgium and the United States. This incident highlighted the group's capability to impact major international corporations and disrupt physical operations. Vulnerable components may have been one of the factors behind the attack.
These campaigns illustrate Stormous's evolution from potentially exaggerated initial claims to participating in widespread, impactful ransomware operations, often leveraging partnerships to enhance their reach and capabilities.
Defending against politically motivated ransomware groups like Stormous requires a multi-layered security strategy that addresses both technical vulnerabilities and human factors. Security professionals should implement the following measures:
Robust Backup and Recovery: Maintain regular backups of critical data using the 3-2-1 rule (three copies, two different media, one offsite). Ensure backups are immutable or air-gapped and test recovery procedures frequently.
Patch Management: Implement a rigorous patch management program to promptly address vulnerabilities in operating systems, applications, firmware, and particularly public-facing services (VPNs, RDP, web servers, file transfer solutions).
Strong Access Control:
Enforce the principle of least privilege.
Use strong, unique passwords for all accounts.
Implement Multi-Factor Authentication (MFA) wherever possible, especially for remote access, administrative accounts, and critical systems.
Network Security:
Segment networks to limit lateral movement. Isolate critical assets and systems.
Filter network traffic and block known malicious IP addresses and domains associated with ransomware C2 servers or DLS.
Secure Remote Desktop Protocol (RDP) by disabling it if unused, placing it behind a VPN with MFA, and monitoring logs for unusual activity.
Email and Web Security: Deploy advanced email security solutions to detect and block phishing emails. Use web filtering to block access to malicious websites.
Endpoint Security: Utilize modern Endpoint Detection and Response (EDR) solutions capable of detecting and responding to ransomware behaviors, not just signature-based threats. Configure anti-ransomware features and monitor endpoint activity closely.
User Awareness Training: Educate employees about phishing threats, social engineering tactics, and safe browsing habits. Train them to recognize suspicious emails, links, and attachments and report them immediately.
Incident Response Plan: Develop and maintain a comprehensive incident response plan specifically for ransomware attacks. This plan should outline steps for containment, eradication, recovery, and communication. Conduct regular drills and tabletop exercises.
Threat Intelligence: Subscribe to threat intelligence feeds to stay updated on Stormous TTPs, Indicators of Compromise (IOCs), targeted vulnerabilities, and evolving motivations. Monitor dark web forums and leak sites for mentions of your organization or data.
Secure Web Applications: Given the potential use of tools like GhostPresser by partners, ensure web applications are securely configured, regularly scanned for vulnerabilities, and protected by Web Application Firewalls (WAFs). Ensure DDoS protection is in place as well.
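The RDP guidance above (disable RDP or gate it behind a VPN with MFA, and monitor logs for unusual activity) pairs naturally with the brute-force and stolen-credential access vectors described earlier. The following is an added example (not from the article) that analyses constructed Windows Security log records: event IDs 4625/4624 and LogonType 10 are real Windows values, while the record layout, addresses and the VPN client range are assumptions.

```python
"""RDP credential-attack detection over Windows Security log records, for the
RDP guidance above (disable RDP or gate it behind VPN plus MFA, monitor logs) and
the brute-force and stolen-credential access the article attributes to these
operators. Added example; event IDs 4625/4624 and LogonType 10 are real Windows
values, while the record layout and VPN address pool are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress

VPN_POOL = ipaddress.ip_network("10.200.0.0/16")  # assumed VPN client range
FAIL_THRESHOLD = 10       # failed logons from one source within WINDOW_SECONDS
WINDOW_SECONDS = 300
RDP_LOGON_TYPE = 10       # RemoteInteractive

# Assumed record layout: (ISO timestamp, event id, account, source ip, logon type).
SAMPLE_RECORDS = [  # constructed sample data
    # twelve failures in twelve seconds, cycling three accounts, then a success
    *[(f"2024-03-05T23:40:{i:02d}", 4625, f"user{i % 3}", "203.0.113.45", 10)
      for i in range(12)],
    ("2024-03-05T23:41:30", 4624, "user1", "203.0.113.45", 10),
    # a clean success, but straight from the internet rather than the VPN pool
    ("2024-03-05T23:50:00", 4624, "svc_backup", "198.51.100.7", 10),
    # legitimate VPN user: one typo, then success
    ("2024-03-06T07:59:55", 4625, "jdoe", "10.200.4.21", 10),
    ("2024-03-06T08:00:00", 4624, "jdoe", "10.200.4.21", 10),
    # interactive console logon (type 2) is out of scope for this rule
    ("2024-03-06T08:05:00", 4624, "admin", "198.51.100.7", 2),
]

@dataclass(frozen=True)
class Finding:
    source_ip: str
    kind: str
    detail: str

def analyse(records):
    """Return one finding per (source, kind): RDP success preceded by a burst of
    failures, and RDP success from an address outside the VPN pool."""
    failures = defaultdict(list)  # source ip -> timestamps of 4625 events
    findings, seen = [], set()

    def emit(src, kind, detail):
        if (src, kind) not in seen:
            seen.add((src, kind))
            findings.append(Finding(src, kind, detail))

    for ts, event_id, account, src, logon_type in sorted(records):
        if logon_type != RDP_LOGON_TYPE:
            continue
        when = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[src].append(when)
        elif event_id == 4624:
            recent = [t for t in failures[src]
                      if 0 <= (when - t).total_seconds() <= WINDOW_SECONDS]
            if len(recent) >= FAIL_THRESHOLD:
                emit(src, "brute-force-success",
                     f"{len(recent)} failed RDP logons then success as {account}")
            if ipaddress.ip_address(src) not in VPN_POOL:
                emit(src, "rdp-outside-vpn", f"RDP logon as {account} bypassed the VPN")
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_RECORDS):
        print(f"[{f.kind}] {f.source_ip}: {f.detail}")
```

A type-10 success from outside the VPN pool is itself a policy violation here, regardless of whether a failure burst preceded it, which is why the two findings are emitted independently.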
By implementing these comprehensive defenses, organizations can significantly reduce their risk exposure to Stormous and similar ransomware threats.
Based on observed activities and common ransomware practices, here are potential Tactics, Techniques, and Procedures (TTPs) associated with Stormous and its operations, aligned with the MITRE ATT&CK® framework:
| Tactic | Technique ID | Technique Name | Notes |
|---|---|---|---|
| Reconnaissance | T1592 | Gather Victim Host Information | Used extensively before and during intrusions. |
| | T1595 | Active Scanning | Implied for vulnerability discovery. |
| | T1589 | Gather Victim Identity Information | Targeting individuals via spear-phishing, tracking. |
| Resource Development | T1587.001 | Develop Capabilities: Malware | Extensive use of custom malware (DEADEYE, LOWKEY, WyrmSpy, DragonEgg). |
| | T1588.002 | Obtain Capabilities: Tool | Acquiring and customizing tools like Cobalt Strike. |
| | T1584.001 | Compromise Infrastructure: Domains | Registering domains (e.g., umisen.com) for C2. |
| | T1586.002 | Compromise Accounts: Email Accounts | For spear-phishing campaigns. |
| Initial Access | T1566 | Phishing | General: Spear-phishing with malicious attachments/links.<br>Ransomware: Common vector for ransomware delivery. |
| | T1190 | Exploit Public-Facing Application | General: Exploiting vulnerabilities (e.g., CVE-2019-3396, SQL Injection, Log4j).<br>Ransomware: Targeting vulnerabilities in web servers, VPNs, etc. |
| | T1195.002 | Compromise Software Supply Chain | Injecting malicious code into legitimate software updates/installers. |
| | T1078 | Valid Accounts | Ransomware: Using compromised credentials for initial access. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Common LotL technique. |
| | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Standard execution method. |
| | | Command and Scripting Interpreter (Various) | Ransomware: Executing ransomware payload (e.g., PowerShell, Shell). |
| | T1204.002 | User Execution: Malicious File | General: Via phishing attachments.<br>Ransomware: User runs malicious attachment/download. |
| | T1053.005 | Scheduled Task/Job: Scheduled Task | General: Common persistence mechanism.<br>Ransomware: Another common persistence technique. |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys | General: Standard persistence method.<br>Ransomware: Common method for ransomware persistence. |
| | T1543.003 | Create or Modify System Process: Windows Service | For persistent backdoors. |
| | T1542.003 | Pre-OS Boot: Bootkit | Use of bootkits for stealthy persistence. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Targeting vulnerable software or configurations. |
| | T1134 | Access Token Manipulation | Common technique post-compromise. |
| Defense Evasion | T1027 | Obfuscated Files or Information | General: Obfuscating payloads and C2 traffic (e.g., chunking Cobalt Strike, modified TLS).<br>Ransomware: Hiding malicious code. |
| | T1562.001 | Impair Defenses: Disable or Modify Tools | General: Disabling security software (e.g., WyrmSpy disabling SELinux).<br>Ransomware: Attempting to disable security software. |
| | T1553.002 | Subvert Trust Controls: Code Signing | Using stolen/forged digital certificates to sign malware. |
| | T1036 | Masquerading | Android malware disguising as legitimate apps; potentially renaming tools/services. |
| | T1070.004 | Indicator Removal on Host: File Deletion | Removing tools/logs post-execution. |
| | T1480.001 | Execution Guardrails: Environmental Keying | Ransomware: Checking environment before execution (less common but possible). |
| Credential Access | T1003 | OS Credential Dumping | Standard technique for privilege escalation and lateral movement. |
| Discovery | T1082 | System Information Discovery | General: Gathering host details.<br>Ransomware: Gathering info about the compromised system. |
| | T1016 | System Network Configuration Discovery | Mapping internal network. |
| | T1083 | File and Directory Discovery | General: Searching for valuable data.<br>Ransomware: Identifying files to encrypt. |
| | T1057 | Process Discovery | Identifying running processes, security tools. |
| | T1049 | System Network Connections Discovery | Understanding network communications. |
| | T1135 | Network Share Discovery | Ransomware: Finding network shares for encryption/lateral movement. |
| Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol | Common method if credentials are obtained. |
| | T1021.002 | Remote Services: SMB/Windows Admin Shares | General: Standard lateral movement in Windows environments.<br>Ransomware: Spreading ransomware across the network. |
| | T1570 | Lateral Tool Transfer | Moving tools like Cobalt Strike across the network. |
| Collection | T1005 | Data from Local System | Collecting files from compromised hosts. |
| | T1113 | Screen Capture | Possible capability of backdoors/surveillanceware. |
| | T1114 | Email Collection | If mail servers/clients are compromised. |
| | T1123 | Audio Capture | Capability of WyrmSpy/DragonEgg. |
| | T1125 | Video Capture | Capability of WyrmSpy/DragonEgg (camera photos). |
| | T1119 | Automated Collection | Ransomware: Gathering specific file types for exfiltration. |
| | T1560 | Archive Collected Data | Ransomware: Compressing data before exfiltration. |
| Command & Control | T1071.001 | Application Layer Protocol: Web Protocols (HTTP/S) | Common C2 channel, often using modified TLS. |
| | | Application Layer Protocol (Various) | Ransomware: Communicating with C2 servers (e.g., HTTPS, custom protocols). |
| | T1105 | Ingress Tool Transfer | General: Downloading additional tools/modules (Cobalt Strike, WyrmSpy/DragonEgg modules).<br>Ransomware: Downloading additional tools or ransomware modules. |
| | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Use of TLS/SSL for C2. |
| | T1090.002 | Proxy: External Proxy | Potentially using compromised systems or infrastructure as proxies. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | General: Common method for extracting stolen data.<br>Ransomware: Sending stolen data back to attacker infrastructure. |
| | T1048 | Exfiltration Over Alternative Protocol | Potentially using non-standard protocols if needed. |
| | T1567 | Exfiltration Over Web Service | Ransomware: Uploading stolen data to cloud storage or DLS. |
| Impact | T1486 | Data Encrypted for Impact | General: Ransomware deployment (though sometimes limited/experimental).<br>Ransomware: Core ransomware function: encrypting files. |
| | T1490 | Inhibit System Recovery | General: Deleting shadow copies (common ransomware TTP).<br>Ransomware: Deleting shadow copies or backups to prevent recovery. |
| | T1565.001 | Data Manipulation: Stored Data Manipulation | Manipulation of virtual currency in games. |
| | T1485 | Data Destruction | Ransomware: Though rare for ransomware (usually encryption), could be used for purely political disruption. |
Stormous Ransomware represents a notable threat actor operating at the intersection of cybercrime and hacktivism. Initially met with skepticism, the group evolved, forming key alliances, particularly with GhostSec, and participating in widespread double extortion campaigns facilitated by their STMX_GhostLocker RaaS platform. Their targeting is broad, spanning multiple sectors and dozens of countries, driven by a combination of financial opportunism and stated political motivations. The disruption caused by attacks like the one on Duvel Moortgat underscores their potential impact. Defending against Stormous requires robust security hygiene, including regular backups, timely patching, strong access controls, network segmentation, advanced endpoint protection, and continuous vigilance informed by threat intelligence.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.