The Stormous Extortion Group Strikes Back

KELA Cyber Intelligence Center

The Stormous group has been allegedly operating as a ransomware gang since 2021. The group’s data leak site, which had been inaccessible for a long time, got back online in July!

New pages added to Stormous Site

  • A main page, listing the gang’s recent victims
  • A “Shop” section. Currently, only several companies are listed, accompanied by the following description:
    “We give the right to sell the data of these two companies. We downloaded from their servers again another volume of important data”
  • A “Job Application” page, listing an open position whose requirements are as described: “individuals with expertise in various fields to enhance our capabilities in extortion and hacking”. Amongst the required skills are programming ransomware, phishing, and social engineering.
  • A “Contact” page with the group’s known TOX ID

Who are Stormous?

The Stormous group has been operating as an alleged ransomware gang since 2021, originally publicizing attacks and communicating with its followers through Telegram channels, then additionally via its Tor-based site. The Arabic-speaking group has claimed to have compromised a large number of victims, in many cases purportedly using ransomware, but has often failed to share proof of its intrusions. When data allegedly stolen from a victim was shared, often it was publicly available information, which raised questions regarding the group’s legitimacy and hacking abilities.

Stormous has officially sided with Russia in the country’s current conflict with Ukraine; this
choice may reflect the members’ political views but may also be influenced by a desire to
attract attention and to get involved in a highly mediatized conflict, thus attracting followers
who share similar views.

In July 2022, the group significantly decreased its public activities and claimed to have attacked only several victims later that year. So far, in 2023, the group has claimed more than 35 victims on their site and Telegram channel, where they have also demanded ransoms from some of their victims.

Partnership with GhostSec

Interestingly, the new extortion blog coincides with a recent partnership between Stormous and GhostSec, as announced on July 13, 2023, on GhostSec’s Telegram channel, where they officially declared their collaboration to target organizations in Cuba. Around the same time, three Cuban government ministries were listed on Stormous’ Telegram channel and extortion site, with posts signed by both Stormous and GhostSec. Additionally, GhostSec expressed the potential for future joint operations against other countries.


stormous extortion group


Useful Information

While Stormous presents itself as a ransomware operation and few mentions of malware
samples have emerged, it is still largely unclear whether Stormous actually uses ransomware, or even attacks most of its claimed victims. In several instances the group claimed it would
publish proofs of its successful attacks, but no such evidence was shared. KELA’s review of data allegedly stolen and shared by the group showed that the evidence provided were fake
since at least some of the information was available in dark web forums or in open-source
resources, which casts a doubt on the group’s claims and its supposed intrusions.

Therefore, each new attack of the group should be carefully investigated to assess its legitimacy.

stormous ransomware on KELA cyber threat intelligence platform

Stormous’ data leak site as shown on KELA’s Cyber Threat Intelligence platform

Stay Informed

For more Cyber Threat Intelligence updates visit our Research Center

Be the first to know about newly emerged threats! Try KELA’s Cyber Intelligence Platform for free