Category: Adversary Intelligence | Industry: Multiple | Region: India | Source*: E2
Executive Summary
- CloudSEK’s Threat Intelligence team has identified Stormous ransomware campaigns targeting multiple organizations globally. The threat group is financially motivated and their latest chain of attacks has been directed at Indian entities as well.
- CloudSEK’s Stormous ransomware attribution report, published earlier, identifies Stormous ransomware as an Arabic group that operates on Telegram and on their Onion site.
- The leaked data allows threat actors to gain unauthorized access to personal, proprietary, and Intellectual Property (IP) data.
[Figure: Threat actor’s post on the Telegram channel]
Analysis and Attribution
Information from Stormous Website and Telegram Channel
- CloudSEK researchers have observed that the Stormous ransomware group is usually interested in the source code and sensitive documents of their targets.
- Since 11 April 2022, Stormous ransomware group has been actively targeting Indian entities. Some of their recent victims include:
Date | Affected Entity | Industry | Data Breach Details
11 April 2022 | Delhi Heights School | Education | Breached data includes sensitive files and data posted on their onion site.
11 April 2022 | Success Neeti | Service | 89 GB of data including financial data, employee data, organizational data, files, and documents.
15 April 2022 | Fycis Software for Nidhi Banking | IT and Software | Breached data includes database and source code.
15 April 2022 | Astus | IT and Software | Breached data includes database and source code.
17 April 2022 | First Floppy | Rental | Breached data contains source code.
17 April 2022 | Hugel Infra | Telecommunication | Breached data contains source code.
- Additionally, the Stormous ransomware group has released a list of Indian domains that could be their potential targets.
How Stormous Group Selects Victims
- The threat group conducts routine polls on their Telegram channel for subscribers, speculating on who their next target should be.
- Based on their latest poll, the group announced that First Floppy is their next victim. First Floppy is a rental goods and services company based in Delhi.
- They also claim to have compromised the source code and data of First Floppy.
- The operators have shared the data on their website.
Indian Entities Targeted by Stormous Group
- The group has targeted several Indian organizations in the past including:
Date | Company Name | Location | Breach Details
10 Jan 2022 | IDFC First Bank | India | Sensitive customer information such as passports and bank statements affected.
16 Nov 2021 | CCI (Cement Corporation of India) Limited | India | NA
31 Jan 2022 | Godrej | India | The group claimed that they breached seven regions of the company and demanded a ransom of USD 700,000.
Stormous Group’s Upcoming Targets
- At the time of writing this report, CloudSEK researchers discovered that the threat group is plotting to attack five more organizations and has hosted a poll for its subscribers to vote on and choose the next target. So far, 46 subscribers have participated in this latest poll.
[Figure: Stormous ransomware group’s latest poll on the Telegram channel]
The Threat Actor
- CloudSEK researchers have noticed that the organizations the Stormous group claims to have compromised have been targeted by other groups in the past. Hence, the reliability of their claims cannot be verified.
- Stormous ransomware group’s Telegram channel has been tagged as ‘Scam’ and their Onion website is also down at the moment. Therefore, our researchers have not been able to gain access to samples that can substantiate their claims.
Source Rating
- The group has shared various databases and accesses in the past. However, the Stormous ransomware group is unreliable. Hence:
- The reliability of the group can be rated Unreliable (E).
- The credibility of the advertisement can be rated Probably true (2).
- This gives an overall source credibility of E2.
Indicators of Compromise
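The report publishes its indicators in defanged form (domains with `(.)`, IPs and URLs with `[.]` and `hxxp://`, some annotated with a note such as "No malicious records"), and a defender has to normalize them before they can be matched against logs. The following added example (not CloudSEK’s code) parses constructed indicators written in those styles, rejects malformed rows such as an impossible CIDR prefix length, and checks a destination host or IP against the result; all indicator and IP values below are constructed, and the `dst` field is a hypothetical log column.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed samples in the report's two defanging styles ("(.)" in the domain list;
# "hxxp://" and "[.]" in the IoC table), not the report's real indicators. The last
# entry deliberately carries an invalid IPv4 prefix length to show how bad rows surface.
SAMPLE_INDICATORS = [
    "http://example-victim(.)in/indexSTM(.)html",
    "hxxp://203[.]0[.]113[.]10",
    "198[.]51[.]100[.]7 (No malicious records)",
    "192[.]0[.]2[.]0/24",
    "192[.]0[.]2[.]0/44",
]

def refang(value):
    """Drop trailing notes like '(No malicious records)' and undo hxxp/[.]/(.) defanging."""
    value = value.split(" (", 1)[0].strip()
    if value.startswith("hxxp"):
        value = "http" + value[4:]
    return value.replace("[.]", ".").replace("(.)", ".")

def parse_indicators(raw):
    """Return (hostnames, ip networks, rejected entries); single IPs become /32 networks."""
    hosts, networks, rejected = set(), [], []
    for item in raw:
        clean = refang(item)
        target = urlsplit(clean).hostname if "://" in clean else clean  # URLs: host only
        try:
            networks.append(ipaddress.ip_network(target, strict=False))
        except ValueError:
            if target and re.fullmatch(r"[A-Za-z0-9.-]+", target):
                hosts.add(target.lower())
            else:
                rejected.append(item)  # malformed rows are reported, not silently dropped
    return hosts, networks, rejected

def is_listed(dst, hosts, networks):
    """True if a destination (hostname or IP, e.g. from a firewall or proxy log) is on the list."""
    dst = dst.lower()
    try:
        return any(ipaddress.ip_address(dst) in net for net in networks)
    except ValueError:  # not an IP address, so compare as a hostname
        return dst in hosts
```

Rejected rows are returned rather than dropped so that a typo in a published indicator list is noticed instead of silently shrinking the blocklist.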
Impact & Mitigation
Impact
- The published source codes could allow access to victims’ networks.
- If the data leaks expose Personally Identifiable Information (PII), it could enable threat actors to orchestrate social engineering schemes, phishing attacks, and identity theft.
- Exposed IP addresses and login credentials can lead to potential account takeovers.
- The exposed confidential details could reveal business practices and intellectual property.
- Since password reuse is a common practice, actors could leverage exposed credentials to access other accounts of users.
Mitigation
- Reset compromised user login credentials and implement a strong password policy for all user accounts.
- Check for possible workarounds and patches for services whose ports must remain open.
- Patch all vulnerable and exploitable endpoints.
- Monitor for anomalies in user accounts and systems that could be indicators of possible takeovers.
- Use MFA (multi-factor authentication) across logins.
Appendix
[Figure: Threat actor’s post on Telegram channel advertising multiple login accesses]
[Figure: Poll hosted by the Stormous ransomware group]