| Category: Adversary Intelligence | Industry: Multiple | Region: India | Source*: E2 |
|---|
Executive Summary
- CloudSEK’s Threat Intelligence team has identified Stormous ransomware campaigns targeting multiple organizations globally. The threat group is financially motivated and their latest chain of attacks has been directed at Indian entities as well.
- CloudSEK’s Stormous ransomware attribution report that was published earlier, identifies Stormous ransomware as an Arabic group that operates on Telegram and on their Onion site.
- The leaked data allows threat actors to gain unauthorized access to personal, proprietary, and Intellectual Property (IP) data.
Analysis and Attribution
Information from Storumus Website and Telegram Channel
- CloudSEK researchers have observed that the Stormous ransomware group is usually interested in the source code and sensitive documents of their targets.
- Since 11 April 2022, Stormous ransomware group has been actively targeting Indian entities. Some of their recent victims include:
| Date | Affected Entity | Industry | Data Breach Details |
|---|---|---|---|
| 11 April 2022 | Delhi Heights School | Education | Breached data includes sensitive files and data posted on their onion site. |
| 11 April 2022 | Success Neeti | Service | 89 GB of data including financial data, employee data, organizational data, files, and documents. |
| 15 April 2022 | Fycis Software for Nidhi Banking | IT and Software | Breached data includes database and source code. |
| 15 April 2022 | Astus | IT and Software | Breached data includes database and source code. |
| 17 April 2022 | First Floppy | Rental | Breached data contains source code. |
| 17 April 2022 | Hugel Infra | Telecommunication | Breached data contains source code. |
- Additionally, Stormous ransomware group has released a list of Indian domains that could be their potential targets:
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
How Stormus Group Selects Victims
- The threat group conducts routine polls on their Telegram channel for subscribers, speculating on who their next target should be.
- Based on their latest poll, the group announced that First Floppy is their next victim. First Floppy is a rental goods and services company based in Delhi.
- They also claim to have compromised the source code and data of First Floppy.
- The operators have shared the data on their website.
Indian Entities Targeted by Stormous Group
- The group has targeted several Indian organizations in the past including:
| Date | Company Name | Location | Breach Details |
|---|---|---|---|
| 10 Jan 2022 | IDFC First Bank | India | Sensitive customer information such as passports and bank statements affected. |
| 16 Nov 2021 | CCI (Cement Corporation of India) Limited | India | NA |
| 31 Jan 2022 | Godrej | India | The group claimed that they breached seven regions of the company and demanded a ransom of USD 700,000. |
Strormous Group’s Upcoming Targets
- At the time of writing this report, CloudSEK researchers discovered that the threat group is plotting to attack five more organizations, and has hosted a poll for their subscribers, to vote and choose their next target. And 46 subscribers have participated in this latest poll so far.
The Threat Actor
- CloudSEK researchers have noticed that the organizations that the Stormous group claims to have compromised, have been targeted by other groups in the past. Hence, the reliability of their claims cannot be verified.
- Stormous ransomware group’s Telegram channel has been tagged as ‘Scam’ and their Onion website is also down at the moment. Therefore, our researchers have not been able to gain access to samples that can substantiate their claims.
Source Rating
- The group has shared various databases and accesses in the past. However, the Stormous ransomware group is unreliable.
- The reliability of the group can be rated Unreliable (E).
- The credibility of the advertisement can be rated Probably true (2).
- Giving overall source credibility of E2.
Indicators of Compromise
| MD5 | |
|---|---|
| dd3f51f042c2a6aedc02866e96c08f04 | 9b63bfe7993f4b65c868b05d7f536506 |
| a6702587d940588f3fddc6d3143a1781 | 9589cebb076a8eb0a984c5f53c1bb729 |
| d9114965fe3c2b3b15f7c0872dd4cdd0 | 58db3daacef0eb37bd486fa23dbd67ac |
| 72cfd996957bde06a02b0adb2d66d8aa9c25bf37 | e8b55d9aeff124df4008b0d372bf2f2d3e5e5ae7 |
| 9c622b39521183dd71ed2a174031ca159beb6479 | a90921c182cb90807102ef402719ee8060910345 |
| b3098f99db1f80e27aec0c9a5a625aedaab5899a | 78d28072fdabf0b5aac5e8f337dc768d07b63e1e |
| 7FBB5A2E46FACD3EE0C945F324414210C2199FFB | DAE7FAA1725DB8192AD711D759B13F8195A18821 |
| DEF0A554F19134A5DB3D2AE949F9500CE3DD2CE | 3814eec8c45fc4313a9c7f65ce882a7899cf0405 |
| 14BEEB0FC5C8C887D0435009730B6370BF94BC93 | B49FAD3E5E6787E96373AC37ED58083F7572D72A |
| 55318328511961EC339DFDDCA0443068DCCE9CD2 | 5A452E7248A8D3745EF53CF2B1F3D7D8479546B9 |
| E338A57C35A4732BBB5F738E2387C1671A002BCB | |
| IPv4 | |
|---|---|
| 66[.]96[.]141[.]50 | 178[.]62[.]193[.]125 |
| 69[.]172[.]201[.]208 | 69[.]195[.]129[.]72 |
| 193[.]143[.]0[.]0/44 | 98[.]136[.]48[.]105 (No malicious records) |
| 98[.]136[.]48[.]113 (No malicious records) | 98[.]136[.]48[.]115 (No malicious records) |
| 98[.]136[.]48[.]81 (No malicious records) | 98[.]136[.]48[.]102 (No malicious records) |
| 98[.]136[.]48[.]77 (No malicious records) | |
| Domains | |
| hxxp://200[.]106[.]145[.]122 | hxxp://70[.]85[.]221[.]20 |
| hxxp://200[.]74[.]244[.]118 | hxxp://70[.]85[.]221[.]10 |
Impact & Mitigation
| Impact | Mitigation |
|---|---|
|
|
References
- *https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability
- #https://en.wikipedia.org/wiki/Traffic_Light_Protocol
Appendix
