Stormous Ransomware Group Runs Opinion Polls, Leaks Intellectual Property of Indian Companies

Summary

CloudSEK team has identified Stormous ransomware campaigns targeting multiple organizations globally. The threat group is financially motivated and their latest chain of attacks has been directed at Indian entities as well.
 
Category: Adversary Intelligence Industry: Multiple Region: India Source*: E2

Executive Summary

  • CloudSEK’s Threat Intelligence team has identified Stormous ransomware campaigns targeting multiple organizations globally. The threat group is financially motivated and their latest chain of attacks has been directed at Indian entities as well.
  • CloudSEK’s Stormous ransomware attribution report that was published earlier, identifies Stormous ransomware as an Arabic group that operates on Telegram and on their Onion site.
  • The leaked data allows threat actors to gain unauthorized access to personal, proprietary, and Intellectual Property (IP) data.
Threat actor’s post on the Telegram channel
Threat actor’s post on the Telegram channel
 

Analysis and Attribution

Information from Storumus Website and Telegram Channel

  • CloudSEK researchers have observed that the Stormous ransomware group is usually interested in the source code and sensitive documents of their targets.
  • Since 11 April 2022, Stormous ransomware group has been actively targeting Indian entities. Some of their recent victims include:
Date Affected Entity Industry Data Breach Details
11 April 2022 Delhi Heights School Education Breached data includes sensitive files and data posted on their onion site.
11 April 2022 Success Neeti Service 89 GB of data including financial data, employee data, organizational data, files, and documents.
15 April 2022 Fycis Software for Nidhi Banking IT and Software Breached data includes database and source code.
15 April 2022 Astus IT and Software Breached data includes database and source code.
17 April 2022 First Floppy Rental Breached data contains source code.
17 April 2022 Hugel Infra Telecommunication Breached data contains source code.
  • Additionally, Stormous ransomware group has released a list of Indian domains that could be their potential targets:
    • http://jwfhr(.)com/indexSTM(.)html
    • http://rsmps(.)in/indexSTM(.)html
    • http://helpme(.)net(.)in/indexSTM(.)html
    • http://universalkids(.)co(.)in/indexSTM(.)html
    • http://allahabadnidhi(.)in/indexSTM(.)html
    • http://sgpsdelhi(.)com/indexSTM(.)html
    • http://daskumars(.)com/indexSTM(.)html
    • http://indiacounty(.)com/indexSTM(.)html
    • http://acms(.)manokamnaa(.)in/indexSTM(.)html
    • http://vnpsnanakpura(.)in/indexSTM(.)html
    • http://mapleapple(.)in/indexSTM(.)html
    • http://sigssitamarhi(.)com/indexSTM(.)html
    • https://svmfoundation(.)in/indexSTM(.)html
    • http://gvips(.)co(.)in/indexSTM(.)html
    • http://bbsitm(.)in/indexSTM(.)html
    • http://macnnareladelhi(.)com/indexSTM(.)html
    • http://besthost(.)co(.)in/indexSTM(.)html
    • http://prgmotors(.)com/indexSTM(.)html
    • http://krystalpay(.)com/indexSTM(.)html
    • http://umakantjha(.)com/indexSTM(.)html
    • http://avikalpa(.)in/indexSTM(.)html
    • http://rebssports(.)com/indexSTM(.)html
    • http://punchassociates(.)in/indexSTM(.)html

How Stormus Group Selects Victims

  • The threat group conducts routine polls on their Telegram channel for subscribers, speculating on who their next target should be.
  • Based on their latest poll, the group announced that First Floppy is their next victim. First Floppy is a rental goods and services company based in Delhi.
  • They also claim to have compromised the source code and data of First Floppy.
  • The operators have shared the data on their website.

Indian Entities Targeted by Stormous Group

  • The group has targeted several Indian organizations in the past including:
Date Company Name Location Breach Details
10 Jan 2022 IDFC First Bank India Sensitive customer information such as passports and bank statements affected.
16 Nov 2021 CCI (Cement Corporation of India) Limited India NA
31 Jan 2022 Godrej India The group claimed that they breached seven regions of the company and demanded a ransom of USD 700,000.

Strormous Group’s Upcoming Targets

  • At the time of writing this report, CloudSEK researchers discovered that the threat group is plotting to attack five more organizations, and has hosted a poll for their subscribers, to vote and choose their next target. And 46 subscribers have participated in this latest poll so far.
Stormous ransomware group’s latest poll on the Telegram channel
Stormous ransomware group’s latest poll on the Telegram channel

The Threat Actor

  • CloudSEK researchers have noticed that the organizations that the Stormous group claims to have compromised, have been targeted by other groups in the past. Hence, the reliability of their claims cannot be verified.
  • Stormous ransomware group’s Telegram channel has been tagged as ‘Scam’ and their Onion website is also down at the moment. Therefore, our researchers have not been able to gain access to samples that can substantiate their claims.

Source Rating

  • The group has shared various databases and accesses in the past. However, the Stormous ransomware group is unreliable.
Hence,
  • The reliability of the group can be rated Unreliable (E).
  • The credibility of the advertisement can be rated Probably true (2).
  • Giving overall source credibility of E2.

Indicators of Compromise

MD5
dd3f51f042c2a6aedc02866e96c08f04 9b63bfe7993f4b65c868b05d7f536506
a6702587d940588f3fddc6d3143a1781 9589cebb076a8eb0a984c5f53c1bb729
d9114965fe3c2b3b15f7c0872dd4cdd0 58db3daacef0eb37bd486fa23dbd67ac
72cfd996957bde06a02b0adb2d66d8aa9c25bf37 e8b55d9aeff124df4008b0d372bf2f2d3e5e5ae7
9c622b39521183dd71ed2a174031ca159beb6479 a90921c182cb90807102ef402719ee8060910345
b3098f99db1f80e27aec0c9a5a625aedaab5899a 78d28072fdabf0b5aac5e8f337dc768d07b63e1e
7FBB5A2E46FACD3EE0C945F324414210C2199FFB DAE7FAA1725DB8192AD711D759B13F8195A18821
DEF0A554F19134A5DB3D2AE949F9500CE3DD2CE 3814eec8c45fc4313a9c7f65ce882a7899cf0405
14BEEB0FC5C8C887D0435009730B6370BF94BC93 B49FAD3E5E6787E96373AC37ED58083F7572D72A
55318328511961EC339DFDDCA0443068DCCE9CD2 5A452E7248A8D3745EF53CF2B1F3D7D8479546B9
E338A57C35A4732BBB5F738E2387C1671A002BCB
IPv4
66[.]96[.]141[.]50 178[.]62[.]193[.]125
69[.]172[.]201[.]208 69[.]195[.]129[.]72
193[.]143[.]0[.]0/44 98[.]136[.]48[.]105 (No malicious records)
98[.]136[.]48[.]113 (No malicious records) 98[.]136[.]48[.]115 (No malicious records)
98[.]136[.]48[.]81 (No malicious records) 98[.]136[.]48[.]102 (No malicious records)
98[.]136[.]48[.]77 (No malicious records)
Domains
hxxp://200[.]106[.]145[.]122 hxxp://70[.]85[.]221[.]20
hxxp://200[.]74[.]244[.]118 hxxp://70[.]85[.]221[.]10

Impact & Mitigation

Impact Mitigation
  • The published source codes could allow access to victims’ networks.
  • If the data leaks expose Personally Identifiable Information (PII), it could enable threat actors to orchestrate social engineering schemes, phishing attacks, and identity theft.
  • Exposed IP addresses and login credentials can lead to potential account takeovers.
  • The exposed confidential details could reveal business practices and intellectual property.
  • Since password reuse is a common practice, actors could leverage exposed credentials to access other accounts of users.
  • Reset compromised user login credentials and implement a strong password policy for all user accounts.
  • Check for possible workarounds and patches while keeping the ports open.
  • Patch all vulnerable and exploitable endpoints.
  • Monitor for anomalies, in user accounts and systems, that could be indicators of possible takeovers.
  • Use MFA (multi-factor authentication) across logins.

References

Appendix

Threat actor’s post on Telegram channel advertising multiple login accesses
Threat actor’s post on Telegram channel advertising multiple login accesses
 
Poll hosted by the Stormous ransomware group
Poll hosted by the Stormous ransomware group
     

Table of Contents

Request an easy and customized demo for free