ZeroFox intelligence researchers have observed a significant increase in claims made by Stormous alleging successful ransomware deployments against victims since the start of 2022. The group’s claims typically implicate victims of previous ransomware attacks where the victim’s data has been leaked. This sort of activity is known as a scavenger operation, though as of February 18, 2022, ZeroFox has been unable to verify any of the claims made by Stormous. Stormous operators are most likely to be financially—rather than politically—motivated and seeking to raise the group’s profile as quickly as possible. Ransomware has become one of the main drivers of data breaches, with extorted data from victims that fail to pay ransom demands offered for sale via underground markets.
ZeroFox intelligence researchers have observed a significant increase in claims made by Stormous alleging successful ransomware deployments against victims since the start of 2022. Notably, operators have typically alleged successful ransomware deployments against victims that have had their data leaked on dark web marketplaces. ZeroFox has identified claims made by Stormous as early as July 2021; however, none of Stormous’ intrusion claims have been verified to date. There is no indication that Stormous operators are working in direct collaboration with other ransomware groups. Although the manufacturing sector has been most frequently targeted by the group, organizations of all sizes and sectors are featured on the group’s hitlist, including one of India’s largest business conglomerates and a Japanese video game manufacturer. Indiscriminate targeting is likely indicative of a financially—rather than politically—motivated operation that is attempting to raise its profile as quickly as possible and achieve a quick payday. Stormous ransomware notes are written in Arabic.
The emergence of potential scavenger operations like this underpins ZeroFox’s assessment that attacks beget further attacks. Owing to the near-ubiquitous use of double extortion tactics, ransomware is one of the main drivers of data breaches, with extorted data from victims that fail to pay ransom demands offered for sale via underground markets. As these markets become increasingly professionalized, initial data breaches are likely to be leveraged for subsequent extortion attempts. Security measures must be implemented not only to prevent initial intrusion but also to ensure effective post-intrusion cleanup in order to mitigate the risk of subsequent compromise.
- Back up critical data regularly, including password-protected backup copies kept offline.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., a hard drive, storage device, or the cloud).
- Ensure proper network segmentation.
- Patch disclosed vulnerabilities with updated software versions as quickly as practical.
- Disable PowerShell wherever possible to limit the possibility of operators employing lateral movement modules.
- Never download email attachments from unknown senders or click links from untrusted sources. Provide user training programs to fight against phishing or social engineering attacks used to obtain critical information that can lead to system compromise.
- Enable multi-factor authentication wherever possible.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Leverage threat intelligence services and maintain situational awareness of Tactics, Techniques, and Procedures related to ransomware groups.
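The list above recommends monitoring remote access/RDP logs but does not say what to look for. The following is an added example (not ZeroFox tooling and not tied to Stormous activity) showing one way to do that: it scans Windows Security log events for RDP sessions (logon type 10) and flags a successful logon that follows a burst of failures from the same source, or that originates from a host not on an allowlist of expected RDP sources. The event records, the allowlist address and the field names are constructed for illustration; in practice they would come from an export of the Security log.

```python
"""Flag suspicious RDP logon activity in Windows Security log events.

Added example, not part of the original brief. It assumes Security log
events have already been exported as dicts with the fields used below;
the allowlist and the sample events are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs and the logon type used for RDP sessions.
EVENT_LOGON_SUCCESS = 4624
EVENT_LOGON_FAILURE = 4625
LOGON_TYPE_REMOTE_INTERACTIVE = 10  # RDP / RemoteInteractive

# Constructed allowlist: the only hosts expected to open RDP sessions
# (assumed value standing in for a jump host or bastion).
EXPECTED_RDP_SOURCES = {"10.0.5.10"}


def parse_ts(value):
    """Parse the ISO 8601 timestamp stored in TimeCreated."""
    return datetime.fromisoformat(value)


def detect_rdp_anomalies(events, failure_threshold=5,
                         window=timedelta(minutes=10),
                         allowlist=EXPECTED_RDP_SOURCES):
    """Return alert dicts for two conditions on RDP (type 10) logons:

    - "unexpected_rdp_source": a successful logon from a source IP that is
      not on the allowlist of expected RDP origins
    - "failures_then_success": a successful logon preceded, within `window`,
      by at least `failure_threshold` failed logons from the same source
    """
    rdp = [e for e in events if e["LogonType"] == LOGON_TYPE_REMOTE_INTERACTIVE]
    rdp.sort(key=lambda e: parse_ts(e["TimeCreated"]))
    failures = defaultdict(list)  # source IP -> timestamps of failed logons
    alerts = []
    for e in rdp:
        ip, ts = e["IpAddress"], parse_ts(e["TimeCreated"])
        if e["EventID"] == EVENT_LOGON_FAILURE:
            failures[ip].append(ts)
            continue
        if e["EventID"] != EVENT_LOGON_SUCCESS:
            continue
        if ip not in allowlist:
            alerts.append({"type": "unexpected_rdp_source", "ip": ip,
                           "user": e["TargetUserName"], "time": e["TimeCreated"]})
        recent = [t for t in failures[ip] if ts - window <= t <= ts]
        if len(recent) >= failure_threshold:
            alerts.append({"type": "failures_then_success", "ip": ip,
                           "user": e["TargetUserName"], "failures": len(recent),
                           "time": e["TimeCreated"]})
    return alerts


def _ev(event_id, logon_type, ip, user, time):
    return {"EventID": event_id, "LogonType": logon_type, "IpAddress": ip,
            "TargetUserName": user, "TimeCreated": time}


# Constructed sample events: one expected RDP session from the jump host,
# a console logon (type 2, ignored), a short failure run with no success,
# and six failures followed by a success from an unexpected address.
SAMPLE_EVENTS = [
    _ev(4624, 10, "10.0.5.10", "admin", "2022-02-18T09:00:00"),
    _ev(4624, 2, "192.168.1.20", "jsmith", "2022-02-18T09:01:00"),
    _ev(4625, 10, "198.51.100.4", "jdoe", "2022-02-18T09:02:00"),
    _ev(4625, 10, "198.51.100.4", "jdoe", "2022-02-18T09:02:30"),
] + [
    _ev(4625, 10, "203.0.113.7", "svc_backup", f"2022-02-18T09:05:{s:02d}")
    for s in range(0, 60, 10)
] + [
    _ev(4624, 10, "203.0.113.7", "svc_backup", "2022-02-18T09:06:10"),
]

if __name__ == "__main__":
    for alert in detect_rdp_anomalies(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the script raises two alerts for 203.0.113.7 (an unexpected source, and six failures followed by a success) and nothing for the jump host, the console logon, or the two failures that never led to a session. The thresholds are deliberately loose; tune the window and failure count to the normal noise on the hosts being monitored.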
Please note that this information is current as of the intelligence collection conclusion at 10:00 AM EST on February 18, 2022.