Skip to main content

Operator dossier

Stormous is a ransomware operator currently active on public leak sites. Darkfield has indexed 245 public victims claimed by this operator between March 22, 2022 and July 1, 2026. Stormous is a relatively new ransomware group that emerged in March 2022, operating primarily with financial motivations and has claimed responsibility for attacks against at least 165 victims across multiple countries and sectors. The group's country of origin remains unclear from publicly documented sources, though their operational patterns suggest they may operate as an independent entity rather than a established ransomware-as-a-service model. Limited public documentation from major security firms indicates the group employs common ransomware tactics, though specific details about their initial access vectors, encryption methods, and data exfiltration practices have not been extensively detailed in reports from CISA, FBI, or major threat intelligence providers. Their targeting appears geographically diverse with a focus on Spain, the United States, France, UAE, and Brazil, while showing particular interest in technology, hospitality and tourism, government, and business services sectors, though many of their victims span unspecified industries. As of current reporting, Stormous appears to remain an active threat, though the limited public documentation suggests they operate as a lower-tier ransomware group compared to more prominent families that receive extensive coverage from major security research organizations.

Most-targeted sectors

Most-affected countries

Recent disclosures by Stormous

Most recent 150 of 245 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Stormous

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Stormous

245 victims indexed · first seen 4 years ago · last activity 14 days ago

245
Victims indexed
#36 of 364 tracked operators
4y 4m
Active period
Mar 2022 → Jul 2026
30
Countries hit
top United States · 21

At a glance

Status
active
First seen
4 years ago
Last activity
14 days ago
Onion sites
9 known endpoints
Primary sector
Technology · 30 hits

About

Stormous is a relatively new ransomware group that emerged in March 2022, operating primarily with financial motivations and has claimed responsibility for attacks against at least 165 victims across multiple countries and sectors. The group's country of origin remains unclear from publicly documented sources, though their operational patterns suggest they may operate as an independent entity rather than a established ransomware-as-a-service model. Limited public documentation from major security firms indicates the group employs common ransomware tactics, though specific details about their initial access vectors, encryption methods, and data exfiltration practices have not been extensively detailed in reports from CISA, FBI, or major threat intelligence providers. Their targeting appears geographically diverse with a focus on Spain, the United States, France, UAE, and Brazil, while showing particular interest in technology, hospitality and tourism, government, and business services sectors, though many of their victims span unspecified industries. As of current reporting, Stormous appears to remain an active threat, though the limited public documentation suggests they operate as a lower-tier ransomware group compared to more prominent families that receive extensive coverage from major security research organizations.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

24 months
2023-08-01T00:00:00+00:00 · 52023-09-01T00:00:00+00:00 · 42023-12-01T00:00:00+00:00 · 82024-01-01T00:00:00+00:00 · 22024-02-01T00:00:00+00:00 · 92024-03-01T00:00:00+00:00 · 102024-04-01T00:00:00+00:00 · 12024-05-01T00:00:00+00:00 · 62024-07-01T00:00:00+00:00 · 22024-08-01T00:00:00+00:00 · 12024-09-01T00:00:00+00:00 · 22024-10-01T00:00:00+00:00 · 102024-11-01T00:00:00+00:00 · 22024-12-01T00:00:00+00:00 · 12025-02-01T00:00:00+00:00 · 22025-05-01T00:00:00+00:00 · 162025-06-01T00:00:00+00:00 · 62025-07-01T00:00:00+00:00 · 12025-10-01T00:00:00+00:00 · 72025-11-01T00:00:00+00:00 · 42025-12-01T00:00:00+00:00 · 42026-03-01T00:00:00+00:00 · 92026-05-01T00:00:00+00:00 · 472026-06-01T00:00:00+00:00 · 5
2023-08-01T00:00:00+00:002026-06-01T00:00:00+00:00

Top countries

🇺🇸 United States
21
🇫🇷 France
12
🇪🇸 Spain
12
🇦🇪 UAE
8
🇮🇳 India
8
🇬🇧 United Kingdom
8
🇧🇷 Brazil
7
🇬🇧 United Kingdom
7

Top sectors

Technology
30
Business Services
21
Hospitality and Tourism
18
Manufacturing
13
Healthcare
10
Financial Services
10
Education
10
Government
9

MITRE ATT&CK

5 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

  • T1190Exploit Public-Facing Application
  • T1566Phishing
  • T1204User Execution
  • T1027Obfuscated Files or Information
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

9 known
  • http://3slz4povugieoi3tw7sblxoowxhbzxeju427cffsst5fo2tizepwatid.onion
  • http://3slz4povugieoi3tw7sblxoowxhbzxeju427cffsst5fo2tizepwatid.onion/datashop.html
  • http://6sf5xa7eso3e3vk46i5tpcqhnlayczztj7zjktzaztlotyy75zs6j7qd.onion
  • http://h3reihqb2y7woqdary2g3bmk3apgtxuyhx4j2ftovbhe3l5svev7bdyd.onion
  • http://h3reihqb2y7woqdary2g3bmk3apgtxuyhx4j2ftovbhe3l5svev7bdyd.onion/stm.html
  • http://pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd.onion
  • http://ransekgbpijp56bflufgxptwn5hej2rztx423v6sim2zrzz7xetnr2qd.onion
  • http://stmxylixiz4atpmkspvhkym4xccjvpcv3v67uh3dze7xwwhtnz4faxid.onion
  • http://stmxylixiz4atpmkspvhkym4xccjvpcv3v67uh3dze7xwwhtnz4faxid.onion/10fes-e87d-9987f-96s-zzd6.html

Source

Updated 14 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Stormous posts a victim.

Add Stormous to your watchlist — Pro pings you within 5 minutes of any new Stormous leak-site post, Telegram callout, or affiliate-rebrand inference.