Operator dossier

Stormous is a ransomware operator currently active on public leak sites. Darkfield has indexed 220 public victims claimed by this operator between March 22, 2022 and May 13, 2026. Stormous is a relatively new ransomware group that emerged in March 2022, operating primarily with financial motivations and has claimed responsibility for attacks against at least 165 victims across multiple countries and sectors. The group's country of origin remains unclear from publicly documented sources, though their operational patterns suggest they may operate as an independent entity rather than a established ransomware-as-a-service model. Limited public documentation from major security firms indicates the group employs common ransomware tactics, though specific details about their initial access vectors, encryption methods, and data exfiltration practices have not been extensively detailed in reports from CISA, FBI, or major threat intelligence providers. Their targeting appears geographically diverse with a focus on Spain, the United States, France, UAE, and Brazil, while showing particular interest in technology, hospitality and tourism, government, and business services sectors, though many of their victims span unspecified industries. As of current reporting, Stormous appears to remain an active threat, though the limited public documentation suggests they operate as a lower-tier ransomware group compared to more prominent families that receive extensive coverage from major security research organizations.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

Stormous

220 victims indexed · first seen 4 years ago · last activity 7 days ago

220

Victims indexed

#37 of 348 tracked operators

4y 2m

Active period

Mar 2022 → May 2026

Countries hit

top Spain · 11

At a glance

Status: active
First seen: 4 years ago
Last activity: 7 days ago
Onion sites: 9 known endpoints
Primary sector: Not Found · 14 hits

About

Stormous is a relatively new ransomware group that emerged in March 2022, operating primarily with financial motivations and has claimed responsibility for attacks against at least 165 victims across multiple countries and sectors. The group's country of origin remains unclear from publicly documented sources, though their operational patterns suggest they may operate as an independent entity rather than a established ransomware-as-a-service model. Limited public documentation from major security firms indicates the group employs common ransomware tactics, though specific details about their initial access vectors, encryption methods, and data exfiltration practices have not been extensively detailed in reports from CISA, FBI, or major threat intelligence providers. Their targeting appears geographically diverse with a focus on Spain, the United States, France, UAE, and Brazil, while showing particular interest in technology, hospitality and tourism, government, and business services sectors, though many of their victims span unspecified industries. As of current reporting, Stormous appears to remain an active threat, though the limited public documentation suggests they operate as a lower-tier ransomware group compared to more prominent families that receive extensive coverage from major security research organizations.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/stormous

Timeline

24 months

2023-03-01T00:00:00+00:002025-12-01T00:00:00+00:00

Top countries

🇪🇸 Spain

🇺🇸 United States

🇫🇷 France

🇦🇪 UAE

🇧🇷 Brazil

🇮🇩 Indonesia

🇩🇪 Germany

🇬🇧 United Kingdom

Spain dossier →United States dossier →France dossier →UAE dossier →

Top sectors

Not Found

Technology

Hospitality and Tourism

Government

Business Services

Healthcare

Manufacturing

Public Sector

Not Found dossier →Technology dossier →Hospitality and Tourism dossier →Government dossier →

MITRE ATT&CK

5 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

T1190Exploit Public-Facing Application
T1566Phishing
T1204User Execution
T1027Obfuscated Files or Information
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

9 known

http://3slz4povugieoi3tw7sblxoowxhbzxeju427cffsst5fo2tizepwatid.onion
http://3slz4povugieoi3tw7sblxoowxhbzxeju427cffsst5fo2tizepwatid.onion/datashop.html
http://6sf5xa7eso3e3vk46i5tpcqhnlayczztj7zjktzaztlotyy75zs6j7qd.onion
http://h3reihqb2y7woqdary2g3bmk3apgtxuyhx4j2ftovbhe3l5svev7bdyd.onion
http://h3reihqb2y7woqdary2g3bmk3apgtxuyhx4j2ftovbhe3l5svev7bdyd.onion/stm.html
http://pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd.onion
http://ransekgbpijp56bflufgxptwn5hej2rztx423v6sim2zrzz7xetnr2qd.onion
http://stmxylixiz4atpmkspvhkym4xccjvpcv3v67uh3dze7xwwhtnz4faxid.onion
http://stmxylixiz4atpmkspvhkym4xccjvpcv3v67uh3dze7xwwhtnz4faxid.onion/10fes-e87d-9987f-96s-zzd6.html

Source

Updated 7 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.