Ransomware victim disclosure
← All victimsFANASA
listed as FANASA.COM · Claimed by Stormous · listed 4 months ago
Status timeline
- ListedMar 28, 2026
- Data leakeddate unknown
At a glance
- Group
- Stormous
- Status
- Data leaked
- Country
- Mexico
- Sector
- Business Services
- Listed on leak site
- Mar 28, 2026
About the victim
AI dossier — public-source company profileFANASA (fanasa.com) is a Mexican company operating in the business services and/or wholesale distribution sector. Based on the leak post references to CFDI/XML fiscal documents, RFC taxpayer identification numbers, and internal corporate documentation, the company appears to be a mid-sized Mexican enterprise engaged in commercial trade or distribution activities. No further details are available from the public site.
- Industry
- Wholesale Distribution / Business Services
Attack summary
Severity: high — Confirmed exfiltration of significant volumes of business and personal data including PII, fiscal/tax identifiers (RFC), financial records, and internal corporate documentation from a Mexican company, with data actively offered for sale; however, no evidence of regulated medical or government data elevates this to critical.The Stormous ransomware group claims to have exfiltrated approximately half of FANASA's data, including PII, electronic fiscal documents (CFDI/XML), financial transaction records, commercial invoices, taxpayer identification numbers (RFC), and client/vendor databases, with the full dataset offered for sale.
Data the group says was taken
AI dossier — extracted from the leak post- Personally Identifiable Information (PII)
- Electronic Fiscal Documents (CFDI/XML)
- Financial Transaction Records
- Commercial Invoices & Billing Data
- Taxpayer Identification Numbers (RFC)
- Client & Vendor Database
- Internal Corporate Documentation
- Administrative/System Files
- Operational Records
- Engineering Drawings & Schematics
- Project Planning & Execution Documents
- Email/Communication Data
- Application/Database Data (AYEAPLICACIONES, BDATOSFITCLOD)
- Software/Installation Files (AUTOBOU)
- Personal/Miscellaneous Files
What the group claims
Half the data has been extracted including PII, Electronic Fiscal Documents (CFDI/XML), Financial Transaction Records, Commercial Invoices & Billing Data, Taxpayer Identification Numbers (RFC), Client & Vendor Database, Internal Corporate Documentation, administrative/system files, operational records, engineering drawings, schematics, project planning documents, email/communication data, system/application data
The leak post
captured from the group's siteInitial Access Brokers - Long-Term Collaboration We are currently seeking reliable Initial Access Brokers for long-term collaboration. ** Please do not waste time attempting complex exploit development or direct EDR confrontation. We are interested exclusively in stable corporate access. Local user access is acceptable. * Small to mid-sized enterprises: fixed payment starting at * Large enterprises: revenue share from final settlement FANASA.COM Half the data has been extracted Personally Identifiable Information (PII), Electronic Fiscal Documents (CFDI/XML), Financial Transaction Records, Commercial Invoices & Billing Data, Taxpayer Identification Numbers (RFC), Client & Vendor Database/Internal Corporate Documentation Administrative/System Files/ADMIN, DOAS, operational records, engineering drawings, schematics... Project Planning & Execution Documents... (Folders/Files) Email/Communication/System/Application Data AYEAPLICACIONES database/Log Data BDATOSFITCLOD, Software/Installation/Program Files AUTOBOU, Personal/Miscellaneous Files AvenaCubana All of this data is offered for sale (user information: email, phone number, full name, date of birth / payment and bookin…
Data the group says was taken
- PII
- financial
- emails
- contracts
Sources
- Victim sitefanasa.com
- Leak posthttp://pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd.onion
Source
Indexed 4 months agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
Is this your supplier? Your competitor? You?
Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

