Stormous

Malware

⚠️ Overview

Stormous is a ransomware-as-a-service (RaaS) operation that Trend Micro first reported in April 2022. The operators, who call themselves Stormous Team, primarily target Middle Eastern organizations, including educational and government entities in Egypt and Syria. Stormous runs a double-extortion model: it exfiltrates data and encrypts files, then demands payment under threat of publishing the stolen data. Note that much of the group's activity is known only from its own leak-site claims, which are not always independently confirmed.

🔧 Technical Capabilities

According to the sources this page draws on, Stormous is written in C++, uses ChaCha20 for file encryption, and appends .stormous to encrypted files. Initial access is gained through phishing emails with malicious attachments, as reported by BleepingComputer. The malware communicates over HTTPS with a C2 infrastructure hosted on Tor and publishes stolen data on a leak site. Persistence is achieved through scheduled tasks. Evasion techniques include disabling Windows Defender via PowerShell and using a custom crypter to evade antivirus engines, according to Trend Micro's 2022 analysis. MITRE ATT&CK techniques observed include T1486 (Data Encrypted for Impact), T1566 (Phishing), and T1490 (Inhibit System Recovery); the scheduled-task persistence and Defender tampering described above correspond to T1053.005 (Scheduled Task) and T1562.001 (Impair Defenses: Disable or Modify Tools).

📜 History & Notable Incidents

Stormous first appeared on April 6, 2022, claiming an attack on the Egyptian Ministry of Education and leaking what it said was 400 GB of data, per The Record. In June 2022, it claimed the Syrian Ministry of Education as a victim, stating it had exfiltrated 500 GB. The group also claimed an attack on a Lebanese bank in July 2022 and leaked data from a Turkish education platform in August 2022. No arrests have been reported.

🔍 Detection Indicators

Host indicators include the ransom note "READ_IT.txt", encrypted files with the .stormous extension, and network connections to .onion leak domains. Registry keys under SOFTWARE\Stormous and a mutex named StormousMutex are further artifacts; confirm both against a current sample, since RaaS affiliates may rebuild payloads with different values. Behavioral signs include deletion of volume shadow copies via vssadmin.exe and PowerShell commands that disable security tools. User-Agent strings used in C2 communication have been documented in threat intelligence reports.

☠️ Risk & Impact

Stormous combines data exfiltration with encryption, causing operational downtime, recovery costs, and financial losses. Affected sectors include education, government, and healthcare in the Middle East. Reported extortion demands range from $50,000 to $500,000, and the publication of stolen data causes reputational harm even when the ransom is not paid.

🛡️ Mitigation

Defenses include email filtering against malicious attachments, offline (or immutable) backups that are regularly tested for restore, and endpoint detection rules for volume shadow copy deletion and for PowerShell that tampers with security tools. Apply least privilege and application allowlisting so that a phished user's session cannot run arbitrary executables. Monitor the network for outbound Tor connections, which most corporate hosts have no legitimate reason to make.
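The host-side indicators listed under Detection Indicators (shadow-copy deletion, PowerShell disabling Defender, the .stormous extension and the READ_IT.txt note) and the endpoint rules recommended above can be turned into a small event-matching script. The following is an added example written for this page, not Stormous or Trend Micro code: it runs Sigma-style rules over constructed Sysmon-like JSON lines (the sample events are made up here, not real telemetry), tags each hit with an ATT&CK ID, and escalates only hosts where several stages fire together. The indicator strings are the page's own and are not verified against a sample here; the wmic and wbadmin variants of shadow-copy deletion go beyond what the page lists and are included as the general pattern.

```python
"""Event-based detection for the Stormous host indicators named on this page.

Added example, not Stormous or Trend Micro code. SAMPLE_EVENTS is constructed
to look like Sysmon process-create (EventID 1) and file-create (EventID 11)
records exported as JSON lines; it is not real telemetry. The .stormous
extension and READ_IT.txt note name are taken from the page text and are not
verified against a sample here. The wmic/wbadmin shadow-copy variants are the
general pattern, beyond what the page lists.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID
    rule: str        # name of the rule that fired
    host: str        # Computer field of the event
    evidence: str    # command line or file path that matched


# Process-creation rules, matched against the CommandLine field.
PROCESS_RULES = [
    ("T1490", "shadow_copy_deletion", re.compile(
        r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(?:\.exe)?\s+delete\s+catalog)", re.I)),
    ("T1562.001", "defender_disabled_via_powershell", re.compile(
        r"Set-MpPreference\b.*-Disable(?:RealtimeMonitoring|IOAVProtection"
        r"|BehaviorMonitoring)\s+(?:\$true|1)\b", re.I)),
    ("T1053.005", "scheduled_task_created", re.compile(
        r"\bschtasks(?:\.exe)?\s+/create\b", re.I)),
]

# File-creation rules, matched against the TargetFilename field.
FILE_RULES = [
    ("T1486", "stormous_extension", re.compile(r"\.stormous$", re.I)),
    ("T1486", "ransom_note_dropped", re.compile(r"(?:^|\\)READ_IT\.txt$", re.I)),
]


def evaluate(event: dict) -> list[Finding]:
    """Return every finding raised by one event; unknown event types yield none."""
    host = event.get("Computer", "unknown")
    findings: list[Finding] = []
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        findings += [Finding(t, r, host, cmd) for t, r, rx in PROCESS_RULES if rx.search(cmd)]
    elif event.get("EventID") == 11:
        path = event.get("TargetFilename", "")
        findings += [Finding(t, r, host, path) for t, r, rx in FILE_RULES if rx.search(path)]
    return findings


def scan_jsonl(text: str) -> list[Finding]:
    """Run every rule over a JSON-lines export; blank lines are skipped."""
    findings: list[Finding] = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(evaluate(json.loads(line)))
    return findings


def hosts_to_escalate(findings: list[Finding], min_techniques: int = 2) -> list[str]:
    """Hosts where at least min_techniques distinct techniques fired.

    A lone schtasks /create is routine admin noise; recovery inhibition plus
    defence tampering plus encryption artifacts on one host is the pattern
    worth paging on.
    """
    seen: dict[str, set[str]] = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, techniques in seen.items() if len(techniques) >= min_techniques)


# Constructed sample telemetry (not real). WS-0142 shows the full chain;
# WS-0077 shows benign-looking activity that must not escalate on its own.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-0142", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Computer": "WS-0142", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 11, "Computer": "WS-0142", "Image": "C:\\Users\\Public\\svchost.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\Q3_report.xlsx.stormous"},
    {"EventID": 11, "Computer": "WS-0142", "Image": "C:\\Users\\Public\\svchost.exe",
     "TargetFilename": "C:\\Users\\alice\\Desktop\\READ_IT.txt"},
    {"EventID": 1, "Computer": "WS-0077", "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /create /tn Updater /tr C:\\ProgramData\\u.exe /sc onlogon"},
    {"EventID": 1, "Computer": "WS-0077", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"EventID": 11, "Computer": "WS-0099", "Image": "C:\\Program Files\\Office\\winword.exe",
     "TargetFilename": "C:\\Users\\bob\\notes.txt"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    results = scan_jsonl(SAMPLE_LOG)
    for f in results:
        print(f"{f.host}  {f.technique:<10} {f.rule:<32} {f.evidence}")
    print("escalate:", hosts_to_escalate(results))
```

The mutex and registry key from the indicator list are live-response artifacts rather than log events, so they are not covered by this script; check them with a memory or registry sweep of the hosts this escalates. Rule order and the escalation threshold are assumptions for the example, not part of any published Stormous detection content.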


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.