Stormous
Stormous is a cybercrime and ransomware group operating a leak-site and affiliate-oriented ecosystem. Reporting describes Stormous infrastructure spanning public victim blogs, data distribution nodes, access-controlled panels, and restricted coordination environments on Tor, with repeated use of a single TOX contact identifier and Telegram channels for communications, onboarding, rules, and victim publication. Investigators observed Stormous-branded onion services including "Stormous.V4 BLOG" and "Stormous V5," as well as earlier infrastructure offering paid access, free access, a PYV service for submitting victims, affiliate rules, and portal interfaces.

Telegram channels tied to the group advertised tiered participation models: paid access with direct control-panel access for victim management and negotiations, and free access through existing affiliates. The group published operational guidelines covering verification of attacks, victim listing and removal, and ransom negotiations.

Reporting assesses Stormous as part of a broader shared cybercrime ecosystem that became operationally aligned with RansomedVC and later GhostLocker, rather than a simple direct rebrand. A Telegram channel associated with this ecosystem underwent multiple name changes, including Ransomed News, Ransomed_vc, Ransomed.vc Channel, Ražnatović Channel, Stormous.X Store (V3.0), and Stm.X | GhostLocker variants, while retaining the same TOX identifier. Forum activity by users such as SuperNova and crowSTM also referenced Stormous-linked infrastructure and communications.

Stormous has been linked to extortion and data-theft claims against victims including North County HealthCare, where the group claimed theft and publication of data from 600,000 patients. The group was also reported to have breached France Travail using automated credential stuffing and exploitation of a backend PDF generation API to download victim documents.

In May 2025 reporting, Stormous was described as having revamped its data leak site, increased activity, posted information on hotel and resort victims, and claimed an attack on a German car manufacturer without providing supporting evidence. Reporting also states that Dragon RaaS emerged in 2024 from the Stormous group and focused on smaller, less secure organizations. Stormous was named as part of an August 2023 alliance called the "Five Families," alongside SiegedSec, Ghost Security, BlackForums, and ThreatSec.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Consumer Services
Where they target
Geographies tied to known operations.
- 🇧🇷 Brazil
Tradecraft
7 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
14 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
- Operates a ransomware/data-extortion ecosystem with leak blogs, affiliate onboarding, paid and free participation tiers, victim posting services, negotiation workflows, and data distribution infrastructure.
- Healthcare-focused extortion with mass patient-data theft claims and a subsequent publication/sale strategy.
- Referenced as the originating group from which Dragon (RaaS) emerged; characterized in the article's framing as part of the hybrid hacktivist and ransomware ecosystem.
- Stormous is a ransomware group that targets hotels and resorts and claims attacks on large companies, though some claims are disputed or unverified.