Back to Intelligence

STORMOUS Ransomware Gang: Global Surge in Consumer Services & Manufacturing — Critical CVE Exploitation

SA
Security Arsenal Team
June 28, 2026
7 min read

Date: 2026-06-28
Analyst: Security Arsenal Threat Intel Unit

Threat Actor Profile — STORMOUS

  • Known Aliases: Stormous, Stormous Gang.
  • Operational Model: Primarily a closed-group operation with sporadic "hacktivist" claims, but currently driven by financial extortion. They operate a custom leak site on the dark web.
  • Ransom Demands: Variable; typically demands range from $500,000 to $5 million depending on victim revenue, demanding payment in Monero (XMR) or Bitcoin (BTC).
  • Initial Access Vectors: Historically reliant on large-scale phishing campaigns and exploiting exposed VPN services. Recent intelligence indicates a shift toward exploiting critical perimeter vulnerabilities (Firewalls, Remote Management Tools).
  • Tactics: Double Extortion. They encrypt systems and exfiltrate sensitive data. If negotiations fail or stall, they publish "Full Data Dumps" for free, as seen in the current batch of victims.
  • Dwell Time: Average 4–7 days. Stormous actors move quickly to exfiltrate data via command-line tools (e.g., Rclone) before detonating the encryption payload.

Current Campaign Analysis

Targeted Sectors

The latest campaign (last 100 postings) shows a distinct pivot toward Consumer Services (Retail) and Manufacturing. Notably, the "Energy" and "Technology" sectors have also been impacted, likely due to supply chain dependencies or shared remote access infrastructure.

  • Consumer Services: 40% of recent victims (e.g., lorenzoni-store.com, montechiaro-store.com, monoprix.tn).
  • Manufacturing: 20% (e.g., HIGUCHI USA, INC).
  • Energy: 10% (e.g., eogb.co.uk).

Geographic Concentration

Stormous is operating globally with no specific regional containment, targeting:

  • Primary: Japan (JP), United States (US), Great Britain (GB).
  • Secondary: Italy (IT), Tunisia (TN), Mexico (MX).

Victim Profile & Escalation

  • Company Size: Targeting appears to focus on mid-market enterprises ($50M - $500M revenue) with mature digital footprints but potentially fragmented security postures across international subsidiaries.
  • Escalation Pattern: A disturbing pattern has emerged where 4 victims (maglificioliliana.com, lorenzoni-store.com, montechiaro-store.com, impulso-store.com) were initially posted on 2026-06-24 and updated on 2026-06-28 with "UPDATE-FULL DATA DUMP FREE PART1". This indicates zero tolerance for negotiation delays and an aggressive move to damage brand reputation.

Initial Access & CVE Correlation

Based on the CISA Known Exploited Vulnerabilities (KEV) catalog associated with recent ransomware activity, Stormous is likely leveraging the following CVEs for perimeter breach:

  1. CVE-2026-50751 (Check Point Security Gateway): Allows unauthorized access via IKEv1. Given the manufacturing targets, this is a high-probability vector for breaching corporate VPNs.
  2. CVE-2026-20131 (Cisco Secure Firewall FMC): A deserialization flaw allowing RCE. Critical for the Energy and Tech victims.
  3. CVE-2024-1708 (ConnectWise ScreenConnect): A path traversal flaw leading to RCE. Frequently used to gain immediate access to internal networks via managed service providers (MSPs).

Detection Engineering

Sigma Rules

YAML
title: Potential Stormous Initial Access - Check Point IKEv1 Anomalies
id: 4a8b12c9-0d3e-4a5f-9b1c-2d3e4f5a6b7c
description: Detects potential exploitation of CVE-2026-50751 involving abnormal IKEv1 authentication failures or successful logins followed by mass file access.
author: Security Arsenal
date: 2026/06/28
status: experimental
logsource:
  product: firewall
  service: checkpoint
detection:
  selection:
    product|contains: 'Check Point'
    action: 'accept' or 'drop'
    protocol: 'ike'
   IKEv1_Indicator:
    vendor_specific|contains: 'ikev1'
  condition: selection and IKEv1_Indicator
falsepositives:
  - Legitimate VPN misconfigurations
level: high
tags:
  - attack.initial_access
  - cve.2026.50751
  - stormous

---

title: ScreenConnect Path Traversal Exploitation Attempt
id: b5c9d2e1-4f6a-7b8c-9d0e-1f2a3b4c5d6e
description: Detects suspicious URL patterns indicative of CVE-2024-1708 exploitation on ConnectWise ScreenConnect servers.
author: Security Arsenal
date: 2026/06/28
status: experimental
logsource:
  product: webserver
  service: iis
detection:
  selection_uri:
    cs-uri-query|contains:
      - 'bin\'
      - '..\'
      - '..%5c'
  selection_host:
    cs-host|contains: 'ScreenConnect'
  condition: selection_uri and selection_host
falsepositives:
  - Rare scanning activity
level: critical
tags:
  - attack.initial_access
  - attack.execution
  - cve.2024.1708
  - stormous

---

title: Large Scale Data Staging via Rclone or PowerShell
id: c6d0e3f2-5a7b-8c9d-0e1f-2a3b4c5d6e7f
description: Detects potential data exfiltration staging characteristic of Stormous double extortion tactics using Rclone or PowerShell compression.
author: Security Arsenal
date: 2026/06/28
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection_rclone:
    NewProcessName|contains: 'rclone'
  selection_powershell:
    NewProcessName|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Compress-Archive'
      - 'Copy-Item'
  filter_legit:
    User|contains:
      - 'SYSTEM'
      - 'ADMINISTRATOR'
  timeframe: 1h
  condition: (selection_rclone or selection_powershell) | count(ProcessID) > 10
falsepositives:
  - Legitimate backup admin tasks
level: high
tags:
  - attack.exfiltration
  - stormous

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and mass file encryption prep
// Focus on PowerShell and SMB activity often used by Stormous
let Timeframe = 1h;
let ProcessCreation = DeviceProcessEvents 
| where Timestamp >= ago(Timeframe)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "vssadmin.exe") 
| where ProcessCommandLine has_any ("-encoded", "-enc", "delete shadows", "delete") 
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
let NetworkEvents = DeviceNetworkEvents 
| where Timestamp >= ago(Timeframe)
| where RemotePort in (445, 135, 5985, 5986) 
| summarize count() by DeviceName, RemoteIP, RemotePort;
union ProcessCreation, NetworkEvents
| summarize Count = count() by DeviceName, bin(Timestamp, 5m)
| where Count > 5
| order by Count desc

Rapid Response PowerShell Script

PowerShell
<#
.SYNOPSIS
    Stormous Post-Compromise Triage Script
.DESCRIPTION
    Checks for signs of Stormous activity: VSS deletion, recent scheduled tasks, and unusual PowerShell processes.
#>

Write-Host "[!] Starting Stormous Triage Check..." -ForegroundColor Yellow

# 1. Check Volume Shadow Copy Service Status (VSS)
Write-Host "\n[*] Checking VSS Shadow Copy Storage..." -ForegroundColor Cyan
try {
    $vss = vssadmin list shadows
    if ($vss -match "No shadow copies found") {
        Write-Host "[ALERT] No Shadow Copies found. Possible deletion event." -ForegroundColor Red
    } else {
        Write-Host "[OK] Shadow Copies exist." -ForegroundColor Green
    }
} catch {
    Write-Host "[ERROR] Could not query VSS." -ForegroundColor DarkRed
}

# 2. Enumerate Scheduled Tasks created in last 3 days
Write-Host "\n[*] Checking for recently created Scheduled Tasks (Last 3 Days)..." -ForegroundColor Cyan
$dateCutoff = (Get-Date).AddDays(-3)
Get-ScheduledTask | Where-Object { $_.Date -ge $dateCutoff } | Select-Object TaskName, TaskPath, Date, Author | Format-Table -AutoSize

# 3. Hunt for encoded PowerShell commands in recent logs
Write-Host "\n[*] Scanning Security Log for Encoded PowerShell..." -ForegroundColor Cyan
$events = Get-WinEvent -LogName Security -MaxEvents 1000 -ErrorAction SilentlyContinue | Where-Object { $_.Message -match "powershell.*-enc" }
if ($events) {
    Write-Host "[ALERT] Found encoded PowerShell execution events." -ForegroundColor Red
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Host "[OK] No obvious encoded PowerShell found in recent logs." -ForegroundColor Green
}


---

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption)

  1. VPN/Perimeter Logs: Review Check Point and Cisco Firewall logs for spikes in IKEv1 failures or anomalous admin logins (CVE-2026-50751 / CVE-2026-20131).
  2. Remote Access: Audit ConnectWise ScreenConnect logs for path traversal attempts (..\ or bin\ strings).
  3. User Behavior: Look for sudden increases in data egress volume from accounts that typically access CAD files or customer databases (Manufacturing/Retail sectors).

Critical Assets Prioritized for Exfiltration

  • Manufacturing: Intellectual Property (CAD drawings, Schematics), ERP databases.
  • Consumer Services: Full Customer PII databases (names, addresses, credit card info), Loyalty program data.
  • Energy: SCADA configuration files, Operational Technology (OT) network maps.

Containment Actions

  1. Immediate: Isolate identified compromised systems from the network. If a VPN appliance is suspected of compromise (Check Point/Cisco), consider terminating all VPN sessions and requiring a password reset + MFA re-enrollment for all users.
  2. Urgent: Block outbound traffic to known file-sharing endpoints (Mega.nz, Transfer.sh) often used for exfiltration.
  3. Secondary: Revoke credentials for service accounts used by ConnectWise ScreenConnect.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Critical CVEs: Apply patches for CVE-2026-50751 (Check Point), CVE-2026-20131 (Cisco FMC), and CVE-2024-1708 (ConnectWise) immediately.
  • MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) on all VPN and remote access gateways.
  • ScreenConnect Hardening: If patching is not immediately possible, block public internet access to ScreenConnect web interfaces and restrict access via VPN only.

Short-Term (2 Weeks)

  • Network Segmentation: Separate IT and OT networks (especially for Energy victims). Implement strict East-West traffic controls.
  • Audit External Attack Surface: Perform a scan for exposed RDP, VPN, and management interfaces on the public internet.
  • EDR Deployment: Ensure Endpoint Detection and Response (EDR) is deployed and functioning on all critical servers, particularly those holding customer PII and IP.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangstormousransomwareconsumer-servicesmanufacturingcve-exploitinitial-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action