Stormous Ransomware Claims 4 Victims in 24h
Statistical Overview
Victim Totals
- This month: 665
- This quarter: 2208
- Year to date: 4829
- Last 24h: 17
Quarterly Breakdown
Q1: 2631 | Q2: 2208 | Q3: 0 | Q4: 0
Ransomware activity remains consistent this quarter. Recent operations by groups like Stormous and Booba contribute to ongoing threats, particularly affecting manufacturing and healthcare sectors.
Introduction
There were 17 new ransomware victims. Stormous, Booba, and Akira were the most active groups. Manufacturing, Healthcare, and Construction were the primary sectors impacted, along with legal and education.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Stormous | 4 | Impulso-store.com new, Lorenzoni-store.com new, Maglificioliliana.com new (+1) | Italy | Manufacturing |
| 2 | Booba | 3 | Fonsan, Frosty acres brands, Telewave, inc. | None, United States | Agriculture & Food, Telecommunications |
| 3 | Akira | 2 | Jms southeast, Padget technologies | United States | Manufacturing |
| 4 | Anubis | 1 | Quest health solutions | United States | Healthcare |
| 5 | Audit | 1 | I-sys | Russia | Technology / Software |
| 6 | Chaos | 1 | Roofdepot.com | United States | Construction & Engineering |
| 7 | Interlock | 1 | Clearview eye centre | Canada | Healthcare |
| 8 | Krybit | 1 | Sansilvestre.edu.pe | Peru | Education |
| 9 | Morpheus | 1 | Delegal Poindexter & Underkofler, P.A. | United States | Legal |
| 10 | Qilin | 1 | Isoplus | Greece | Pharmaceuticals & Biotech |
| 11 | SLSH | 1 | Naic.org | United States | Insurance |
Stormous accounted for a large portion of observed activity, targeting four Italian manufacturing entities. Booba focused on US-based agriculture and telecommunications, while Akira also impacted US manufacturing. Healthcare organizations, including Quest Health Solutions (Anubis) and Clearview Eye Centre (Interlock), were targeted. A legal firm in the US was hit by Morpheus, and an education institution in Peru by Krybit. Qilin also listed a pharmaceutical victim in Greece.
Victim Distribution
By Country
- United States: 8
- Italy: 4
- Canada: 1
- Greece: 1
- None: 1
- Peru: 1
- Russia: 1
By Industry
- Textile and Apparel Manufacturing: 4
- Healthcare: 2
- Construction: 2
- Pharmaceuticals: 1
- Education: 1
- Software Development and Business Automation: 1
- Automation Machinery Manufacturing: 1
- Food & Beverages: 1
- Industrial Automation: 1
- Insurance Regulation: 1
The United States and Italy remain the top geographical targets, with a focus on the Textile and Apparel Manufacturing sector. This concentration shows persistent targeting of specific industrial segments within established ransomware geographies.
Ransomware News
Topline
Ransomware developments show changes in TTPs, geographic shifts, targeted policy responses, and major disruptions to initial access infrastructure.
Campaigns & Operations
The Silent Ransom Group (UNC3753) uses advanced extortion tactics, combining vishing and social engineering with in-person data exfiltration when remote methods fail. The Akira ransomware group used hypervisor access, WinRAR for archiving, and Easyupload.io for data exfiltration during an observed attack. See Understanding Ransomware TTPs. The Qilin ransomware operation has been linked to the Mistic backdoor and ModeloRAT campaigns, which employ stealthy in-memory execution and DLL side-loading, as detailed in our Qilin Ransomware Profile. Operation Endgame disrupted 326 C2 servers and 142 domains supporting Amadey and StealC. These are critical initial access brokers in the ransomware ecosystem, which our analysis on Decoding Initial Access Brokers further explains.
Vulnerabilities & TTPs
A critical vulnerability, CVE-2026-50751, in Check Point's Remote Access VPN, allowed attackers to maintain persistence for six weeks post-exploitation. This shows a need for post-perimeter defenses beyond patching. Ransomware threat actors continue to use legitimate tools and services for data exfiltration, as seen with Akira's use of Easyupload.io.
Analyst Note
These developments show a changing threat landscape. This includes sophisticated TTPs, continued targeting of critical sectors, and a global spread of ransomware activity. There are also efforts to dismantle criminal infrastructure.
Technical Takeaways
- Stormous targets Italian Textile and Apparel Manufacturing with four distinct operations.
- Akira ransomware uses techniques like hypervisor access and Easyupload.io for data exfiltration.
- The Qilin ransomware group is associated with the Mistic backdoor and ModeloRAT for persistent access, which use stealthy, in-memory methods.
- Physical in-person exfiltration is a new tactic used by groups like Silent Ransom Group (UNC3753) to get sensitive data.
- Post-perimeter defenses are important. This is shown by the sustained exploitation of CVE-2026-50751 in Check Point VPNs even after initial access.
Stormous Ransomware Group Profile
Stormous is a politically motivated ransomware group known for targeting Western and European organizations. Their focus on Italian manufacturing firms in this latest wave reflects a consistent pattern of attacking mid-sized industrial companies with limited cybersecurity resources.
- Origin: Believed to operate from pro-Russian aligned networks
- Primary targets: Manufacturing, retail, and e-commerce sectors
- Tactics: Data exfiltration combined with encryption-based extortion
- Notable trend: Increasing victim counts in EU-based supply chain companies
Organizations in the manufacturing sector should review their ransomware defense strategies and ensure offline backups are current and tested regularly.
Manufacturing Sector Ransomware Risk Factors
Manufacturing continues to rank among the top targeted industries in ransomware campaigns. Operational technology (OT) environments, legacy systems, and 24/7 uptime requirements make these organizations especially vulnerable to extortion.
- Legacy infrastructure: Older ICS/SCADA systems often lack modern patch support
- High downtime costs: Attackers exploit pressure to restore operations quickly
- Supply chain exposure: Third-party vendor access creates additional entry points
- Limited IT staffing: Smaller manufacturers lack dedicated security teams
Review our ransomware victim trends by sector for a deeper breakdown of manufacturing exposure across recent quarters.
How to Respond to a Ransomware Claim Against Your Organization
If your organization appears in a ransomware group's victim listing, immediate action is critical. Public claims often precede or accompany active data leak threats.
- Verify the claim: Confirm whether data has actually been exfiltrated or systems encrypted
- Engage incident response: Activate your IR plan and notify legal counsel immediately
- Notify regulators: GDPR, HIPAA, and other frameworks may require breach disclosure
- Do not negotiate alone: Involve law enforcement and specialized ransomware negotiators
- Preserve evidence: Avoid wiping systems before forensic imaging is complete
See our ransomware incident response guide for a full checklist of recommended steps.