Full Report
ASEC Blog publishes Ransom & Dark Web Issues Week 4, May 2025 Six global hospitality companies listed as new victims of the Stormous ransomware. An unidentified South Korean company listed as a new victim of the Devman ransomware. Europol and Microsoft conduct an international joint operation to disrupt […]
Analysis Summary
# Incident Report: Week 4 May 2025 Ransomware & Dark Web Activity
## Executive Summary
This report summarizes key threats observed during the fourth week of May 2025, highlighting three significant events: the listing of six global hospitality companies by the Stormous ransomware gang, a new victim announcement by the Devman ransomware group in South Korea, and a successful international operation to disrupt Lumma Stealer infrastructure. The primary impact involved potential data encryption/exfiltration and widespread malware distribution, mitigated by joint law enforcement actions.
## Incident Details
- Discovery Date: May 22, 2025 (Publication date of the analysis)
- Incident Date: Various, spanning the week leading up to May 22, 2025
- Affected Organizations: Six global hospitality companies (Stormous); one unidentified South Korean company (Devman)
- Sector: Hospitality (Stormous victims); general business (Devman victim, South Korea)
- Geography: Global (Hospitality victims); South Korea (Devman victim)
## Timeline of Events
### Initial Access
- Date/Time: Unspecified, within Week 4, May 2025
- Vector: **Stormous:** Ransomware infection (specific vector not detailed). **Devman:** Ransomware infection (specific vector not detailed). **Lumma Stealer:** Distribution infrastructure leveraged for credential harvesting.
- Details: Six hospitality firms were added to the Stormous leak site. One South Korean company was added to the Devman leak site.
### Lateral Movement
- Details: Not explicitly detailed for the Stormous or Devman victims in the summary, but implied by the nature of ransomware operations, which require persistence and spread across the victim network before encryption.
### Data Exfiltration/Impact
- **Stormous & Devman:** Data was likely stolen prior to encryption (double extortion). Specific data types are not listed.
- **Lumma Stealer:** Infrastructure was used to steal user credentials and information.
### Detection & Response
- Date/Time: Lumma Stealer infrastructure disruption occurred during this period.
- **Response:** Europol and Microsoft conducted an international joint operation to disrupt the Lumma Stealer Command and Control (C2) infrastructure.
- **Detection:** Victim identification by ASEC researchers via Dark Web monitoring.
## Attack Methodology
| Phase | Method |
| :--- | :--- |
| Initial Access | Ransomware vectors (Unspecified); Exploitation or social engineering leading to Lumma Stealer deployment. |
| Persistence | Implied for ransomware operations to ensure encryption completion. |
| Privilege Escalation | Not detailed. |
| Defense Evasion | Not detailed. |
| Credential Access | **Lumma Stealer:** Specifically targets and steals credentials. |
| Discovery | Not detailed for ransomware actors. |
| Lateral Movement | Implied within victim networks for ransomware execution. |
| Collection | Data theft occurred prior to deploying ransomware. |
| Exfiltration | Implied data transfer for listed victims. |
| Impact | Data encryption (Ransomware) and credential theft (Lumma Stealer). |
## Impact Assessment
- Financial: Potential ransom payments and recovery costs for the named victims.
- Data Breach: Unconfirmed details, but likely sensitive corporate data due to ransomware activities.
- Operational: Downtime and service disruption for the six hospitality companies and the single South Korean entity.
- Reputational: Negative publicity associated with being listed on ransomware leak sites.
## Indicators of Compromise
*Note: Since this is a summary of observed activities, specific IOCs require subscription access to AhnLab TIP.*
- **Network Indicators:** C2 infrastructure associated with Lumma Stealer targeted by law enforcement.
- **File Indicators:** Malicious payloads related to Devman and Stormous (IOCs restricted).
- **Behavioral Indicators:** Evidence of large-scale unauthorized data staging and encryption events on victim networks.
## Response Actions
- **Containment:** Not detailed for specific victim responses.
- **Eradication:** Not detailed for specific victim responses.
- **Recovery:** Not detailed for specific victim responses.
- **External Response:** International joint operation by Europol and Microsoft to dismantle Lumma Stealer C2 infrastructure.
## Lessons Learned
- The ongoing and effective collaboration between law enforcement (Europol) and private industry (Microsoft) is crucial for disrupting large-scale malware operations like Lumma Stealer.
- Ransomware groups like Stormous continue to actively target diverse sectors, including hospitality, indicating persistent exposure across the industry and its supply chain.
## Recommendations
- Immediately review mail, endpoint security, and network traffic logs for known indicators associated with Devman, Stormous, and Lumma Stealer activity.
- Implement robust credential hygiene and multi-factor authentication organization-wide to mitigate the risk posed by infostealers like Lumma.
- Ensure comprehensive, tested backup and recovery procedures are in place to effectively counter ransomware extortion attempts.