The Hydra Protocol: Analyzing the Stormous “Six-Way” RaaS Alliance

Date: December 19, 2025
Threat Level: Critical
Target Audience: CTI Analysts, SOC Managers, Threat Hunters

In December 2025, the Stormous ransomware group formally confirmed a strategic “cartel” partnership with six other distinct threat groups: Devman, Coinbase Cartel, Nova, Radar, Desolator, and Kryptos. This consolidation represents a shift in the Ransomware-as-a-Service (RaaS) ecosystem, moving from loose affiliate models to structured multi-group alliances designed to pool resources, specialized capabilities, and victim data.

This report breaks down the technical profiles, shared TTPs, and indicators of compromise (IOCs) associated with this new coalition.


1. The Alliance Architecture

Unlike traditional RaaS models where a core developer rents malware to affiliates, this alliance functions as a “capabilities exchange.” Each member brings a specific specialization to the kill chain:

  • Stormous: Orchestrator and “Leak Site” manager; often handles the negotiation and public pressure campaigns.
  • Coinbase Cartel: Specializes in Cloud Extortion and data theft without encryption (leak-only), focusing on high-value cloud environments like Salesforce and AWS.
  • Devman: Provides the Encryption Layer (Windows/Linux lockers) and traditional RaaS infrastructure.
  • Kryptos: Focuses on Initial Access via Insider Threat, actively recruiting rogue employees to bypass perimeter defenses.
  • Nova (RALord), Radar, Desolator: Support roles, likely providing additional affiliate networks or redundant infrastructure.

2. Technical Profiles & TTPs

A. Coinbase Cartel: The Cloud Extortionist

  • Primary Function: Data Exfiltration (Non-Encryption)
  • Targeting: Logistics, Transportation, and SaaS-heavy enterprises.
  • TTPs:
    • OAuth Abuse: Compromises cloud environments (Salesforce, Google Workspace) by tricking users into authorizing malicious OAuth apps or stealing session tokens.
    • Data Loader Mimicry: Deploys custom Python scripts that mimic legitimate administrative tools (like the Salesforce Data Loader) to bulk-export sensitive records via legitimate APIs (SOQL queries).
    • Defense Evasion: Uses “Living off the Cloud” techniques, making exfiltration traffic look like standard backup or sync operations.
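The “Data Loader mimicry” pattern above is detectable from Salesforce’s own API event logs if you correlate the self-reported client name, the HTTP user agent, and row volume per user. The following is an added example written for this report (not code from Coinbase Cartel or from Salesforce): it runs three simple rules over constructed records shaped loosely like Salesforce EventLogFile API rows. The field names, the baseline of expected bulk-capable agents, and the 10,000-row threshold are assumptions to be mapped onto your own org’s columns and normal volumes. It also covers the “Salesforce API calls from non-standard user agents” indicator listed under IOCs later in this report.

```python
from collections import defaultdict

# Constructed sample records (not real telemetry). Field names are an
# assumption modelled on Salesforce EventLogFile 'API' events.
SAMPLE_EVENTS = [
    {"user": "svc-backup@corp.example", "client_name": "Data Loader",
     "user_agent": "Data Loader/58.0", "entity": "Contact", "rows": 50_000},
    {"user": "jdoe@corp.example", "client_name": "",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "entity": "Account", "rows": 25},
    {"user": "mlee@corp.example", "client_name": "Data Loader",
     "user_agent": "python-requests/2.31.0", "entity": "Account", "rows": 80_000},
    {"user": "mlee@corp.example", "client_name": "Data Loader",
     "user_agent": "python-requests/2.31.0", "entity": "Contact", "rows": 120_000},
    {"user": "ops@corp.example", "client_name": "",
     "user_agent": "simple-salesforce/1.12", "entity": "Lead", "rows": 300},
]

# Assumed org baseline: the only agents expected to move bulk data.
EXPECTED_BULK_AGENTS = ("Data Loader/",)
# Libraries a home-grown export script usually announces itself as.
SCRIPT_AGENTS = ("python-requests", "python-urllib", "aiohttp", "simple-salesforce", "curl/")
BULK_ROWS = 10_000  # assumed per-user row count that counts as an export


def classify_event(ev):
    """Return the reasons a single API event looks suspicious (may be empty)."""
    ua = ev["user_agent"]
    reasons = []
    if any(sig in ua for sig in SCRIPT_AGENTS):
        reasons.append("scripted_client")
    if ev["client_name"] == "Data Loader" and not ua.startswith("Data Loader/"):
        # client_name is self-reported by the caller; a library user agent
        # claiming to be Data Loader is the mimicry pattern.
        reasons.append("data_loader_mimicry")
    return reasons


def detect(events, bulk_rows=BULK_ROWS):
    """Correlate per user: per-event signals plus bulk volume from unexpected agents."""
    rows_by_user = defaultdict(int)
    reasons_by_user = defaultdict(set)
    for ev in events:
        for reason in classify_event(ev):
            reasons_by_user[ev["user"]].add(reason)
        if not ev["user_agent"].startswith(EXPECTED_BULK_AGENTS):
            rows_by_user[ev["user"]] += ev["rows"]
    for user, rows in rows_by_user.items():
        if rows >= bulk_rows:
            reasons_by_user[user].add("bulk_export_unexpected_agent")
    return {user: sorted(reasons) for user, reasons in reasons_by_user.items()}


if __name__ == "__main__":
    for user, reasons in detect(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(reasons)}")
```

Only `mlee` trips all three rules; the genuine Data Loader job and the browser session produce nothing, and the small `simple-salesforce` call is surfaced as a scripted client without being escalated to an export. Tune `BULK_ROWS` to the largest legitimate job in your baseline window before alerting on it.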

B. Devman: The Encryptor

  • Primary Function: System Locking / Encryption
  • Targeting: Manufacturing, Healthcare, and Construction.
  • Malware Analysis (DevMan 1.0):
    • Execution: Sets process priority to HIGH_PRIORITY_CLASS to expedite encryption.
    • API Hashing: Uses dynamic API hashing to resolve Windows APIs at runtime, evading static analysis.
    • Encryption Scheme: Generates a fresh 32-byte key for each file. That file key is protected with ECDH on Curve25519 (a per-file ephemeral key pair agreed against the operator’s embedded public key), and the per-file public key is appended to the file footer, so only the holder of the operator’s private key can recover the file key.
    • Recovery Inhibition: Deletes Volume Shadow Copies via vssadmin and empties the Recycle Bin so that simple rollback is not possible.
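To make the key-management pattern concrete, the following is an added example written for this report, not Devman’s code: it reconstructs the footer scheme described above with a pure-Python X25519 (RFC 7748 Montgomery ladder) and uses a SHA-256 counter keystream as a stand-in for the file cipher, which the report does not name. The footer layout (32-byte wrapped file key followed by the 32-byte ephemeral public key) and the use of SHA-256 as the key-wrapping KDF are assumptions. What it demonstrates is why the public key left in the footer does not help the victim: unwrapping the file key needs the operator’s private key, which never touches the host.

```python
import hashlib
import os

# --- Minimal X25519 (RFC 7748), pure Python so the demo runs stand-alone ---
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 (Montgomery ladder from RFC 7748)."""
    k = _clamp(scalar)
    x1 = int.from_bytes(bytes(u[:31]) + bytes([u[31] & 127]), "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in file cipher (SHA-256 in counter mode). Illustrative only; the
    report does not identify Devman's symmetric cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "little")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def lock_file(plaintext: bytes, operator_pub: bytes) -> bytes:
    """Per file: fresh 32-byte key, wrapped under an ECDH secret derived from an
    ephemeral key pair and the operator's public key. Footer = wrapped key ||
    ephemeral public key (assumed layout). The ephemeral private key is dropped."""
    file_key = os.urandom(32)
    eph_priv = os.urandom(32)
    eph_pub = x25519(eph_priv, BASEPOINT)
    kek = hashlib.sha256(x25519(eph_priv, operator_pub)).digest()
    wrapped = bytes(a ^ b for a, b in zip(file_key, kek))
    return keystream_xor(file_key, plaintext) + wrapped + eph_pub


def unlock_file(blob: bytes, operator_priv: bytes) -> bytes:
    """What the operator's decryptor does: rebuild the shared secret from the
    footer's ephemeral public key and the operator's private key."""
    body, wrapped, eph_pub = blob[:-64], blob[-64:-32], blob[-32:]
    kek = hashlib.sha256(x25519(operator_priv, eph_pub)).digest()
    file_key = bytes(a ^ b for a, b in zip(wrapped, kek))
    return keystream_xor(file_key, body)


if __name__ == "__main__":
    op_priv = os.urandom(32)                 # stays with the operator
    op_pub = x25519(op_priv, BASEPOINT)      # embedded in the locker binary
    blob = lock_file(b"quarterly-ledger.xlsx contents", op_pub)
    print("footer ephemeral pubkey:", blob[-32:].hex())
    print("recovered:", unlock_file(blob, op_priv))
```

Because each file carries its own ephemeral public key, recovering one file key tells you nothing about the next, and the only secret that unlocks every file is `op_priv`. For triage, the practical check is whether a sample embeds a static Curve25519 public key and writes a 64-byte trailer of this shape.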

C. Kryptos: The Insider Specialist

  • Primary Function: Initial Access Brokerage (IAB)
  • TTPs:
    • Recruitment: Actively markets to disgruntled employees on Telegram and Dark Web forums, offering revenue shares (up to 70-80%) in exchange for valid VPN, SSH, or RDP credentials.
    • Access Handoff: Verifies credentials and creates “backdoor” accounts (often with UID=0 on Linux systems or Domain Admin privileges on Windows) before handing access to the encrypting partners.

D. Nova: The Compromised Node

  • Status: Compromised / Volatile
  • Intel Note: In early December, a rival faction (CBSecurity) leaked Nova’s internal source code and affiliate lists. Despite this, Nova remains active in the alliance, likely rebranding its infrastructure to mitigate the leak’s impact. Analysts should watch for rapid changes in Nova’s binary signatures as they retool.

3. Indicators of Compromise (IOCs)

File Artifacts & Extensions

  • Devman Extension: <8_random_chars>.devmanv1
  • Ransom Notes: README.devmanv1.txt, RECOVERY_STORM.txt
  • Malicious Scripts: Python scripts named similarly to dataloader_export.py or utilizing Salesforce API calls from non-standard user agents.

Network Indicators

  • C2 Traffic: Outbound connections to Tor hidden services (Onion addresses) associated with the Stormous leak site.
  • Exfiltration:
    • Anomalous spikes in outbound traffic to Salesforce APIs (*.salesforce.com) or AWS S3 buckets not owned by the organization.
    • SSH connections initiated from unexpected internal IPs (indicative of Kryptos/insider access).

Behavioral Detection

  • Process Priority: Monitoring for processes programmatically raising their own priority class to HIGH_PRIORITY_CLASS or REALTIME_PRIORITY_CLASS (for example via SetPriorityClass).
  • Shadow Copy Deletion: Alerts for vssadmin.exe delete shadows /all /quiet and its WMI/PowerShell equivalents (wmic shadowcopy delete, Win32_ShadowCopy objects deleted from PowerShell).
  • OAuth Grants: New OAuth applications granted “Full Access” or “Data Export” scopes without change management approval.
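The three behavioral detections above, plus the Kryptos “extra UID 0 account” check from section 2C, as an added example written for this report (not code from any vendor or from the groups described). It runs simple rules over constructed telemetry; the event schema is an assumption modelled loosely on Sysmon process-creation events, an EDR priority-change event (Sysmon itself does not record SetPriorityClass calls), and a generic OAuth-grant audit record, and the set of “broad” OAuth scopes is a placeholder for your own policy. Hosts that trip more than one rule are escalated, since shadow-copy deletion followed by a self-elevated process on the same host is the pre-encryption pattern rather than a lone admin command.

```python
import re
from collections import defaultdict

# Constructed telemetry (not real logs); schema is an assumption.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "FS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet", "parent": r"C:\Users\Public\svc.exe"},
    {"type": "process_create", "host": "FS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
     "parent": r"C:\Users\Public\svc.exe"},
    {"type": "process_create", "host": "FS01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete", "parent": "cmd.exe"},
    {"type": "priority_change", "host": "FS01", "image": r"C:\Users\Public\svc.exe",
     "priority_class": "HIGH_PRIORITY_CLASS", "self": True},
    {"type": "priority_change", "host": "WS22", "image": r"C:\Program Files\Video\encoder.exe",
     "priority_class": "NORMAL_PRIORITY_CLASS", "self": True},
    {"type": "process_create", "host": "WS22", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows", "parent": "cmd.exe"},   # benign: listing, not deleting
    {"type": "oauth_grant", "tenant": "corp", "app": "DataSync Helper",
     "scopes": ["full", "api", "refresh_token"], "change_ticket": None},
    {"type": "oauth_grant", "tenant": "corp", "app": "HR Connector",
     "scopes": ["openid", "email"], "change_ticket": "CHG-4411"},
]

# Constructed /etc/passwd excerpt with a second UID 0 login planted.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup-svc:x:0:0:backup:/var/tmp:/bin/bash
jsmith:x:1001:1001::/home/jsmith:/bin/bash
"""

SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*?(\.delete\(|remove-wmiobject|remove-ciminstance)",
    re.IGNORECASE,
)
ELEVATED_PRIORITY = {"HIGH_PRIORITY_CLASS", "REALTIME_PRIORITY_CLASS"}
BROAD_OAUTH_SCOPES = {"full", "api", "refresh_token", "web"}  # assumed policy: needs a ticket


def rule_shadow_copy_deletion(ev):
    return ev["type"] == "process_create" and bool(SHADOW_DELETE.search(ev["cmdline"]))


def rule_self_elevated_priority(ev):
    return ev["type"] == "priority_change" and ev["self"] and ev["priority_class"] in ELEVATED_PRIORITY


def rule_unapproved_broad_oauth(ev):
    return ev["type"] == "oauth_grant" and not ev["change_ticket"] and bool(BROAD_OAUTH_SCOPES & set(ev["scopes"]))


RULES = [
    ("shadow_copy_deletion", rule_shadow_copy_deletion),
    ("self_elevated_priority", rule_self_elevated_priority),
    ("unapproved_broad_oauth", rule_unapproved_broad_oauth),
]


def run_rules(events):
    """Return (rule_name, where, subject) for every event that matches a rule."""
    alerts = []
    for ev in events:
        where = ev.get("host") or ev.get("tenant")
        subject = ev.get("image") or ev.get("app")
        for name, rule in RULES:
            if rule(ev):
                alerts.append((name, where, subject))
    return alerts


def hosts_with_multiple_signals(alerts):
    """Escalate hosts/tenants where two or more distinct rules fired."""
    seen = defaultdict(set)
    for name, where, _ in alerts:
        seen[where].add(name)
    return {where for where, names in seen.items() if len(names) >= 2}


def find_extra_uid0_accounts(passwd_text):
    """Kryptos-style backdoor: any login other than root carrying UID 0."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


if __name__ == "__main__":
    alerts = run_rules(SAMPLE_EVENTS)
    for alert in alerts:
        print(alert)
    print("escalate:", hosts_with_multiple_signals(alerts))
    print("extra uid0:", find_extra_uid0_accounts(SAMPLE_PASSWD))
```

On the sample data FS01 is escalated (three shadow-copy deletions plus a self-elevated process from the same `svc.exe`), the `vssadmin list shadows` on WS22 is ignored, and only the ticket-less broad OAuth grant is raised. The passwd check is cheap enough to run from configuration management on every Linux host; pair it with a Windows query for recent additions to the Domain Admins group.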

4. Victimology & Impact

The alliance concentrates on Double and Triple Extortion:

  1. Encryption: Devman locks the on-premise servers.
  2. Cloud Leak: Coinbase Cartel threatens to release cloud-hosted customer databases.
  3. Insider Pressure: Kryptos leverages insider knowledge to identify the most damaging data to leak.

Targeted Sectors:

  • Transportation & Logistics (High value for Coinbase Cartel)
  • Healthcare (Targeted by Devman/Stormous)
  • Education & Non-Profits (Targeted by Nova)