Stormous ransomware gang takes credit for attack on Belgian brewer Duvel


The Stormous ransomware gang has taken credit for an attack on a major Belgian beer producer this week.

The ransomware attack on Duvel Moortgat Brewery has affected operations for days. Local news outlets and BleepingComputer reported on Wednesday that Duvel’s IT department detected the attack and shut down production lines.

Spokesperson Ellen Aerts told reporters that they are “still working to find out exactly what happened.

“We have decided to switch off our servers and as a result production is at a standstill at all our Belgian sites and at our site in the United States,” she said. “We are confident that we will be able to restart production soon. In the meantime, there is enough stock, so Duvel drinkers don’t have to worry.”

The company was added to Stormous’ leak site on Thursday, with the group claiming to have stolen 88 gigabytes of data from Duvel. The gang gave the brewer a deadline of March 25 to pay the ransom.

The company did not respond to requests for comment about the situation.

The incident comes amid growing interest in Stormous ransomware following their announced alliance with GhostSec, a financially-motivated hacking group conducting single- and double-extortion attacks that has ramped up its activity over the last year, according to Cisco Talos.

Researchers published a report this week about the alliance between the two groups, finding that they are “operating together to conduct… double extortion attacks” on victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkey, Egypt, Vietnam, Thailand and Indonesia.

GhostSec has also been active on its Telegram channel in highlighting its attacks on Israel’s industrial systems, critical infrastructure and technology companies.

In recent months the group has claimed to be part of an alliance called the “Five Families” — which includes the hacking groups ThreatSec, Stormous, Blackforums and SiegedSec.

“Their claims also showed us that their primary focus is raising funds for hacktivists and threat actors through their cybercriminal activities,” Cisco researchers said.

GhostSec began to collaborate with the Stormous ransomware gang in July 2023 in several alleged attacks on government organizations in Cuba. By October, the two groups announced a partnership and GhostSec unveiled a new ransomware-as-a-service operation called GhostLocker.

Since then, the groups have collaborated on several attacks while evolving their offerings to include methods for independent hackers to use their platform to simply sell or publish stolen data.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

