Ransomware Group: STORMOUS

VICTIM NAME: nirvanahotels[.]com[.]tr

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the STORMOUS Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware leak page associated with the hospitality enterprise, operating under the domain nirvanahotels.com.tr, publicly disclosed a significant data breach involving approximately 40GB of sensitive information. The attack was identified on May 21, 2025, and appears to have targeted internal hotel data, including full names of guests, email addresses (both internal and external), customer complaints, feedback content, booking or reference numbers, and internal communication records. The breach exposes the potential for compromising guest privacy and internal hotel operations, emphasizing the importance of cybersecurity measures in the hospitality sector.

The cybercriminal group responsible for the attack, identified as Stormous, uploaded a screenshot of the compromised data, depicting internal files and communications. They also provided a claim URL hosted on an onion site, indicating the leak’s availability on the dark web. The stolen data may be used for further malicious activities, including identity theft, extortion, or reputational damage to the hotel chain. Although no evidence of third-party involvement or organizational insiders was noted, the attack underscores the vulnerability of hospitality networks to ransomware threats. The affected hotel chain is located in Turkey, and the breach could impact both the company’s operations and its guests’ privacy.