Low Unverified

Katholiek Amersfoort Ransomware by Stormous (June 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Claim Summary

On June 2, 2026, the ransomware group Stormous allegedly added the Dutch Catholic organization Katholiek Amersfoort (katholiekamersfoort.nl) to its leak site. According to the threat actor, the group breached the church’s network and exfiltrated over 10 GB of data. The claimed stolen data includes databases containing Personally Identifiable Information (PII), internal network shares, documents, contact lists, and board and committee data. The group further claims the compromised records pertain to donors, staff, and a large number of individuals associated with the organization. This report is based solely on the threat actor’s unverified claims.

Threat Actor Profile

Stormous is a ransomware group that first emerged in 2022, known for targeting organizations across multiple sectors, including education, healthcare, and non-profits. The group has historically operated as a ransomware-as-a-service (RaaS) affiliate, though its operational security and victim count remain poorly documented. Stormous has previously claimed attacks on small-to-medium enterprises and religious institutions, often using double extortion tactics: encrypting files and threatening to leak stolen data.

The group’s known tools and tactics are not well documented in public research. However, based on historical patterns, Stormous has been observed using:

  • Initial access via phishing campaigns or exploiting unpatched vulnerabilities.
  • Data exfiltration using tools like Rclone or custom scripts.
  • Encryption using a variant of the Babuk ransomware source code, which was leaked in 2021.

No YARA rules or specific detection guidance for Stormous are publicly available at this time. Yazoul Security analysts caution that the group’s credibility is low due to a lack of consistent victim verification and a history of exaggerated claims.

Alleged Data Exposure

According to the threat actor, the following data categories were allegedly exfiltrated from Katholiek Amersfoort’s network:

  • Databases and PII: Donor records, staff files, and personal information of individuals associated with the church.
  • Internal Network Shares: Documents, spreadsheets, and internal communications.
  • Contact Lists: Email addresses, phone numbers, and mailing lists.
  • Board and Committee Data: Meeting minutes, strategic plans, and governance documents.
  • System Metadata: Network configurations, server logs, and software inventories.

The total volume of claimed data is 10 GB. This volume is relatively small compared to typical ransomware breaches, which may indicate a limited scope or a targeted exfiltration of high-value data. However, the group has not provided samples or proof of the data’s authenticity, which is common for low-credibility actors.

Potential Impact

If the claims are verified, the potential impact on Katholiek Amersfoort includes:

  • Privacy Violations: Exposure of donor and staff PII could lead to identity theft, phishing attacks, or reputational harm.
  • Regulatory Consequences: As a Dutch organization, Katholiek Amersfoort may be subject to GDPR obligations. A data breach involving PII could result in fines from the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).
  • Operational Disruption: The alleged network compromise could disrupt church operations, including financial management, donor communications, and administrative functions.
  • Trust Erosion: Donors and community members may lose confidence in the organization’s ability to protect sensitive data.

Given the group’s questionable track record, the actual impact may be lower than claimed. However, organizations in the Dutch religious and education sectors should remain vigilant.

What to Watch For

  • Leak Site Updates: Monitor Stormous’s leak site for any posted data samples or full archives. If samples appear, verify their authenticity before taking action.
  • Phishing Campaigns: If PII is leaked, affected individuals may receive targeted phishing emails. Advise staff and donors to be cautious of unsolicited communications.
  • Regulatory Notifications: The organization should prepare to notify the Dutch Data Protection Authority if the breach is confirmed.
  • Network Forensics: Conduct internal investigations to identify the initial access vector and assess whether any systems remain compromised.

Disclaimer

This report is based on unverified claims made by the ransomware group Stormous. Yazoul Security has not independently confirmed the breach, data exfiltration, or any details provided by the threat actor. Ransomware groups routinely exaggerate or fabricate claims to pressure victims into paying ransoms. All information should be treated as preliminary and subject to verification. No PII, download links, or access credentials are included in this report. Organizations should consult with their cybersecurity teams before taking any action based on these claims.
