On May 9, 2026, the Stormous ransomware group published a 33GB data dump exfiltrated from AMS Group (ams-group.co.uk), a UK-based engineering and construction services firm. The leak, confirmed by Lyrie Threat Intelligence on May 10, 2026, exposes a comprehensive cross-section of the firm's administrative, financial, and operational records, including architectural designs and site layouts tied to live construction projects.
What Happened
Stormous, an emerging Ransomware-as-a-Service (RaaS) operation, announced the breach through its public leak site and provided evidence of both encryption and exfiltration. The full 33GB archive was made available for download, indicating that ransom negotiations either failed or were never initiated.
AMS Group operates in the engineering and construction services sector, supporting projects across the United Kingdom. The volume and diversity of the exfiltrated material suggest either prolonged unauthorized access to the network or the compromise of a single centralized file repository that housed the bulk of the firm's operational documentation.
Stormous has been steadily increasing its operational tempo throughout 2026, targeting mid-market and enterprise organizations operating adjacent to critical infrastructure sectors.
What Was Taken
The exposed dataset spans nearly every facet of AMS Group's operations:
- Administrative and financial records
- Payroll sheets and employee personal information
- Client and partner directories
- Technical and engineering specifications
- Business plans and strategic documents
- Architectural designs and blueprints
- Official contracts and service agreements
- Detailed engineering reports
- Construction site maps and facility layouts
- Risk assessments and compliance documentation
- Internal correspondence and communications
- Tax and legal records
The presence of site maps, blueprints, and engineering specifications elevates this beyond a typical corporate data theft, transforming it into a potential physical-security intelligence trove for any downstream buyer.
Why It Matters
Engineering and construction firms occupy a quiet but critical position in the infrastructure supply chain. They hold the design and as-built documentation for buildings, plants, and facilities, often without the security scrutiny applied to software vendors or managed service providers.
The AMS Group leak creates two compounding risk vectors. First, supply chain reconnaissance: threat actors and APT groups oriented toward critical infrastructure or OT environments can harvest construction timelines, site layouts, and architectural designs for both cyber and physical attack planning. Second, identity weaponization: employee directories and payroll data offer ready-made targeting lists for phishing, business email compromise, and impersonation campaigns against AMS Group's clients and partners.
For clients whose project data sits inside the dump, the breach is effectively a third-party incident that requires its own incident response, not just a vendor notification.
The Attack Technique
Stormous has not published technical specifics around initial access. However, the volume and category breadth of the exfiltrated data are consistent with prolonged dwell time and broad lateral movement, or with the compromise of a centralized document management system such as a file server, SharePoint instance, or project collaboration platform.
Stormous affiliates have historically leveraged phishing, exposed remote access services, and known vulnerabilities in perimeter appliances to gain initial footholds. The absence of public partial-leak teasers prior to the full 33GB dump suggests negotiations were short-lived or absent.
What Organizations Should Do
- AMS Group clients and partners should treat any shared project data, contracts, or correspondence as compromised and review exposed materials for sensitive intellectual property, credentials, or facility details.
- Audit third-party engineering and construction vendors for security posture, including how they store blueprints, site plans, and project documentation. Apply contractual data-handling requirements equivalent to those imposed on software suppliers.
- Harden centralized document repositories with MFA, conditional access, anomaly detection on bulk downloads, and data loss prevention controls. Segment legacy file servers from general user populations.
- Hunt for Stormous TTPs across perimeter VPN appliances, exposed RDP, and Exchange instances. Review egress logs for unusual outbound transfers exceeding normal baselines.
- Rotate credentials and review identity exposure for any employees named in the dump, and enroll exposed identities in enhanced phishing and BEC monitoring.
- Brief physical security teams on facilities whose layouts may be in the leak so they can adjust access controls, surveillance posture, and incident response plans accordingly.
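The two detection controls recommended above, anomaly detection on bulk downloads from a document repository and review of egress volume against a per-user baseline, are straightforward to prototype before they are pushed into a SIEM. The script below is an added example written for this page; it is not code from the report, from AMS Group, or from any vendor. The log format, the sample lines, the 10-minute window and five-file threshold, and the median-based egress baseline are all assumptions chosen for illustration and should be tuned to real traffic.

```python
"""Prototype detections for bulk repository reads and egress spikes.

Added example, not part of the original report. The log format, the
sample events below, and every threshold are assumptions for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real capture). One event per line:
#   <ISO timestamp> <user> <read|egress> <bytes> <path or destination>
# "read" is a file read on the document repository; "egress" is an
# outbound transfer seen at the proxy or firewall.
SAMPLE_LOG = """\
2026-04-28T09:05:00Z alice read 200000 /projects/site-a/plan.dwg
2026-04-28T10:15:00Z alice read 350000 /projects/site-a/spec.pdf
2026-04-28T14:00:00Z alice egress 550000 mail.example.net
2026-04-29T09:10:00Z alice read 180000 /projects/site-b/layout.dwg
2026-04-29T16:20:00Z alice egress 600000 mail.example.net
2026-04-30T11:00:00Z alice read 240000 /hr/payroll-q1.xlsx
2026-04-30T17:30:00Z alice egress 480000 mail.example.net
2026-05-02T02:10:00Z alice read 400000 /projects/site-a/plan.dwg
2026-05-02T02:11:00Z alice read 380000 /projects/site-a/spec.pdf
2026-05-02T02:12:00Z alice read 900000 /projects/site-b/layout.dwg
2026-05-02T02:13:00Z alice read 700000 /hr/payroll-q1.xlsx
2026-05-02T02:14:00Z alice read 650000 /contracts/client-x.pdf
2026-05-02T02:15:00Z alice read 820000 /finance/ledger-2025.xlsx
2026-05-02T02:40:00Z alice egress 4200000000 198.51.100.10
2026-05-02T09:00:00Z bob read 150000 /projects/site-c/notes.docx
2026-05-02T09:30:00Z bob egress 200000 mail.example.net
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, direction, nbytes, target = line.split(maxsplit=4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "direction": direction,
            "bytes": int(nbytes),
            "target": target,
        })
    return events


def bulk_download_alerts(events, window=timedelta(minutes=10), max_files=5):
    """Flag a user who reads more than max_files distinct files within any window.

    A sliding window over each user's reads; one alert per user is enough
    to start triage. Returns (user, window start, distinct file count).
    """
    reads = defaultdict(list)
    for e in events:
        if e["direction"] == "read":
            reads[e["user"]].append(e)
    alerts = []
    for user, evs in reads.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["target"] for e in evs[start:end + 1]}
            if len(distinct) > max_files:
                alerts.append((user, evs[start]["ts"], len(distinct)))
                break
    return alerts


def egress_alerts(events, factor=5.0, min_history_days=2):
    """Flag a day on which a user's outbound bytes exceed factor x their own median.

    The baseline is the median of that user's earlier days, so a single
    noisy day does not drag it up. Users with too little history are skipped
    rather than compared against a global number. Returns
    (user, date, bytes that day, baseline).
    """
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["direction"] == "egress":
            daily[e["user"]][e["ts"].date()] += e["bytes"]
    alerts = []
    for user, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history_days:
                continue
            baseline = statistics.median(history)
            if per_day[day] > factor * baseline:
                alerts.append((user, day, per_day[day], baseline))
    return alerts


def run(text=SAMPLE_LOG):
    """Run both detections over a log and return their alerts."""
    events = parse_log(text)
    return bulk_download_alerts(events), egress_alerts(events)


if __name__ == "__main__":
    bulk, egress = run()
    for user, when, n in bulk:
        print(f"BULK   {user}: {n} distinct files read from {when:%Y-%m-%d %H:%M}")
    for user, day, total, base in egress:
        print(f"EGRESS {user}: {total} bytes on {day}, baseline {base:.0f}")
```

On the constructed log the first detector fires once, for the six distinct files read by alice in the early hours of 2 May, and the second fires for the same user's 4.2 GB transfer that day against a baseline of roughly 550 KB; bob, with one day of history, is skipped rather than compared against someone else's baseline. In production the same logic runs over SharePoint audit logs or file-server access logs for the first detector and over proxy or NetFlow summaries for the second, with thresholds set from observed traffic rather than the illustrative numbers above.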