Joint Ransomware Attacks are Being Launched by GhostSec and Stormous in 15+ Nations
Joint Ransomware Attacks are Being Launched by GhostSec and Stormous in 15+ Nations
GhostSec, a cybercriminal organization, has been associated with GhostLocker, a Golang version of the ransomware family.
A report shared with The Hacker News stated, “TheGhostSec and Stormous ransomware groups are collaborating to execute double extortion ransomware attacks across multiple countries and business verticals,” according to Cisco Talos researcher Chetan Raghuprasad.
“GhostLocker and Stormous ransomware has launched a fresh ransomware-as-a-service (RaaS) program, STMX_GhostLocker, giving multiple choices for their affiliates.”
The group has conducted assaults against individuals and entities in Vietnam, Thailand, Indonesia, Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkey, Egypt, Vietnam, and Thailand.
Industry sectors that have been significantly influenced consist of real estate, technology, education, manufacturing, government, transportation, energy, medical, and energy.
GhostSec, which is not to be confounded with Ghost Security Group (also known as GhostSec), is a member of The Five Families coalition alongside ThreatSec, Stormous, Blackforums, and SiegedSec.
The organization was established in August 2023 to “build greater unity and ties among all people in the dark corners of the internet, and to further develop our work and operations.”
The cybercrime syndicate introduced GhostLocker, a ransomware-as-a-service (RaaS), towards the end of the previous year, charging other actors $269.99 per month. The Stormous ransomware group subsequently declared that it would employ Python-based ransomware in its cyberattacks.
According to the most recent discoveries from Talos, the two groups have allied to not only attack a variety of industries but also to release an updated version of GhostLocker in November 2023 and launch a new RaaS program dubbed STMX_GhostLocker in 2024.
“The fresh scheme consists up of three distinct kinds of goods and services for the affiliates: paid, free, and a different one for the people without a program who only are interested in selling or publishing data on their blog (PYV service),” Raghuprasad stated.
The dark web breach site associated with STMX_GhostLocker lists at least six victims hailing from Argentina, Uzbekistan, Indonesia, Poland, and Thailand.
Go-based GhostLocker 2.0 (also referred to as GhostLocker V2) is purportedly fully functional and provides rapid encryption and decryption capabilities. Additionally, the ransom note has been updated to urge victims to contact the perpetrators within seven days, failing which they will expose the stolen data.
The RaaS model additionally provides affiliates with the capability to oversee their payments, encryption status, and operations via a web-based interface. Additionally, they are furnished with a constructor that enables them to personalize the locker payload by specifying the directories to be encrypted, as well as the processes and services to be terminated before initiating the encryption procedure.
After being deployed, the ransomware initiates communication with a command-and-control (C2) interface and initiates an encryption routine. However, this does not occur until the specified processes or services have been terminated and files that match a particular list of extensions have been exfiltrated.
Talos reported discovering two additional tools that GhostSec probably employed to compromise legitimate websites. “Among them is the ‘GhostSec Deep Scan toolset,’ which recursively scans legitimate websites, and the ‘GhostPresser’ hacking tool, which executes cross-site scripting (XSS) attacks,” Raghuprasad explained.
GhostPresser serves as a primary infiltration tool for WordPress sites, enabling malicious actors to modify configuration files and introduce fresh themes, plugins, and users — illustrative of GhostSec’s dedication to advancing its toolkit.
“Although the group asserts that it was utilized in assaults against victims, we are unable to verify any of those assertions. The ransomware operators would most likely employ this software for a multitude of purposes,” Talos informed News4Hackers.
“The thorough scan tool could be exploited to search for methods into the networks of victims and the GhostPresser tool, in addition to hacking victim websites, could be employed to set up payloads for distribution, if they were unwilling to employ actor infrastructure.”
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.
About Author
English