Alert: GhostSec and Stormous Launch Joint Ransomware Attacks in Over 15 Countries
The cybercrime group called GhostSec has been linked to a Golang variant of a ransomware family called GhostLocker.
“TheGhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries,” Cisco Talos researcher Chetan Raghuprasad said in a report shared with The Hacker News.
“GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program STMX_GhostLocker, providing various options for their affiliates.”
Attacks mounted by the group have targeted victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand, and Indonesia.
Some of the most impacted business verticals include technology, education, manufacturing, government, transportation, energy, medicolegal, real estate, and telecom.
GhostSec – not to be confused with Ghost Security Group (which is also called GhostSec) – is part of a coalition called The Five Families, which also includes ThreatSec, Stormous, Blackforums, and SiegedSec.
It was formed in August 2023 to “establish better unity and connections for everyone in the underground world of the internet, to expand and grow our work and operations.”
Late last year, the cybercrime group ventured into ransomware-as-a-service (RaaS) with GhostLocker, offering it to other actors for $269.99 per month. Soon after, the Stormous ransomware group announced that it will use Python-based ransomware in its attacks.
The latest findings from Talos show that the two groups have banded together to not only strike a wide range of sectors, but also unleash an updated version of GhostLocker in November 2023 as well as start a new RaaS program in 2024 called STMX_GhostLocker.
“The new program is made up of three categories of services for the affiliates: paid, free, and another for the individuals without a program who only want to sell or publish data on their blog (PYV service),” Raghuprasad explained.
STMX_GhostLocker, which comes with its own leak site on the dark web, lists no less than six victims from India, Uzbekistan, Indonesia, Poland, Thailand, and Argentina.
GhostLocker 2.0 (aka GhostLocker V2) is written in Go and has been advertised as fully effective and offering speedy encryption/decryption capabilities. It also comes with a revamped ransom note that urges victims to get in touch with them within seven days or risk getting their stolen data leaked.
The RaaS scheme also allows affiliates to track their operations, monitor encryption status, and payments through a web panel. They are also provided with a builder that makes it possible to configure the locker payload according to their preferences, including the directories to encrypt and the processes and services to be terminated before commencing the encryption process.
Once deployed, the ransomware establishes connection with a command-and-control (C2) panel and proceeds with encryption routine, but not before killing the defined processes or services and exfiltrating files matching a specific list of extensions.
Talos said it discovered two new tools likely used by GhostSec to compromise legitimate sites. “One of them is the ‘GhostSec Deep Scan toolset’ to scan legitimate websites recursively, and another is a hack tool to perform cross-site scripting (XSS) attacks called “GhostPresser,'” Raghuprasad said.
GhostPresser is mainly designed to break into WordPress sites, allowing the threat actors to alter site settings, add new plugins and users, and even install new themes, demonstrating GhostSec’s commitment to evolving its arsenal.
“The group themselves has claimed they’ve used it in attacks on victims, but we don’t have any way to validate any of those claims. This tooling would likely be used by the ransomware operators for a variety of reasons,” Talos told The Hacker News.
“The deep scan tool could be leveraged to look for ways into victim networks and the GhostPresser tool, in addition to compromising victim websites, could be used to stage payloads for distribution, if they didn’t want to use actor infrastructure.”