GhostSec, an infamous cybercrime syndicate, has been identified as the mastermind behind a variant of ransomware dubbed GhostLocker. Teaming up with the Stormous ransomware group, they’ve been orchestrating double extortion ransomware assaults on numerous businesses across several countries. This revelation stems from a report by Cisco Talos researcher Chetan Raghuprasad. Not stopping there, GhostLocker and Stormous have initiated a new ransomware-as-a-service initiative named STMX_GhostLocker, which provides a range of options for their affiliates.

Their targets span a multitude of countries including Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkey, Egypt, Vietnam, Thailand, and Indonesia. Industries such as technology, education, manufacturing, government, transportation, energy, medicolegal, real estate, and telecom have borne the brunt of their onslaught.

GhostSec operates within an alliance dubbed The Five Families, alongside ThreatSec, Stormous, Blackforums, and SiegedSec. Established in August 2023, the coalition aimed to foster better cohesion and closer networks among groups operating in the criminal underground.

In a daring move in late 2023, GhostSec delved into ransomware-as-a-service, peddling GhostLocker to other actors for a monthly fee. Concurrently, Stormous announced their foray into Python-based ransomware. Recent revelations from Talos indicate that the two factions have combined forces to target diverse sectors and unveiled an updated GhostLocker version in November 2023. Additionally, they’ve rolled out a fresh RaaS venture named STMX_GhostLocker in 2024.

STMX_GhostLocker offers three tiers of services for affiliates: paid, free, and a service tailored for individuals solely interested in selling or publishing data on their blog (PYV service). This program operates its own leak site on the dark web, having already listed six victims from India, Uzbekistan, Indonesia, Poland, Thailand, and Argentina.

GhostLocker 2.0, or GhostLocker V2, is coded in Go, boasts swift encryption and decryption, and is touted as highly efficient. It carries a revamped ransom note urging victims to contact the attackers within seven days to forestall the leaking of their data.

The RaaS setup furnishes affiliates with a web panel for tracking operations, monitoring encryption status, and managing payments. Additionally, they gain access to a builder enabling customization of the locker payload, including encryption targets and processes to terminate prior to encryption.

Talos researchers have unearthed two new tools likely employed by GhostSec to infiltrate legitimate websites. The first, GhostSec Deep Scan, is used for recursive website scanning. The second, GhostPresser, is a hack tool facilitating cross-site scripting (XSS) attacks, predominantly against WordPress sites. GhostPresser enables threat actors to manipulate site configurations, add plugins and users, and install new themes, underscoring GhostSec's commitment to evolving their modus operandi.

Though the group claims to have used these tools in attacks, those claims remain unverified. Nonetheless, Talos posits that the deep scan tool could be leveraged to uncover vulnerabilities in victim networks, while GhostPresser could serve to stage payloads for distribution without relying on the group's own infrastructure.