Cybercriminals have developed an enhanced version of the notorious GhostLocker ransomware that they are deploying in attacks across the Middle East, Africa, and Asia.
Two ransomware groups, GhostSec and Stormous, have joined forces in the attack campaigns, using the new GhostLocker 2.0 in double-extortion ransomware attacks to infect organizations in Lebanon, Israel, South Africa, Turkey, Egypt, India, Vietnam, and Thailand, among other locations.
Technology companies, universities, manufacturing, transportation, and government organizations are bearing the brunt of the attacks, which try to extort victims into paying for the decryption keys needed to unscramble data rendered inaccessible by the file-encrypting malware. The attackers also threaten to release the stolen sensitive data unless the victims pay them hush money, according to researchers at Cisco Talos, who discovered the new malware and cyberattack campaign.
RaaS al Ghoul
Both the GhostLocker and Stormous ransomware groups have launched a revised ransomware-as-a-service (RaaS) program called STMX_GhostLocker, offering various options for their affiliates.
The GhostSec and Stormous groups announced their data theft on their Telegram channels and on the Stormous ransomware data leak site.
In a technical blog post this week, Cisco Talos said GhostSec is attacking Israel's industrial systems, critical infrastructure, and technology companies. Intended victims include the Israeli Ministry of Defense, but the group's motives appear to be primarily profit-driven rather than aimed at kinetic sabotage.
Chats in the group's Telegram channel suggest the group is motivated (at least in part) by a desire to raise funds for hacktivists and threat actors. The group's chosen moniker GhostSec resembles that of the well-known hacktivist crew Ghost Security Group, an outfit known for targeting pro-ISIS websites and for other cyberattacks, but any connection remains unconfirmed.
The Stormous gang added the GhostLocker ransomware program to its existing StormousX program following a successful joint operation against Cuban ministries last July.
XSS Marks the Spot
GhostSec appears to be conducting attacks against corporate websites, including a national railway operator in Indonesia and a Canadian energy supplier. Cisco Talos reports that the group may be using its GhostPresser tool in conjunction with cross-site scripting (XSS) attacks against vulnerable websites.
The ransomware kingpins are offering a newly developed GhostSec deep scan toolset that would-be attackers can use to scan the websites of their potential targets.
The Python-based tool contains placeholders for specific functions, including the potential ability to scan for specific vulnerabilities (by CVE number) on targeted websites. The promised functionality indicates "GhostSec's continuous evolution of tools in their arsenal," according to Cisco Talos. Security researchers report that the malware's developers are referencing "ongoing work" on "GhostLocker v3" in their chats.
Ghost in the Shell
GhostLocker 2.0 encrypts files on the victim's machine using the file extension .ghost before dropping and opening a ransom note. Victims are warned that stolen data will be leaked unless they contact the ransomware operators before a seven-day deadline expires.
GhostLocker ransomware-as-a-service affiliates have access to a control panel that lets them monitor the progress of their attacks, which are automatically registered on the dashboard. The GhostLocker 2.0 command-and-control server resolves to a geolocation in Moscow, a similar setup to earlier versions of the ransomware.
Paying affiliates gain access to a ransomware builder that can be configured with various options, including the target list for encryption. The developers have configured the ransomware to exfiltrate and encrypt files with the extensions .doc, .docx, .xls and .xlsx (i.e., Word-created document files and spreadsheets).
The latest version of GhostLocker was written in the Go programming language, unlike the previous version, which was developed in Python. The functionality remains similar, however, according to Cisco Talos. One difference in the new version: it doubles the encryption key length from 128 to 256 bits.
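The two observable traits described above, the .ghost extension appended to encrypted files and the focus on .doc, .docx, .xls and .xlsx documents, are enough to build a simple post-incident triage check. The following Python script is an added example written for this article; it is not code from Cisco Talos, GhostSec or the GhostLocker project. It assumes the encrypted file keeps its original name with .ghost appended (the article names only the extension, so that naming pattern is an assumption), and the directory listing it works on is constructed for the example.

```python
"""Triage helper for a GhostLocker-style encryption event.

Classifies a file listing by whether files carry the .ghost extension
(encrypted) and whether the underlying document is one of the Office
types the article says the ransomware targets. The aggregated ratio of
encrypted-to-intact Office documents gives a crude "mass encryption"
signal that is useful when scoping an incident on a file share.

Assumptions (not stated on the page): the encrypted file is named
<original name>.ghost. The sample listing below is constructed.
"""
import os
import sys
from collections import Counter
from pathlib import PurePosixPath

# Extensions the article says GhostLocker 2.0 exfiltrates and encrypts.
TARGETED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx"}
# Extension the article says GhostLocker 2.0 appends to encrypted files.
ENCRYPTED_SUFFIX = ".ghost"

# Constructed sample: what a file-share listing might look like after a run.
SAMPLE_LISTING = [
    "shares/finance/q1_budget.xlsx.ghost",
    "shares/finance/vendors.docx.ghost",
    "shares/hr/handbook.doc.ghost",
    "shares/hr/org_chart.pdf.ghost",
    "shares/it/runbook.docx",
    "shares/it/backup.tar.gz",
    "shares/legal/contract.xls.ghost",
]


def classify(path):
    """Return one of: encrypted_office, encrypted_other, intact_office, other."""
    p = PurePosixPath(path)
    if p.suffix.lower() == ENCRYPTED_SUFFIX:
        # Strip the .ghost suffix to recover the original name (assumed pattern)
        # and look at the extension underneath it.
        original = PurePosixPath(p.stem)
        if original.suffix.lower() in TARGETED_EXTENSIONS:
            return "encrypted_office"
        return "encrypted_other"
    if p.suffix.lower() in TARGETED_EXTENSIONS:
        return "intact_office"
    return "other"


def triage(paths):
    """Aggregate a listing into counts plus the share of Office docs encrypted."""
    counts = Counter(classify(p) for p in paths)
    encrypted_office = counts["encrypted_office"]
    intact_office = counts["intact_office"]
    office_total = encrypted_office + intact_office
    ratio = encrypted_office / office_total if office_total else 0.0
    return {
        "encrypted_office": encrypted_office,
        "encrypted_other": counts["encrypted_other"],
        "intact_office": intact_office,
        "encrypted_ratio": ratio,
    }


def looks_like_ghostlocker_run(paths, min_encrypted=3, min_ratio=0.5):
    """Heuristic: several targeted documents renamed to .ghost and a majority
    of the Office documents affected. Thresholds are arbitrary starting points
    that an analyst should tune to the share being examined."""
    stats = triage(paths)
    return (stats["encrypted_office"] >= min_encrypted
            and stats["encrypted_ratio"] >= min_ratio)


def walk_listing(root):
    """Collect every file path under a directory tree for triage()."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name).replace(os.sep, "/")


if __name__ == "__main__":
    # With no argument, run against the constructed sample listing.
    listing = list(walk_listing(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LISTING
    print(triage(listing))
    print("mass-encryption signal:", looks_like_ghostlocker_run(listing))
```

Run it with a directory argument to walk a real share, or without one to see the result on the constructed sample. The heuristic only uses naming artifacts, so it is a scoping aid for responders rather than a detection rule; a file that was encrypted but not renamed would not be counted.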