Thursday, November 7, 2024

GhostSec and Stormous Launch Joint Ransomware Attacks in Over 15 Countries

The cybercrime group known as GhostSec has been linked to a Golang variant of a ransomware family known as GhostLocker.

“The GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries,” Cisco Talos researcher Chetan Raghuprasad said in a report shared with The Hacker News.

“GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program, STMX_GhostLocker, providing various options for their affiliates.”

Attacks mounted by the group have targeted victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand, and Indonesia.

Some of the most impacted business verticals include technology, education, manufacturing, government, transportation, energy, medicolegal, real estate, and telecom.

GhostSec – not to be confused with Ghost Security Group (which is also called GhostSec) – is part of a coalition called The Five Families, which also comprises ThreatSec, Stormous, Blackforums, and SiegedSec.


It was formed in August 2023 to “establish better unity and connections for everyone in the underground world of the internet, to expand and grow our work and operations.”

Late last year, the cybercrime group ventured into ransomware-as-a-service (RaaS) with GhostLocker, offering it to other actors for $269.99 per month. Soon after, the Stormous ransomware group announced that it would use the Python-based ransomware in its attacks.

The latest findings from Talos show that the two groups have banded together not only to strike a wide range of sectors, but also to unleash an updated version of GhostLocker in November 2023 and to start a new RaaS program in 2024 called STMX_GhostLocker.

“The new program is made up of three categories of services for the affiliates: paid, free, and another for the individuals without a program who only want to sell or publish data on their blog (PYV service),” Raghuprasad explained.

STMX_GhostLocker, which comes with its own leak site on the dark web, lists at least six victims from India, Uzbekistan, Indonesia, Poland, Thailand, and Argentina.

GhostLocker 2.0 (aka GhostLocker V2) is written in Go and has been advertised as fully effective and offering fast encryption/decryption capabilities. It also comes with a revamped ransom note that urges victims to get in touch within seven days or risk having their stolen data leaked.

The RaaS scheme also allows affiliates to track their operations, monitor encryption status, and manage payments through a web panel. They are also provided with a builder that makes it possible to configure the locker payload according to their preferences, including the directories to encrypt and the processes and services to be terminated before the encryption process begins.

Once deployed, the ransomware establishes a connection to a command-and-control (C2) panel and proceeds with the encryption routine, but not before killing the defined processes or services and exfiltrating files matching a specific list of extensions.


Talos said it discovered two new tools likely used by GhostSec to compromise legitimate sites. “One of them is the ‘GhostSec Deep Scan toolset’ to scan legitimate websites recursively, and another is a hack tool to perform cross-site scripting (XSS) attacks called ‘GhostPresser,’” Raghuprasad said.

GhostPresser is specifically designed to break into WordPress sites, allowing the threat actors to change site settings, add new plugins and users, and even install new themes, demonstrating GhostSec’s commitment to evolving its arsenal.

“The group themselves has claimed they’ve used it in attacks on victims, but we have no way to validate any of those claims. This tooling would likely be used by the ransomware operators for a variety of reasons,” Talos told The Hacker News.

“The deep scan tool could be leveraged to look for ways into victim networks, and the GhostPresser tool, in addition to compromising victim websites, could be used to stage payloads for distribution, if they didn’t want to use actor infrastructure.”
