GhostSec and Stormous launch joint ransomware attacks in over 15 countries

The cybercrime group called GhostSec has been linked to a Golang variant of a ransomware family called GhostLocker.

“Ransomware groups GhostSec and Stormous are jointly conducting double-extortion ransomware attacks on various business verticals across multiple countries,” Cisco Talos researcher Chetan Raghuprasad said in a report shared with The Hacker News.

“GhostLocker and Stormous ransomware have launched a new ransomware-as-a-service (RaaS) program STMX_GhostLocker, providing various options for their affiliates.”

Attacks organized by the group have targeted victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkey, Egypt, Vietnam, Thailand and Indonesia.

Some of the most affected business verticals include technology, education, manufacturing, government, transportation, energy, forensics, real estate, and telecommunications.

GhostSec – not to be confused with Ghost Security Group (also called GhostSec) – is part of a coalition called The Five Families, which also includes ThreatSec, Stormous, Blackforums and SiegedSec.


It was formed in August 2023 to “establish better unity and connections for everyone in the Internet underworld, to expand and grow our work and operations.”

Late last year, the group ventured into ransomware-as-a-service (RaaS) with GhostLocker, renting it to other actors for $269.99 a month. Shortly after, the Stormous ransomware group announced that it would use Python-based ransomware in its attacks.

Talos’ latest findings show that the two groups have not only teamed up to target a wide range of industries, but also released an updated version of GhostLocker in November 2023 and launched a new RaaS program, STMX_GhostLocker, in 2024.

“The new program consists of three categories of services for affiliates: paid, free and another for individuals without a program who just want to sell or publish data on their blog (PYV service),” Raghuprasad explained.

STMX_GhostLocker, which has its own leak site on the dark web, lists no fewer than six victims from India, Uzbekistan, Indonesia, Poland, Thailand and Argentina.

GhostLocker 2.0 (also known as GhostLocker V2) is written in Go and is advertised as fully undetectable, with fast encryption and decryption. It also ships with a reworked ransom note that urges victims to make contact within seven days or risk having their stolen data leaked.

The RaaS scheme also lets affiliates track their operations and monitor encryption status and payments through a web panel. It ships with a builder that lets them configure the locker payload, including the directories to encrypt and the processes and services to terminate before encryption starts.

Once deployed, the ransomware connects to its command-and-control (C2) panel, kills the configured processes and services, exfiltrates files whose extensions match a specified list, and only then starts its encryption routine.
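The kill, exfiltrate, then encrypt sequence described above is a behaviour chain a defender can hunt for on endpoint telemetry. The following is an added example written for this article, not code from Talos or from the GhostLocker operators: it parses constructed endpoint log lines and flags a process that, inside one short window, terminates processes or services, pushes a large volume outbound, and renames many files to a single new extension. The log format, the field names, the thresholds and the sample lines are all assumptions made for this example; a real deployment would read the equivalent fields from its EDR or Sysmon feed.

```python
"""Added example, not code from the Talos report or the article: a small
detector for the locker behaviour chain described above (kill processes or
services, exfiltrate files, then encrypt), run over constructed endpoint log
lines. The log format, field names, thresholds and the sample lines are all
assumptions made for this example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)         # chain must complete inside this window
MIN_RENAMES = 5                       # mass-rename threshold per process
MIN_EXFIL_BYTES = 10 * 1024 * 1024    # outbound volume that counts as exfil

# Constructed sample: "<ISO timestamp> <host> <event> key=value ...".
# ws01/svc.exe shows the full chain; ws02 is ordinary browsing; ws03 is a
# backup job that renames many files but kills nothing and sends nothing.
SAMPLE_LOG = r"""
2024-03-05T09:00:01 ws01 proc_kill target=sqlservr.exe by=svc.exe
2024-03-05T09:00:02 ws01 svc_stop target=VSS by=svc.exe
2024-03-05T09:00:05 ws01 net_conn dst=203.0.113.7:443 bytes_out=58720256 by=svc.exe
2024-03-05T09:00:09 ws01 file_rename path=C:\docs\q1.xlsx new=C:\docs\q1.xlsx.locked by=svc.exe
2024-03-05T09:00:09 ws01 file_rename path=C:\docs\q2.xlsx new=C:\docs\q2.xlsx.locked by=svc.exe
2024-03-05T09:00:10 ws01 file_rename path=C:\docs\plan.docx new=C:\docs\plan.docx.locked by=svc.exe
2024-03-05T09:00:10 ws01 file_rename path=C:\docs\notes.txt new=C:\docs\notes.txt.locked by=svc.exe
2024-03-05T09:00:11 ws01 file_rename path=C:\docs\db.bak new=C:\docs\db.bak.locked by=svc.exe
2024-03-05T09:00:11 ws01 file_rename path=C:\docs\img.png new=C:\docs\img.png.locked by=svc.exe
2024-03-05T09:30:00 ws02 net_conn dst=198.51.100.3:443 bytes_out=1024 by=chrome.exe
2024-03-05T22:00:00 ws03 file_rename path=D:\bk\a.vhd new=D:\bk\a.vhd.old by=backup.exe
2024-03-05T22:00:01 ws03 file_rename path=D:\bk\b.vhd new=D:\bk\b.vhd.old by=backup.exe
2024-03-05T22:00:01 ws03 file_rename path=D:\bk\c.vhd new=D:\bk\c.vhd.old by=backup.exe
2024-03-05T22:00:02 ws03 file_rename path=D:\bk\d.vhd new=D:\bk\d.vhd.old by=backup.exe
2024-03-05T22:00:02 ws03 file_rename path=D:\bk\e.vhd new=D:\bk\e.vhd.old by=backup.exe
"""


def parse_line(line):
    """Turn one log line into a dict; the first three tokens are fixed, the rest are key=value."""
    ts, host, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def extension(path):
    """Suffix after the last dot, or empty when the name has none."""
    return "." + path.rsplit(".", 1)[1] if "." in path else ""


def summarize(window):
    """Collect the three stages from one time window of a single host/process."""
    kills = [e["target"] for e in window if e["event"] in ("proc_kill", "svc_stop")]
    conns = [e for e in window if e["event"] == "net_conn"]
    exfil = sum(int(e.get("bytes_out", 0)) for e in conns)
    exts = Counter(extension(e["new"]) for e in window if e["event"] == "file_rename")
    ext, n = exts.most_common(1)[0] if exts else ("", 0)
    return kills, exfil, [e["dst"] for e in conns], ext, n


def detect(events):
    """Return one finding per (host, process) whose events, within WINDOW,
    show all three stages: kill/stop, outbound bulk transfer, mass rename."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["host"], e.get("by", "?"))].append(e)
    findings = []
    for (host, proc), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):            # sliding window over the stream
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW]
            kills, exfil, dsts, ext, n = summarize(window)
            if kills and exfil >= MIN_EXFIL_BYTES and n >= MIN_RENAMES:
                findings.append({"host": host, "process": proc, "killed": kills,
                                 "exfil_bytes": exfil, "c2": dsts,
                                 "extension": ext, "renamed": n})
                break                              # one finding per actor is enough
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f['host']}: {f['process']} killed {f['killed']}, sent {f['exfil_bytes']} bytes "
              f"to {f['c2']}, renamed {f['renamed']} files to {f['extension']}")
```

Requiring all three stages is what keeps the backup job on ws03 (many renames, no kills, no upload) out of the results; tuning any one threshold in isolation is how detections of this kind end up either noisy or blind, so the window and counts should be set from the organisation's own baseline rather than copied from here.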


Talos said it discovered two new tools likely used by GhostSec to compromise legitimate sites. “One of them is the ‘GhostSec Deep Scan toolset’ to recursively scan legitimate websites, and another is a hacking tool to carry out cross-site scripting (XSS) attacks called ‘GhostPresser,’” Raghuprasad said.

GhostPresser is primarily designed to compromise WordPress sites, letting the threat actors change site settings, add new plugins and users, and even install new themes, underscoring GhostSec’s continued investment in its arsenal.

“The group itself has claimed to have used it in attacks on victims, but we have no way to validate any of these claims. This tool would likely be used by ransomware operators for a variety of reasons,” Talos told The Hacker News.

“The deep scan tool could be exploited to look for ways into victims’ networks, and the GhostPresser tool, in addition to compromising victims’ websites, could be used to stage payloads for distribution, if they did not want to use the actors’ infrastructure.”
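Because the GhostPresser capabilities described above (new users, new plugins, new themes) all leave traces in a site's own inventory, a periodic diff against a known-good baseline is a cheap way to catch that kind of tampering or a site being repurposed to stage payloads. The following is an added example written for this article, not code from Talos, from the article, or from the tool: it reduces three WP-CLI listings to a small snapshot and reports what changed relative to a baseline. The JSON is constructed to look like WP-CLI's `--format=json` output; the baseline contents, user names, plugin and theme names are assumptions, and collecting the listings from a live site is left to the operator.

```python
"""Added example, not code from the article, Talos or the GhostPresser tool:
compare a WordPress site's administrators, plugins and themes against a
recorded baseline, so that the changes GhostPresser is described as making
(new users, new plugins, new themes) surface as a diff. The JSON below is
constructed to look like the output of WP-CLI's
`wp user list --role=administrator --format=json`, `wp plugin list --format=json`
and `wp theme list --format=json`; fetching it from a real site is left to the
operator. Baseline contents and all names are assumptions."""
import json

# Constructed baseline recorded when the site was last known clean.
BASELINE = {
    "admins": ["alice"],
    "plugins": {"akismet": "active", "hello": "inactive"},
    "themes": {"twentytwentyfour": "active"},
}

# Constructed: the current state as three WP-CLI JSON documents.
USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "alice", "user_registered": "2022-01-10 09:00:00", "roles": "administrator"},
    {"ID": 57, "user_login": "wp_support", "user_registered": "2024-03-04 02:13:41", "roles": "administrator"},
])
PLUGINS_JSON = json.dumps([
    {"name": "akismet", "status": "active", "version": "5.3"},
    {"name": "hello", "status": "active", "version": "1.7.2"},
    {"name": "site-helper", "status": "active", "version": "0.1"},
])
THEMES_JSON = json.dumps([
    {"name": "twentytwentyfour", "status": "inactive", "version": "1.0"},
    {"name": "darkwave", "status": "active", "version": "0.9"},
])


def snapshot(users_json, plugins_json, themes_json):
    """Reduce the three WP-CLI listings to the same shape as BASELINE."""
    return {
        "admins": sorted(u["user_login"] for u in json.loads(users_json)),
        "plugins": {p["name"]: p["status"] for p in json.loads(plugins_json)},
        "themes": {t["name"]: t["status"] for t in json.loads(themes_json)},
    }


def active(items):
    """Names whose status is 'active' in a name -> status mapping."""
    return {name for name, status in items.items() if status == "active"}


def diff_site(baseline, current):
    """Return only the differences that matter for a site-takeover review."""
    base_theme = next(iter(active(baseline["themes"])), None)
    cur_theme = next(iter(active(current["themes"])), None)
    return {
        "new_admins": sorted(set(current["admins"]) - set(baseline["admins"])),
        "removed_admins": sorted(set(baseline["admins"]) - set(current["admins"])),
        "new_plugins": sorted(set(current["plugins"]) - set(baseline["plugins"])),
        "newly_active_plugins": sorted(active(current["plugins"]) - active(baseline["plugins"])),
        "new_themes": sorted(set(current["themes"]) - set(baseline["themes"])),
        "active_theme_change": None if base_theme == cur_theme else {"was": base_theme, "now": cur_theme},
    }


def suspicious(diff):
    """True when anything changed that an attacker holding admin access would change."""
    return any(v for v in diff.values())


if __name__ == "__main__":
    d = diff_site(BASELINE, snapshot(USERS_JSON, PLUGINS_JSON, THEMES_JSON))
    print(json.dumps(d, indent=2))
    print("review needed" if suspicious(d) else "clean")
```

The point of reducing to a baseline-shaped snapshot is that the comparison stays the same whether the inventory comes from WP-CLI, the REST API or a database query; what an operator must add is a trustworthy place to keep the baseline, since a baseline stored on the compromised host can be edited by the same actor who added the plugin.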
