Cybercriminals have developed an improved version of the infamous GhostLocker ransomware that they are employing in attacks across the Middle East, Africa and Asia.
Two ransomware groups, GhostSec and Stormous, have joined forces in double-extortion campaigns that use the new GhostLocker 2.0 to infect organizations in Lebanon, Israel, South Africa, Turkey, Egypt, India, Vietnam and Thailand, among other locations.
Technology companies, universities, manufacturers, transportation operators and government organizations are bearing the brunt of the attacks, which aim to extort payment for the decryption keys needed to recover data locked by the file-encrypting malware. The attackers also threaten to release the stolen sensitive data unless victims pay them hush money, according to researchers at Cisco Talos, who discovered the new campaign.
RaaS al-Ghoul
The two groups, GhostSec and Stormous, have introduced a revised ransomware-as-a-service (RaaS) program called STMX_GhostLocker, offering their affiliates a range of options.
The GhostSec and Stormous groups announced the data theft on their Telegram channels and on the Stormous ransomware data leak site.
In a technical blog post this week, Cisco Talos claimed that GhostSec is attacking Israel’s industrial systems, critical infrastructure, and technology companies. The alleged victims include the Israeli Ministry of Defense, but the group’s motivations appear to be primarily profit-oriented and not for the purposes of kinetic sabotage.
Chats in the group’s Telegram channel suggest that the group is motivated (at least in part) by a desire to raise money for hacktivists and other threat actors. The name GhostSec resembles that of the well-known hacktivist outfit Ghost Security Group, known for attacking websites of pro-Islamic State groups among other targets, but any connection remains unconfirmed.
The Stormous gang added the GhostLocker ransomware program to its already existing StormousX program following a successful joint operation against Cuban ministries last July.
XSS marks the point
GhostSec appears to be conducting attacks against corporate websites, including a national rail operator in Indonesia and a Canadian energy provider. Cisco Talos reports that the group may be using its GhostPresser tool in conjunction with cross-site scripting (XSS) attacks against vulnerable websites.
Ransomware bosses offer a newly developed set of GhostSec deep scanning tools that would-be attackers can use to scan the websites of their potential targets.
The Python-based utility contains placeholders to perform specific functions, including the potential ability to scan for specific vulnerabilities (via CVE numbers) on targeted websites. The promised functionality indicates GhostSec’s “continuously evolving tools in its arsenal,” according to Cisco Talos. Security researchers report that the malware’s developers refer to “work in progress” on “GhostLocker v3” in their chats.
Ghost in the shell
GhostLocker 2.0 encrypts files on the victim’s computer, appending the .ghost extension, before dropping and opening a ransom note. The note warns victims that the stolen data will be published unless they contact the ransomware operators before a seven-day deadline expires.
GhostLocker ransomware-as-a-service affiliates have access to a control panel on which the progress of their attacks is logged automatically. The GhostLocker 2.0 command-and-control server geolocates to Moscow, as did the infrastructure used by previous versions of the ransomware.
Paid affiliates get access to a ransomware builder that can be configured with various options, including the target directory for encryption. By default the developers configured the ransomware to exfiltrate and encrypt files with .doc, .docx, .xls and .xlsx extensions (i.e., Microsoft Word documents and Excel spreadsheets).
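The two observable behaviours reported above (targeted Word and Excel files gaining a .ghost suffix, many of them in a short burst) are enough to write a simple host-side detection heuristic. The following is an added example written for this article; it is not Cisco Talos, GhostSec or Stormous code. The rename-event format, the 60-second window and the five-file threshold are assumptions chosen for illustration, and the telemetry it runs on is constructed, not captured from a real incident.

```python
"""Heuristic detector for GhostLocker-style mass renames.

Added example, not code from the malware or from Cisco Talos. It relies
only on what the article reports: encrypted files keep their original
name and gain a `.ghost` suffix, and the default targets are
.doc/.docx/.xls/.xlsx. Event shape, window and threshold are assumed.
"""
from collections import deque
from dataclasses import dataclass
from typing import Iterable

RANSOM_SUFFIX = ".ghost"
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx"}


@dataclass(frozen=True)
class RenameEvent:
    ts: float   # epoch seconds (assumed field from a file-system event source)
    src: str    # path before the rename
    dst: str    # path after the rename


def _basename(path: str) -> str:
    """Last path component, accepting both '/' and '\\' separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def _ext(name: str) -> str:
    return name[name.rfind("."):].lower() if "." in name else ""


def is_ghostlocker_rename(ev: RenameEvent) -> bool:
    """True when a targeted document becomes <original name>.ghost."""
    src, dst = _basename(ev.src), _basename(ev.dst)
    if _ext(dst) != RANSOM_SUFFIX:
        return False
    # The original file name and extension must survive under the suffix,
    # and the extension must be one the builder encrypts by default.
    return dst == src + RANSOM_SUFFIX and _ext(src) in TARGET_EXTS


def detect_bursts(events: Iterable[RenameEvent], window_s: float = 60.0,
                  threshold: int = 5) -> list[dict]:
    """One alert per burst of `threshold` suspicious renames inside `window_s`.

    A sliding window over suspicious events only; benign renames are
    ignored, and a new alert fires only after the window drains below
    the threshold again, so one incident yields one alert.
    """
    alerts: list[dict] = []
    recent: deque[RenameEvent] = deque()
    fired = False
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_ghostlocker_rename(ev):
            continue
        recent.append(ev)
        while recent and ev.ts - recent[0].ts > window_s:
            recent.popleft()
        if len(recent) >= threshold:
            if not fired:
                alerts.append({"first_ts": recent[0].ts, "last_ts": ev.ts,
                               "count": len(recent), "sample": ev.dst})
                fired = True
        else:
            fired = False
    return alerts


def sample_events() -> list[RenameEvent]:
    """Constructed telemetry for demonstration, not from a real host."""
    burst = [RenameEvent(100.0 + i, f"/srv/share/report{i}.docx",
                         f"/srv/share/report{i}.docx.ghost") for i in range(6)]
    noise = [
        # Not a targeted type, even though it gains the suffix.
        RenameEvent(101.5, "/srv/share/notes.txt", "/srv/share/notes.txt.ghost"),
        # Ordinary backup rename of a targeted type.
        RenameEvent(102.5, "/srv/share/old.xlsx", "/srv/share/old.xlsx.bak"),
        # Single matching rename long after the burst: below threshold alone.
        RenameEvent(900.0, "C:\\Users\\ann\\budget.xls", "C:\\Users\\ann\\budget.xls.ghost"),
    ]
    return burst + noise


if __name__ == "__main__":
    for alert in detect_bursts(sample_events()):
        print(alert)
```

Run stand-alone, the script prints a single alert covering the six-file burst and stays quiet on the isolated rename and the benign noise. The check is deliberately narrow (a real deployment would also watch for the ransom note being written and for the process performing the renames), but it illustrates how the two facts the article does supply translate into detection logic.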
The latest version of GhostLocker was written in Go, unlike the previous version, which was developed in Python. The functionality remains similar, however, according to Cisco Talos. One difference in the new version: it doubles the length of the encryption key from 128 to 256 bits.