GhostLocker 2.0 Terrorizes Businesses in Middle East, Africa & Asia

Cybercriminals have launched a new version of the GhostLocker ransomware, known as GhostLocker 2.0, targeting organizations across the Middle East, Africa, and Asia. The perpetrators behind this ransomware campaign, GhostSec and Stormous, have combined their efforts to carry out double-extortion ransomware attacks on various entities in countries such as Lebanon, Israel, South Africa, Turkey, Egypt, India, Vietnam, and Thailand.

The sectors most affected by these attacks include technology companies, universities, manufacturing, transportation, and government organizations. The attackers' primary goal is extortion: they encrypt victims' data and demand payment for the decryption keys, and they additionally threaten to leak the stolen data unless the ransom is paid, according to the Cisco Talos researchers who uncovered the new malware and the campaign behind it.

Furthermore, both GhostSec and Stormous have launched a new ransomware-as-a-service (RaaS) program called STMX_GhostLocker, providing affiliates with various options to conduct attacks. The groups have publicized their data theft on Telegram channels and the Stormous ransomware data leak site.

In its technical analysis, Cisco Talos reported that GhostSec is targeting industrial systems, critical infrastructure, and technology companies in Israel. Although the group presents itself as hacktivist, Talos assesses that its activities point to a profit-driven motive rather than kinetic sabotage. Discussions in the group's Telegram channel indicate a fundraising objective for hacktivists and threat actors, although any ties to other hacktivist groups remain unverified.

Stormous has integrated the GhostLocker ransomware program into its existing StormousX platform following a successful operation against Cuban ministries last year. GhostSec, on the other hand, has been observed attacking corporate websites, including a national railway operator in Indonesia and a Canadian energy provider. According to Cisco Talos, GhostSec may be employing the GhostPresser tool in conjunction with cross-site scripting (XSS) attacks on vulnerable websites.

GhostSec is also offering a new Python-based deep-scan toolset, GhostSec Deep Scan, which lets prospective attackers probe target websites for security weaknesses. The utility reflects GhostSec's continuous enhancement of its hacking tools, and chatter in the group's communications refers to a "GhostLocker v3" already under development.

GhostLocker 2.0 encrypts files on the victim's device, giving them the file extension ".ghost", and then drops a ransom note. The note gives victims seven days to contact the operators before the stolen data is leaked. Affiliates of the GhostLocker ransomware-as-a-service program have access to a control panel in which their attacks are logged automatically. The command-and-control server for GhostLocker 2.0 is geolocated in Moscow, as it was for previous versions.

Affiliates who pay for the ransomware builder can customize various options, including the target directory for encryption. The ransomware is designed to exfiltrate and then encrypt files with extensions such as .doc, .docx, .xls, and .xlsx. Unlike the previous version, which was written in Python, the latest iteration of GhostLocker is written in Go, and the encryption key length has been increased from 128 bits to 256 bits.
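The two behaviours above that a defender can actually observe on an endpoint are the mass renaming of office documents to the ".ghost" extension and the focus on .doc/.docx/.xls/.xlsx files. The following detection logic is an added example written for this page; it is not GhostSec or Stormous code and is not from the Cisco Talos report. Only the ".ghost" extension and the targeted document extensions come from the article; the event format, the hypothetical host names, the rename threshold, the time window and the sample events are all assumptions. It flags any host on which several targeted documents are renamed to ".ghost" within a short window, which separates an encryptor from a user renaming a single file.

```python
"""Flag the GhostLocker-style rename burst in constructed file events.

Added example for this page; not GhostSec/Stormous code and not from
Cisco Talos.  Only the ".ghost" extension and the targeted document
extensions come from the article; everything else (event schema,
thresholds, host names, sample data) is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

GHOST_EXT = ".ghost"                                   # from the article
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx"}        # from the article

# Assumed tunables: alert when at least MIN_RENAMES targeted documents
# on one host are renamed to .ghost inside WINDOW.
MIN_RENAMES = 5
WINDOW = timedelta(seconds=60)


def is_ghost_rename(event):
    """True if a rename turns a targeted document into a .ghost file.

    Accepts both "report.docx.ghost" (extension appended) and
    "report.ghost" (extension replaced): the article only states that
    encrypted files end up with the .ghost extension, so both shapes
    are matched on the destination suffix and the source suffix.
    """
    if event.get("op") != "rename":
        return False
    src = PurePosixPath(event["src"])
    dst = PurePosixPath(event["dst"])
    if dst.suffix.lower() != GHOST_EXT:
        return False
    return src.suffix.lower() in TARGET_EXTS


def detect(events):
    """Return {host: burst_size} for hosts with MIN_RENAMES or more
    targeted-document-to-.ghost renames inside any WINDOW-long span."""
    per_host = defaultdict(list)
    for ev in events:
        if is_ghost_rename(ev):
            per_host[ev["host"]].append(datetime.fromisoformat(ev["ts"]))

    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start, best = 0, 0
        # Sliding window over sorted timestamps: advance `start` until
        # the span [start, end] fits inside WINDOW, then record its size.
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= MIN_RENAMES:
            alerts[host] = best
    return alerts


def _ev(host, ts, src, dst):
    return {"host": host, "op": "rename", "ts": ts, "src": src, "dst": dst}


# Constructed sample telemetry (hypothetical hosts ws01..ws03), not real data.
SAMPLE_EVENTS = [
    _ev("ws01", "2024-03-01T09:00:00", "/home/a/budget.xlsx", "/home/a/budget.xlsx.ghost"),
    _ev("ws01", "2024-03-01T09:00:02", "/home/a/q1.doc", "/home/a/q1.doc.ghost"),
    _ev("ws01", "2024-03-01T09:00:03", "/home/a/memo.docx", "/home/a/memo.ghost"),
    _ev("ws01", "2024-03-01T09:00:05", "/home/a/plan.xls", "/home/a/plan.xls.ghost"),
    _ev("ws01", "2024-03-01T09:00:07", "/home/a/hr.docx", "/home/a/hr.docx.ghost"),
    # .txt is not a targeted extension, so this rename does not count.
    _ev("ws01", "2024-03-01T09:00:09", "/home/a/readme.txt", "/home/a/readme.txt.ghost"),
    # A single rename on another host stays below the threshold.
    _ev("ws02", "2024-03-01T09:10:00", "/home/b/notes.docx", "/home/b/notes.ghost"),
    # Unrelated rename: wrong destination extension.
    _ev("ws03", "2024-03-01T09:20:00", "/tmp/a.txt", "/tmp/a.bak"),
]

if __name__ == "__main__":
    for host, n in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {n} targeted documents renamed to {GHOST_EXT}")
```

Feeding real file-system audit events (Sysmon, auditd, EDR telemetry) into `detect` only requires mapping them onto the assumed `host/op/ts/src/dst` fields; the threshold and window should be tuned against baseline activity before the rule is used for alerting.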

In conclusion, the emergence of GhostLocker 2.0 signifies the evolving tactics of cybercriminals in deploying ransomware attacks across multiple regions. Organizations must remain vigilant and implement robust cybersecurity measures to safeguard their data and systems from such malicious threats.
