GhostLocker 2.0 causing havoc for businesses in Middle East, Africa, and Asia – Source: www.darkreading.com

Cybercriminals have unleashed a new and improved version of the GhostLocker ransomware against organizations across the Middle East, Africa, and Asia, hitting victims in sectors including technology, universities, manufacturing, transportation, and government. The upgraded strain, GhostLocker 2.0, is the product of a collaboration between two established ransomware groups, GhostSec and Stormous, which have joined forces to run double-extortion ransomware attacks in countries including Lebanon, Israel, South Africa, Turkey, Egypt, India, Vietnam, and Thailand.

The attacks follow the double-extortion model: victims are pressured to pay for the decryption keys needed to unlock their encrypted data, and separately extorted under the threat that stolen sensitive information will be published if no payment is made. Researchers from Cisco Talos uncovered the new malware strain and the associated campaign, documenting the groups' activity against organizations in these regions.

GhostSec and Stormous have also introduced a revised ransomware-as-a-service (RaaS) program, called STMX_GhostLocker, which offers affiliates several options for carrying out attacks. The groups publicize their data theft on Telegram channels and on the Stormous ransomware data-leak site, a brazen approach to advertising their criminal activity.

In a technical blog post, Cisco Talos reported that GhostSec is specifically targeting Israel's industrial systems, critical infrastructure, and technology companies, and that the Israeli Ministry of Defense is among the affected organizations. Despite speculation about political motivations, the primary driver behind the attacks appears to be financial gain rather than sabotage.

The Stormous gang incorporated the GhostLocker ransomware program into its existing operations after a successful joint campaign against Cuban ministries the previous year. GhostSec has also expanded its scope to attacks on corporate websites, including those of a national railway operator in Indonesia and a Canadian energy supplier, using tools such as GhostPresser and cross-site scripting (XSS) attacks to compromise vulnerable sites.

The operators behind GhostLocker 2.0 have also built out the ransomware's infrastructure with a control panel that lets affiliates track their attacks and monitor their progress. Affiliates who pay for the service gain access to a ransomware builder that allows customization of encryption settings, including which file types, such as .doc and .xls documents, are selected for encryption and exfiltration.

Notably, GhostLocker 2.0 has been rewritten in Go (GoLang) and doubles the encryption key length of its predecessor to 256 bits. The rewrite illustrates how ransomware crews keep iterating on their tooling to improve reliability, complicate detection and analysis, and maximize the profits from their operations.

In the face of escalating threats from ransomware groups like GhostSec and Stormous, organizations and individuals are urged to strengthen their defenses, stay vigilant against phishing, and keep their systems patched to reduce the risk of falling victim to ransomware. Because these are double-extortion attacks, restoring from backups addresses the encryption but not the threat of leaked data, so collaboration between security practitioners, law enforcement agencies, and governments remains essential to countering this growing menace.
