Cybercriminals have recently unveiled an upgraded iteration of the notorious GhostLocker ransomware, unleashing it upon the Middle East, Africa, and Asia in a series of targeted attacks. This enhanced version, dubbed GhostLocker 2.0, is the product of a collaboration between two ransomware groups, GhostSec and Stormous, who have united forces to carry out double-extortion ransomware assaults on organizations in various countries including Lebanon, Israel, South Africa, Turkey, Egypt, India, Vietnam, and Thailand.

The primary targets of these attacks encompass a wide range of sectors such as technology companies, universities, manufacturing, transportation, and government entities. The modus operandi involves coercing victims into paying for decryption keys essential for unlocking data encrypted by the malicious software. Moreover, the cybercriminals also employ the tactic of threatening to expose sensitive data pilfered from their victims unless a ransom is paid, as disclosed by researchers at Cisco Talos who detected the new malware and associated cyberattack campaign.

The GhostLocker and Stormous ransomware factions have introduced a revamped ransomware-as-a-service (RaaS) program known as STMX_GhostLocker, offering a variety of options for their affiliates to capitalize on the illicit scheme. Notably, GhostSec has been identified as the instigator of attacks against Israel’s industrial infrastructure, critical systems, and tech establishments, with instances of targeting the Israeli Ministry of Defense coming to light. Although the group’s motives seem primarily profit-driven rather than fueled by malicious intent for sabotage, their purported ties to hacktivist and threat actor fundraising remain speculative.

On the other hand, the Stormous gang has integrated the GhostLocker ransomware into its existing StormousX program following a successful joint operation against Cuban ministries last year, showcasing the evolution of cyber threats as cyberattackers aim their sights at corporate websites. GhostSec’s offensive maneuvers have been observed targeting corporate websites, including a national railway operator in Indonesia and a Canadian energy provider. Utilization of the GhostPresser tool in tandem with cross-site scripting (XSS) attacks against vulnerable websites has been reported by Cisco Talos, underscoring the methodical approach adopted by these cyber malefactors.

These cyber malefactors employ a newly developed GhostSec deep-scan toolset to probe the websites of potential targets, leveraging the utility’s functionality to identify specific vulnerabilities by CVE numbers on the targeted websites. Security researchers have uncovered discussions referencing ongoing development on “GhostLocker v3” within the group’s communications, emphasizing the continuous evolution of their hacking tools to enhance their operations.

GhostLocker 2.0 stands out for its encryption capability, locking files on the victim’s system with the extension .ghost and issuing a ransom note warning of data leaks unless the ransomware operators are contacted within a seven-day window. Affiliates of the GhostLocker ransomware-as-a-service are equipped with a control panel to monitor their attack progress within a geolocation traced back to Moscow. The latest iteration of GhostLocker has transitioned from Python to GoLang programming language, while boosting encryption key length from 128 to 256 bits to heighten data security measures.

In summary, the emergence of GhostLocker 2.0 marks a significant advancement in the cyber threat landscape, underscoring the continuously evolving tactics deployed by cybercriminals to extort victims and compromise sensitive data across international borders. The need for heightened cybersecurity measures and vigilance is paramount as organizations seek to fortify their defenses against the ever-growing menace of ransomware attacks.

Source link