Two cybercriminal groups, GhostSec and Stormous, have recently collaborated to launch double extortion ransomware attacks globally [1] [3] [4].

Description

They use GhostLocker 2.0, an enhanced version of the ransomware developed in Golang, which features updated ransom notes and a command-and-control (C2) panel for increased capabilities. The groups have also introduced a ransomware-as-a-service (RaaS) program called STMX_GhostLocker, offering affiliates tools like GhostSec Deep Scan and GhostPresser for website attacks [2], including website scanning and cross-site scripting (XSS) attacks.

Their targets span various industries, including technology companies [1] [4], universities [1], manufacturing [1], transportation [1], and government organizations [1]. The attacks conducted by GhostSec and Stormous have hit various business verticals and critical infrastructure, including Israel's Ministry of Defense [3]. GhostSec remains active and is financially motivated [3], conducting single and double extortion attacks globally [2] [3].

The ransomware encrypts files, which then carry the ".ghost" extension, and demands payment within seven days to prevent data disclosure [1]. Affiliates have access to a C2 panel located in Moscow, Russia [4], to track their attacks and gains [4]. GhostLocker 2.0 establishes persistence by copying itself to the Windows Startup folder and communicates with the C2 server to send victim information and encryption status [4].
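The two host behaviours described above (an executable written to the Startup folder, and files appearing with the ".ghost" extension) can be correlated per process in file-creation telemetry. The following is an added detection sketch, not code from the cited reports; the event tuples, paths, executable-extension list and thresholds are constructed assumptions.

```python
import ntpath
from collections import defaultdict

STARTUP = "\\start menu\\programs\\startup\\"  # per-user and all-users Startup folders
EXEC_EXTS = {".exe", ".scr", ".bat", ".cmd"}     # assumed list, tune for your estate

# Constructed sample events: (time in seconds, writing process, file created).
SAMPLE = (
    [(0, r"C:\Users\al\Downloads\invoice.exe",
      r"C:\Users\al\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe")]
    + [(10 + i, r"C:\Users\al\Downloads\invoice.exe",
        rf"C:\Users\al\Documents\report{i}.docx.ghost") for i in range(8)]
    + [(300, r"C:\Program Files\Editor\edit.exe", r"C:\Users\al\Documents\notes.ghost")]
)

def ext(path):
    return ntpath.splitext(path)[1].lower()

def startup_drops(events):
    """Executables written into a Startup folder (the persistence step)."""
    return [e for e in events if STARTUP in e[2].lower() and ext(e[2]) in EXEC_EXTS]

def ghost_bursts(events, threshold=5, window=60):
    """Processes creating >= threshold '.ghost' files within `window` seconds."""
    times = defaultdict(list)
    for ts, image, target in events:
        if ext(target) == ".ghost":
            times[image.lower()].append(ts)
    hits = {}
    for image, ts_list in times.items():
        ts_list.sort()
        start = best = 0
        for end, t in enumerate(ts_list):      # sliding window over sorted times
            while t - ts_list[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[image] = best
    return hits

def triage(events):
    """Both behaviours from one process is 'high'; either one alone is 'review'."""
    droppers = {e[1].lower() for e in startup_drops(events)}
    bursts = ghost_bursts(events)
    return {img: ("high" if img in droppers and img in bursts else "review")
            for img in droppers | set(bursts)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A single ".ghost" file from an unrelated program stays below the burst threshold, so only the process that both drops into Startup and mass-creates ".ghost" files is ranked high.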

Conclusion

These ransomware attacks have significant impacts on businesses and organizations, highlighting the importance of cybersecurity measures and incident response plans. It is crucial for entities to implement strong security protocols, regularly update software, and educate employees on cybersecurity best practices to mitigate the risk of falling victim to such attacks. The collaboration between GhostSec and Stormous sets a concerning precedent for future cyber threats, emphasizing the need for enhanced cybersecurity defenses and international cooperation to combat cybercrime effectively.

References

[1] https://www.nouvelles-du-monde.com/ghostlocker-2-0-hante-les-entreprises-du-moyen-orient-dafrique-et-dasie/
[2] https://ciso2ciso.com/ghostsec-evolves-with-website-compromise-tools-source-www-infosecurity-magazine-com/
[3] https://www.cyberreport.io/news/ghostsec-s-joint-ransomware-operation-and-evolution-of-their-arsenal?article=90636
[4] https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/