The cybercrime group known as GhostSec has been linked to a Golang variant of a ransomware family called GhostLocker.
“The GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on many business verticals in several countries around the world,” Cisco Talos researcher Chetan Raghuprasad said in a report shared with The Hacker News.
“GhostLocker and Stormous ransomware have begun a new ransomware-as-a-service (RaaS) program STMX_GhostLocker, providing various options for their affiliates.”
Attacks mounted by the group have targeted victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand, and Indonesia.
Some of the most impacted business verticals include technology, education, manufacturing, government, transportation, energy, medicolegal, real estate, and telecom.
GhostSec – not to be confused with Ghost Security Group (which is also called GhostSec) – is part of a coalition called The Five Families, which also includes ThreatSec, Stormous, Blackforums, and SiegedSec.
It was formed in August 2023 to “establish better unity and connections for everyone in the underground world of the internet, to expand and grow our work and operations.”
Late last year, the cybercrime group ventured into ransomware-as-a-service (RaaS) with GhostLocker, offering it to other actors for $269.99 per month. Shortly after, the Stormous ransomware group announced that it would use Python-based ransomware in its attacks.
The latest findings from Talos show that the two groups have banded together to not only target a wide range of sectors, but also release an updated version of GhostLocker in November 2023 as well as start a new RaaS program in 2024 called STMX_GhostLocker.
“The new program consists of three categories of services for the affiliates: paid, free, and another for individuals without a program who only want to sell or publish data on their blog (PYV service),” Raghuprasad explained.
STMX_GhostLocker, which comes with its own leak site on the dark web, lists no fewer than six victims from India, Uzbekistan, Indonesia, Poland, Thailand, and Argentina.
GhostLocker 2.0 (aka GhostLocker V2) is written in Go and has been advertised as fully effective and featuring fast encryption/decryption capabilities. It also comes with a revamped ransom note that urges victims to get in touch within seven days or risk having their stolen data leaked.
The RaaS scheme also allows affiliates to track their operations, encryption status, and payments through a web panel. They are also provided with a builder that makes it possible to configure the locker payload according to their preferences, including the directories to encrypt and the processes and services to be terminated before starting the encryption process.
Once deployed, the ransomware establishes a connection with a command-and-control (C2) panel and proceeds with the encryption routine, but not before killing the defined processes or services and exfiltrating files matching a specific list of extensions.
Talos said it discovered two new tools likely used by GhostSec to compromise legitimate websites. “One of them is the ‘GhostSec Deep Scan toolset’ to scan legitimate websites recursively, and another is a hack tool to perform cross-site scripting (XSS) attacks called ‘GhostPresser,’” Raghuprasad said.
GhostPresser is primarily designed to break into WordPress sites, allowing the threat actors to alter site settings, add new plugins and users, and even install new themes, demonstrating GhostSec’s commitment to evolving its arsenal.
“The group itself has claimed they have used it in attacks on victims, but we do not have any way to verify any of those claims. This tooling would likely be used by the ransomware operators for a variety of purposes,” Talos told The Hacker News.
“The deep scan tool could be leveraged to look for ways into victim networks, and the GhostPresser tool, in addition to compromising victim websites, could be used to stage payloads for distribution if they didn't want to use actor infrastructure.”
Some components of this post are sourced from:
thehackernews.com