Skip to content Skip to footer

GhostSec and Stormous Ransomware Groups Conduct Double Extortion Attacks

In the world of cybercrime, the group known as GhostSec has emerged as a significant threat, with its latest activities being linked to a variant of the GhostLocker family, written in Golang. Researchers at Cisco Talos have reported that GhostSec and another group called Stormous are conducting double extortion attacks on various business verticals in multiple countries. The attackers have targeted victims in countries such as Cuba, Argentina, Poland, , Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand, and Indonesia, with some of the most impacted business verticals being technology, education, manufacturing, , transportation, energy, medicolegal, real estate, and telecom.

GhostSec is part of a coalition called The Five Families, which includes ThreatSec, Stormous, Blackforums, and SiegedSec. The group was formed in August 2023 to establish better unity and connections for everyone in the underground world of the internet and to expand and grow their work and operations. Late last year, GhostSec ventured into -as-a-service (RaaS) with GhostLocker, offering it to other actors for $269.99 monthly. Soon after, the Stormous group announced it would use Python-based in its attacks.

The latest findings from Talos suggest that the two groups have joined forces to unleash an updated version of GhostLocker in November 2023 and start a new RaaS program called STMX_GhostLocker in 2024. The new program comprises three categories of services for the affiliates: paid and accessible, and another for those without a program who only want to sell or publish data on their blog (PYV service). STMX_GhostLocker has its leak site on the dark and lists at least six victims from India, Uzbekistan, Indonesia, Poland, Thailand, and Argentina.

GhostLocker 2.0 (aka GhostLocker V2) is written in Go and has been advertised as fully effective and offering speedy encryption/decryption capabilities. The comes with a revamped ransom note that urges victims to contact the attackers within seven days or risk getting their stolen data leaked. The RaaS scheme also allows affiliates to track their operations and monitor encryption status and payments through a web panel. They are also provided with a builder that makes it possible to configure the locker payload according to their preferences, including the directories to encrypt and the processes and services to be terminated before commencing the encryption process.

Talos has also discovered two new tools likely used by GhostSec to compromise legitimate sites. “One of them is the ‘GhostSec Deep Scan toolset' to scan legitimate websites recursively, and another is a hack tool to perform cross-site scripting (XSS) attacks called ‘GhostPresser,'” said Chetan Raghuprasad, a researcher at Cisco Talos. GhostPresser is mainly designed to break into WordPress sites, allowing the threat actors to alter site settings, add new plugins and users, and even install new themes, demonstrating GhostSec's commitment to evolving its arsenal.

According to Talos, the deep scan tool could be leveraged to find ways to enter victim networks. The GhostPresser tool, in addition to compromising victim websites, could be used to stage payloads for distribution if the attackers do not want to use actor infrastructure. While the group has claimed to have used the tooling in attacks on victims, there is no way to validate any of those claims. Despite this, it is clear that GhostSec and Stormous are serious about their operations and are continuously evolving and expanding their capabilities, making them a significant threat to businesses and organizations worldwide.

Leave a comment

Newsletter Signup
Address

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

- Dade: What is it with this guy?
- Phreak: His parents missed Woodstock, and he's been making up for it since.
Dade & Phreak

Deitasoft © 2024. All Rights Reserved.