Cybercrime group GhostSec linked to GhostLocker ransomware variant

One sentence summary – The cybercrime group GhostSec has been linked to the Golang variant of ransomware called GhostLocker, conducting double extortion attacks on victims in various countries and business verticals as part of The Five Families coalition.

At a glance

  • Cybercrime group GhostSec linked to Golang variant of ransomware called GhostLocker
  • Double extortion ransomware attacks conducted by GhostSec and Stormous
  • Attacks targeted victims in multiple countries and various business verticals
  • GhostSec is part of The Five Families coalition formed in August 2023
  • GhostSec offers GhostLocker through Ransomware-as-a-Service model and has developed GhostLocker 2.0 in Go

The details

A cybercrime group known as GhostSec has been linked to a Golang variant of ransomware called GhostLocker.

The group, along with another ransomware group called Stormous, has been conducting double extortion ransomware attacks.

These attacks have targeted victims in multiple countries, including Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand, and Indonesia.

The impacted business verticals include technology, education, manufacturing, government, transportation, energy, medicolegal, real estate, and telecom.

The Five Families Coalition

GhostSec is part of a coalition called The Five Families, which also includes ThreatSec, Stormous, Blackforums, and SiegedSec.

The group was formed in August 2023 to establish unity in the underground internet world.

Ransomware-as-a-Service Model

GhostSec ventured into the Ransomware-as-a-Service (RaaS) model with GhostLocker, offering it for $269.99 per month.

The Stormous ransomware group has announced the use of Python-based ransomware.

GhostLocker was updated in November 2023, and a new RaaS program called STMX_GhostLocker was started in 2024. STMX_GhostLocker offers three categories of services for affiliates: paid, free, and PYV service.

GhostLocker 2.0, written in Go, offers speedy encryption/decryption capabilities.

The ransom note from these attacks urges victims to contact within seven days or risk data leaks.

The RaaS scheme allows affiliates to track operations, monitor encryption status, and receive payments.

Affiliates are provided with a builder to configure the locker payload according to their preferences.

The ransomware establishes a connection with a Command and Control (C2) panel, encrypting files after exfiltrating specific extensions.

Two new tools, GhostSec Deep Scan toolset and GhostPresser, are likely used by GhostSec to compromise legitimate sites.

GhostPresser is designed to break into WordPress sites, alter settings, add plugins and users, and install themes.

GhostSec claims to have used these tools in attacks, likely for compromising victim networks and staging payloads.

What's your reaction?

In Love
Not Sure

You may also like

Comments are closed.