GhostLocker 2.0 Haunts Businesses Across Middle East, Africa & Asia



Cybercriminals have developed an enhanced version of the infamous GhostLocker ransomware that they are deploying in attacks across the Middle East, Africa, and Asia.

Two ransomware groups, GhostSec and Stormous, have joined forces in the attack campaigns with double-extortion ransomware attacks using the new GhostLocker 2.0 to infect organizations in Lebanon, Israel, South Africa, Turkey, Egypt, India, Vietnam, and Thailand, as well as other locations.

Technology companies, universities, manufacturing, transportation, and government organizations are bearing the brunt of attacks, which attempt to scam victims into paying for decryption keys needed to unscramble data that was rendered inaccessible by the file-encrypting malware. The attackers also threaten to release the stolen sensitive data unless the victims pay them hush money, according to researchers at Cisco Talos, who discovered the new malware and cyberattack campaign.

RaaS al Ghoul

Both the GhostSec and Stormous ransomware groups have introduced a revised ransomware-as-a-service (RaaS) program called STMX_GhostLocker, providing various options for their affiliates.

The GhostSec and Stormous groups announced their data theft in their Telegram channels and on the Stormous ransomware data leak site.

In a technical blog post this week, Cisco Talos said GhostSec is attacking Israel's industrial systems, critical infrastructure, and technology companies. Supposed victims include the Israeli Ministry of Defense, but the motives of the group appear to be primarily profit-driven rather than kinetic sabotage.

Chats in the group's Telegram channel suggest the group is motivated (at least in part) by a desire to raise funds for hacktivists and threat actors. The group's chosen moniker GhostSec resembles that of well-known hacktivist crew Ghost Security Group, an outfit known for targeting pro-ISIS websites and other cyberattacks, but any connection remains unconfirmed.

The Stormous gang added the GhostLocker ransomware program to its existing StormousX program following a successful joint operation against Cuban ministries last July.

XSS Marks the Spot

GhostSec appears to be conducting attacks against corporate websites, including a national railway operator in Indonesia and a Canadian energy supplier. Cisco Talos reports that the group may be using its GhostPresser tool in conjunction with cross-site scripting (XSS) attacks against vulnerable websites.

The ransomware kingpins are offering a newly developed GhostSec deep scan toolset that would-be attackers can use to scan the websites of their potential targets.

The Python-based utility contains placeholders to perform specific functions including the potential ability to scan for specific vulnerabilities (by CVE numbers) on targeted websites. The promised functionality indicates "GhostSec's continuous evolution of tools in their arsenal," according to Cisco Talos. Security researchers report that the malware's developers are referencing "ongoing work" on "GhostLocker v3" in their chats.

Ghost in the Shell

GhostLocker 2.0 encrypts files on the victim's machine, giving them the file extension .ghost, before dropping and opening a ransom note. Prospective marks are warned that stolen data will be leaked unless they contact the ransomware operators before a seven-day deadline expires.

GhostLocker ransomware-as-a-service affiliates have access to a control panel that allows them to monitor the progress of their attacks, which are automatically registered on the dashboard. The GhostLocker 2.0 command-and-control server resolves with a geolocation in Moscow, a similar set-up to earlier versions of the ransomware.

Paying affiliates gain access to a ransomware builder that can be configured with various options, including the target directory for encryption. The developers have configured the ransomware to exfiltrate and encrypt files with the extensions .doc, .docx, .xls, and .xlsx (i.e., Word documents and Excel spreadsheets).
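The two behaviours described above, Office documents being rewritten with the .ghost extension and a ransom note being dropped alongside them, are the kind of host telemetry a defender can alert on. The Go program below is an added example written for this article, not code from Cisco Talos or from the GhostLocker project. It assumes a minimal EDR-style file event record (host, process, operation, old and new path), constructed sample events, and a placeholder ransom-note heuristic (keywords such as "restore" or "readme" in a newly created text file); the article does not name the note file, so that part is an assumption. Only the .ghost extension and the four targeted extensions come from the article.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// FileEvent is one constructed, EDR-style file audit record (an assumption for
// this example; not a format used by GhostLocker or Cisco Talos).
type FileEvent struct {
	Time    time.Time
	Host    string
	Process string
	Op      string // "rename" or "create"
	OldPath string // empty for "create"
	NewPath string
}

// Indicators from the article: encrypted files get .ghost; these Office types are targeted.
const encryptedExt = ".ghost"

var targetedExts = map[string]bool{".doc": true, ".docx": true, ".xls": true, ".xlsx": true}

// Finding summarises suspicious activity for one host/process pair.
type Finding struct {
	Host, Process     string
	OfficeToGhost     int // targeted Office files renamed to .ghost
	OtherToGhost      int // any other file renamed to .ghost
	Burst             int // most .ghost renames seen inside one window
	RansomNoteDropped bool
}

// baseName and extOf avoid path/filepath so Windows-style sample paths work on any OS.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

func extOf(p string) string {
	b := baseName(p)
	if i := strings.LastIndex(b, "."); i >= 0 {
		return strings.ToLower(b[i:])
	}
	return ""
}

// isRansomNote is a placeholder heuristic (the article does not name the note):
// a newly created text/HTML file whose name carries a typical keyword.
func isRansomNote(p string) bool {
	b := strings.ToLower(baseName(p))
	if e := extOf(b); e != ".txt" && e != ".html" && e != ".hta" {
		return false
	}
	for _, kw := range []string{"ransom", "readme", "restore", "decrypt"} {
		if strings.Contains(b, kw) {
			return true
		}
	}
	return false
}

// Analyze groups events by host and process, counts renames that produce a .ghost
// file, and reports a finding when at least `threshold` such renames fall inside
// any window of length `window`, or when a ransom note accompanies any .ghost rename.
func Analyze(events []FileEvent, window time.Duration, threshold int) []Finding {
	type key struct{ host, proc string }
	groups := map[key][]FileEvent{}
	for _, e := range events {
		groups[key{e.Host, e.Process}] = append(groups[key{e.Host, e.Process}], e)
	}
	var findings []Finding
	for k, evs := range groups {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		f := Finding{Host: k.host, Process: k.proc}
		var ghostTimes []time.Time
		for _, e := range evs {
			if e.Op == "rename" && extOf(e.NewPath) == encryptedExt {
				ghostTimes = append(ghostTimes, e.Time)
				if targetedExts[extOf(e.OldPath)] {
					f.OfficeToGhost++
				} else {
					f.OtherToGhost++
				}
			} else if e.Op == "create" && isRansomNote(e.NewPath) {
				f.RansomNoteDropped = true
			}
		}
		// Sliding window over the sorted .ghost rename timestamps.
		for lo, hi := 0, 0; hi < len(ghostTimes); hi++ {
			for ghostTimes[hi].Sub(ghostTimes[lo]) > window {
				lo++
			}
			if n := hi - lo + 1; n > f.Burst {
				f.Burst = n
			}
		}
		if f.Burst >= threshold || (f.RansomNoteDropped && f.Burst > 0) {
			findings = append(findings, f)
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Host < findings[j].Host })
	return findings
}

// SampleEvents is constructed telemetry: a burst of Office files renamed to .ghost
// plus a note on ws-01, and one benign rename on ws-02.
func SampleEvents() []FileEvent {
	t0 := time.Date(2024, 3, 6, 9, 0, 0, 0, time.UTC)
	return []FileEvent{
		{t0, "ws-01", "unknown.exe", "rename", `C:\Users\a\Docs\budget.xlsx`, `C:\Users\a\Docs\budget.xlsx.ghost`},
		{t0.Add(1 * time.Second), "ws-01", "unknown.exe", "rename", `C:\Users\a\Docs\report.docx`, `C:\Users\a\Docs\report.docx.ghost`},
		{t0.Add(2 * time.Second), "ws-01", "unknown.exe", "rename", `C:\Users\a\Docs\notes.doc`, `C:\Users\a\Docs\notes.doc.ghost`},
		{t0.Add(3 * time.Second), "ws-01", "unknown.exe", "rename", `C:\Users\a\Docs\photo.jpg`, `C:\Users\a\Docs\photo.jpg.ghost`},
		{t0.Add(4 * time.Second), "ws-01", "unknown.exe", "create", "", `C:\Users\a\Docs\RESTORE_FILES.txt`},
		{t0.Add(5 * time.Second), "ws-02", "explorer.exe", "rename", `C:\Users\b\draft.docx`, `C:\Users\b\final.docx`},
	}
}

func main() {
	for _, f := range Analyze(SampleEvents(), time.Minute, 3) {
		fmt.Printf("%+v\n", f)
	}
}
```

Running it flags only ws-01, with three Office documents and one other file turned into .ghost within the window and a note created by the same process; the single rename on ws-02 never reaches the threshold. Grouping by process rather than by host alone keeps a backup agent that legitimately touches many files from tripping the rule, and the rename burst still fires even if the operators change the note's filename.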

The latest version of GhostLocker was written in the Go programming language, unlike the previous version, which was developed in Python. The functionality remains similar, however, according to Cisco Talos. One difference in the new version: it doubles the encryption key length from 128 to 256 bits.
