
A cybercriminal group called GhostSec has been linked to a Golang variant of a ransomware family called GhostLocker.
“The GhostSec and Stormous ransomware groups are teaming up to conduct dual ransomware attacks against various industry verticals in multiple countries,” Cisco Talos researcher Chetan Raghuprasad said in a report shared with The Hacker News.
“GhostLocker and Stormous ransomware have launched a new ransomware-as-a-service (RaaS) program, STMX_GhostLocker, offering various options to their affiliates.”
Attacks launched by the group targeted victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkey, Egypt, Vietnam, Thailand, and Indonesia.
Some of the most affected verticals include technology, education, manufacturing, government, transportation, energy, forensics, real estate, and telecommunications.
GhostSec – not to be confused with Ghost Security Group (also known as GhostSec) – is part of the “Big Five” alliance, which also includes ThreatSec, Stormous, Blackforums and SiegedSec.

It was founded in August 2023 to “build better unity and connections for everyone in the internet underworld, and expand and grow our work and operations.”
Late last year, the cybercriminal group ventured into ransomware-as-a-service (RaaS) through GhostLocker, offering the service to other actors for $269.99 per month. Soon after, the Stormous ransomware group announced that it would use Python-based ransomware in its attacks.
Talos’ latest findings show that the two groups have joined forces not only to attack a wide range of sectors, but also to release an updated version of GhostLocker in November 2023 and launch a new RaaS initiative called STMX_GhostLocker in 2024.
Raghuprasad explains: “The new program consists of three categories of services for affiliates: paid services, free services, and another category for individuals who don’t have a plan but just want to sell or publish material on their blog (PYV Serve).”
STMX_GhostLocker has its own leak site on the dark web, which lists no fewer than six victims from India, Uzbekistan, Indonesia, Poland, Thailand and Argentina.
GhostLocker 2.0 (aka GhostLocker V2) is written in Go and is advertised as being fully effective and providing fast encryption/decryption capabilities. It also comes with a modified ransom note urging victims to contact them within seven days or risk having their stolen data leaked.
The RaaS program also allows affiliates to track their operations, monitor encryption status and payments through a web panel. They are also provided with a builder to configure the locker payload to their liking, including which directories to encrypt and which processes and services to terminate before starting the encryption process.
Once deployed, the ransomware establishes a connection to the command and control (C2) panel and proceeds with the encryption routine, but not before killing defined processes or services and stealing files matching a specific list of extensions.

Talos said it discovered two new tools that GhostSec may be using to compromise legitimate websites. “One of them is the ‘GhostSec Deep Scanning Toolset,’ which is used to recursively scan legitimate websites, and the other is a hacking tool called ‘GhostPresser’ that performs cross-site scripting (XSS) attacks,” Raghuprasad said.
The primary purpose of GhostPresser is to compromise WordPress sites, allowing threat actors to change site settings, add new plugins and users, and even install new themes, demonstrating GhostSec’s commitment to growing its arsenal.
“The group themselves claim they use it to attack victims, but we don’t have any way to verify these claims. Ransomware operators could use this tool for a number of reasons,” Talos told The Hacker News.
“Deep scanning tools can be used to find ways into a victim’s network, and GhostPresser tools, in addition to compromising the victim’s website, can also be used to stage payloads for distribution if they don’t want to use the attacker’s infrastructure.”
from Tech Empire Solutions https://techempiresolutions.com/ghostsec-and-stormous-jointly-launch-ransomware-attacks-in-more-than-15-countries/
via https://techempiresolutions.com/