GhostLocker 2.0 Haunts Businesses Across Middle East, Africa & Asia

Cybercriminals have developed an enhanced version of the notorious GhostLocker ransomware that they are deploying in attacks across the Middle East, Africa, and Asia.

Two ransomware groups, GhostSec and Stormous, have joined forces in the attack campaigns, carrying out double-extortion ransomware attacks with the new GhostLocker 2.0 to infect organizations in Lebanon, Israel, South Africa, Turkey, Egypt, India, Vietnam, and Thailand, among other locations.

Technology companies, universities, manufacturing, transportation, and government organizations are bearing the brunt of the attacks, which attempt to extort victims into paying for the decryption keys needed to unscramble data rendered inaccessible by the file-encrypting malware. The attackers also threaten to release the stolen sensitive data unless the victims pay them hush money, according to researchers at Cisco Talos, who discovered the new malware and cyberattack campaign.

RaaS al Ghoul

Both the GhostLocker and Stormous ransomware groups have launched a revised ransomware-as-a-service (RaaS) program called STMX_GhostLocker, offering various options for their affiliates.

The GhostSec and Stormous groups announced their data theft on their Telegram channels and on the Stormous ransomware data leak site.

In a technical blog post this week, Cisco Talos said GhostSec is attacking Israel's industrial systems, critical infrastructure, and technology companies. Intended victims include the Israeli Ministry of Defense, but the group's motives appear to be primarily profit-driven rather than aimed at kinetic sabotage.

Chats in the group's Telegram channel suggest the group is motivated (at least partly) by a desire to raise funds for hacktivists and threat actors. The group's chosen moniker GhostSec resembles that of the well-known hacktivist crew Ghost Security Group, an outfit known for targeting pro-ISIS websites and other cyberattacks, but any connection remains unconfirmed.

The Stormous gang added the GhostLocker ransomware program to its existing StormousX program following a successful joint operation against Cuban ministries last July.

XSS Marks the Spot

GhostSec appears to be conducting attacks against corporate websites, including a national railway operator in Indonesia and a Canadian energy supplier. Cisco Talos reports that the group may be using its GhostPresser tool in conjunction with cross-site scripting (XSS) attacks against vulnerable websites.

The ransomware kingpins are offering a newly developed GhostSec deep scan toolset that would-be attackers can use to scan the websites of their potential targets.

The Python-based utility contains placeholders to perform specific functions, including the potential ability to scan for specific vulnerabilities (by CVE number) on targeted websites. The promised functionality indicates "GhostSec's continuous evolution of tools in their arsenal," according to Cisco Talos. Security researchers report that the malware's developers are referencing "ongoing work" on "GhostLocker v3" in their chats.

Ghost in the Shell

GhostLocker 2.0 encrypts files on the victim's machine, appending the file extension .ghost, before dropping and opening a ransom note. Potential marks are warned that stolen data will be leaked unless they contact the ransomware operators before a seven-day deadline expires.

GhostLocker ransomware-as-a-service affiliates have access to a control panel that allows them to monitor the progress of their attacks, which are automatically registered on the dashboard. The GhostLocker 2.0 command-and-control server resolves to a geolocation in Moscow, a similar setup to earlier versions of the ransomware.

Paying affiliates gain access to a ransomware builder that can be configured with various options, including the target list for encryption. The developers have configured the ransomware to exfiltrate and encrypt files with the extensions .doc, .docx, .xls, and .xlsx (i.e., Word-created document files and spreadsheets).

The latest version of GhostLocker was written in the Go programming language, unlike the earlier version, which was developed in Python. The functionality remains similar, however, according to Cisco Talos. One difference in the new version: it doubles the encryption key length from 128 to 256 bits.
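As an added defender-side illustration (not code from Cisco Talos or from the malware), the behaviour described above can be turned into a simple triage check: walk a directory tree, flag files that carry the .ghost extension, and record which original extension sits in front of it so a responder can see whether the hits match the targeted .doc/.docx/.xls/.xlsx document types. The sample directory it builds is constructed for the demo; the extension list is assumed from this article as a heuristic, not a full indicator set.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Heuristics taken from the article: document types the builder targets
# and the suffix appended after encryption. Assumed as detection hints only.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx"}
ENCRYPTED_SUFFIX = ".ghost"


def scan_for_ghost_files(root):
    """Walk `root` and summarise files that look like GhostLocker output.

    A hit is any file name ending in `.ghost`. For each hit we also record
    the extension that precedes it (report.docx.ghost -> .docx) and count how
    many hits fall on the targeted document types.
    """
    hits = []
    original_exts = Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(ENCRYPTED_SUFFIX):
                continue
            hits.append(str(Path(dirpath, name)))
            # Extension of the original file name, before ".ghost" was appended.
            inner = Path(name[: -len(ENCRYPTED_SUFFIX)]).suffix.lower()
            original_exts[inner or "(none)"] += 1
    targeted = sum(n for ext, n in original_exts.items() if ext in TARGET_EXTENSIONS)
    return {
        "ghost_files": sorted(hits),
        "by_original_extension": dict(original_exts),
        "targeted_document_hits": targeted,
    }


def build_sample_tree():
    """Create a constructed sample directory (not real victim data) for a dry run."""
    root = tempfile.mkdtemp(prefix="ghostlocker_demo_")
    sample = ["q1.docx.ghost", "budget.xlsx.ghost", "notes.txt", "readme.doc", "photo.jpg.ghost"]
    for name in sample:
        Path(root, name).write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print(scan_for_ghost_files(demo_root))
```

Running it on a real file share would replace `build_sample_tree()` with the share's path; a sudden cluster of .ghost hits on office documents is the signal to isolate the host and preserve the ransom note before touching anything else.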
