GhostSec and Stormous Launch Joint Ransomware Attacks in Over 15 Countries

The cybercrime group known as GhostSec has been linked to a Golang variant of a ransomware family called GhostLocker.

“The GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries,” Cisco Talos researcher Chetan Raghuprasad said in a report shared with The Hacker News.

“GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program STMX_GhostLocker, providing various options for their affiliates.”

Attacks mounted by the group have targeted victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand, and Indonesia.

Some of the most impacted business verticals include technology, education, manufacturing, government, transportation, energy, medicolegal, real estate, and telecom.

GhostSec – not to be confused with Ghost Security Group (which is also called GhostSec) – is part of a coalition called The Five Families, which also includes ThreatSec, Stormous, Blackforums, and SiegedSec.

It was formed in August 2023 to “establish better unity and connections for everyone in the underground world of the internet, to expand and grow our work and operations.”

Late last year, the cybercrime group ventured into ransomware-as-a-service (RaaS) with GhostLocker, offering it to other actors for $269.99 per month. Soon after, the Stormous ransomware group announced that it will use Python-based ransomware in its attacks.

The latest findings from Talos show that the two groups have banded together to not only strike a wide range of sectors, but also unleash an updated version of GhostLocker in November 2023 as well as start a new RaaS program in 2024 called STMX_GhostLocker.

“The new program is made up of three categories of services for the affiliates: paid, free, and another for the individuals without a program who only want to sell or publish data on their blog (PYV service),” Raghuprasad explained.

STMX_GhostLocker, which comes with its own leak site on the dark web, lists no less than six victims from India, Uzbekistan, Indonesia, Poland, Thailand, and Argentina.

GhostLocker 2.0 (aka GhostLocker V2) is written in Go and has been advertised as fully effective and offering fast encryption/decryption capabilities. It also comes with a revamped ransom note that urges victims to get in touch with them within seven days or risk getting their stolen data leaked.

The RaaS scheme also allows affiliates to track their operations, encryption status, and payments through a web panel. They are also provided with a builder that makes it possible to configure the locker payload according to their preferences, including the directories to encrypt and the processes and services to be terminated before commencing the encryption process.

Once deployed, the ransomware establishes a connection with a command-and-control (C2) panel and proceeds with the encryption routine, but not before killing the defined processes or services and exfiltrating files matching a specific list of extensions.

Talos said it discovered two new tools likely used by GhostSec to compromise legitimate sites. “One of them is the ‘GhostSec Deep Scan toolset’ to scan legitimate websites recursively, and another is a hack tool to perform cross-site scripting (XSS) attacks called ‘GhostPresser,’” Raghuprasad said.

GhostPresser is particularly designed to break into WordPress sites, allowing the threat actors to modify site settings, add new plugins and users, and even install new themes, demonstrating GhostSec’s commitment to evolving its arsenal.

“The group themselves has claimed they’ve used it in attacks on victims, but we have no way to validate any of those claims. This tooling would likely be used by the ransomware operators for a variety of reasons,” Talos told The Hacker News.

“The deep scan tool could be leveraged to look for ways into victim networks and the GhostPresser tool, in addition to compromising victim websites, could be used to stage payloads for distribution, if they didn’t want to use actor infrastructure.”
