GhostLocker 2.0 Haunts Businesses Across Middle East, Africa & Asia

Ransomware cybercrime gangs GhostSec and Stormous have teamed up in widespread double-extortion attacks.
March 5, 2024
Cybercriminals have developed an enhanced version of the infamous GhostLocker ransomware that they are deploying in attacks across the Middle East, Africa, and Asia.
Two ransomware groups, GhostSec and Stormous, have joined forces in the attack campaigns with double-extortion ransomware attacks using the new GhostLocker 2.0 to infect organizations in Lebanon, Israel, South Africa, Turkey, Egypt, India, Vietnam, and Thailand, as well as other locations.
Technology companies, universities, manufacturing, transportation, and government organizations are bearing the brunt of attacks, which attempt to scam victims into paying for decryption keys needed to unscramble data that was rendered inaccessible by the file-encrypting malware. The attackers also threaten to release the stolen sensitive data unless the victims pay them hush money, according to researchers at Cisco Talos, who discovered the new malware and cyberattack campaign.

Both the GhostLocker and Stormous ransomware groups have introduced a revised ransomware-as-a-service (RaaS) program called STMX_GhostLocker, providing various options for their affiliates.
The GhostSec and Stormous groups announced their data theft in their Telegram channels and on the Stormous ransomware data-leak site.
In a technical blog post this week, Cisco Talos said GhostSec is attacking Israel's industrial systems, critical infrastructure, and technology companies. Supposed victims include the Israeli Ministry of Defense, but the motives of the group appear to be primarily profit-driven and not for kinetic sabotage purposes.
Chats in the group's Telegram channel suggest the group is motivated (at least in part) by a desire to raise funds for hacktivists and threat actors. The group's chosen moniker GhostSec resembles that of well-known hacktivist crew Ghost Security Group, an outfit known for targeting pro-Islamic State group websites and other cyberattacks, but any connection remains unconfirmed.
The Stormous gang added the GhostLocker ransomware program to its existing StormousX program following a successful joint operation against Cuban ministries last July.

GhostSec appears to be conducting attacks against corporate websites, including a national railway operator in Indonesia and a Canadian energy supplier. Cisco Talos reports that the group may be using its GhostPresser tool in conjunction with cross-site scripting (XSS) attacks against vulnerable websites.
The ransomware kingpins are offering a newly developed GhostSec deep-scan tool set that would-be attackers can use to scan the websites of their potential targets.
The Python-based utility contains placeholders to perform specific functions including the potential ability to scan for specific vulnerabilities (by CVE numbers) on targeted websites. The promised functionality indicates "GhostSec's continuous evolution of tools in their arsenal," according to Cisco Talos. Security researchers report that the malware's developers are referencing "ongoing work" on "GhostLocker v3" in their chats.

GhostLocker 2.0 encrypts files on the victim's machine, appending the file extension .ghost, before dropping and opening a ransom note. Prospective marks are warned that stolen data will be leaked unless they contact the ransomware operators before a seven-day deadline expires.
GhostLocker ransomware-as-a-service affiliates have access to a control panel that allows them to monitor the progress of their attacks, which are automatically registered on the dashboard. The GhostLocker 2.0 command-and-control server resolves with a geolocation in Moscow, a similar setup to earlier versions of the ransomware.
Paying affiliates gain access to a ransomware builder that can be configured with various options, including the target directory for encryption. The developers have configured the ransomware to exfiltrate and encrypt files with the extensions .doc, .docx, .xls, and .xlsx (i.e., Word documents and spreadsheet files).
The latest version of GhostLocker was written in the Go (Golang) programming language, unlike the previous version, which was developed in Python. The functionality remains similar, however, according to Cisco Talos. One difference in the new version: it doubles the encryption key length from 128 to 256 bits.
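The behaviours described above (document files being renamed with a .ghost suffix, followed by a ransom note) are exactly what a file-server or EDR telemetry rule can key on. The following Python script is an added illustration for defenders, not code from Cisco Talos or Dark Reading: it consumes a constructed stream of file-system audit events and raises an alert for any host where several targeted document files gain the .ghost extension inside a short window. The event format, the thresholds, the host names and the ransom-note file name are all assumptions made for the example.

```python
"""Heuristic detector for GhostLocker-style mass file renaming.

Added example (not Cisco Talos or Dark Reading code). It replays a constructed
stream of file-system audit events and flags a host when many targeted document
files are renamed with the '.ghost' suffix inside a short sliding window.
"""
from collections import defaultdict
from dataclasses import dataclass

# Behaviours reported for GhostLocker 2.0 in the article: the document
# extensions it targets and the '.ghost' suffix appended to encrypted files.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx"}
RANSOM_SUFFIX = ".ghost"

# Detection thresholds below are assumptions chosen for illustration; tune them
# to the normal rename rate of the file share being monitored.
WINDOW_SECONDS = 60
MIN_RENAMES = 5


@dataclass(frozen=True)
class FileEvent:
    timestamp: float   # seconds since epoch (assumed audit-log field)
    host: str          # host that produced the event
    action: str        # "rename", "create", "write", ...
    path: str          # path of the file after the action


def is_ghost_encryption(event: FileEvent) -> bool:
    """True when a targeted document file has just received the .ghost suffix."""
    if event.action != "rename":
        return False
    lower = event.path.lower()
    if not lower.endswith(RANSOM_SUFFIX):
        return False
    original = lower[: -len(RANSOM_SUFFIX)]
    return any(original.endswith(ext) for ext in TARGET_EXTENSIONS)


def detect_mass_encryption(events, window=WINDOW_SECONDS, threshold=MIN_RENAMES):
    """Return {host: timestamp_of_first_alert} for every host that produced at
    least `threshold` .ghost renames of document files within `window` seconds."""
    alerts = {}
    recent = defaultdict(list)  # host -> timestamps of qualifying renames in window
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.host in alerts or not is_ghost_encryption(ev):
            continue
        bucket = recent[ev.host]
        bucket.append(ev.timestamp)
        # Drop renames that have fallen outside the sliding window.
        while bucket and ev.timestamp - bucket[0] > window:
            bucket.pop(0)
        if len(bucket) >= threshold:
            alerts[ev.host] = ev.timestamp
    return alerts


# Constructed sample telemetry: one file server being encrypted, one workstation
# doing ordinary work. Host names and paths are invented for the example.
SAMPLE_EVENTS = [
    FileEvent(1000.0, "fs-01", "rename", r"C:\Shares\finance\q1.xlsx.ghost"),
    FileEvent(1001.0, "fs-01", "rename", r"C:\Shares\finance\q2.xlsx.ghost"),
    FileEvent(1002.0, "fs-01", "rename", r"C:\Shares\hr\contract.docx.ghost"),
    FileEvent(1003.0, "fs-01", "rename", r"C:\Shares\hr\policy.doc.ghost"),
    # Ransom note drop (file name is a constructed placeholder); not a rename, so not counted.
    FileEvent(1004.0, "fs-01", "create", r"C:\Shares\hr\RANSOM_NOTE.txt"),
    FileEvent(1005.0, "fs-01", "rename", r"C:\Shares\legal\nda.docx.ghost"),
    FileEvent(1000.0, "ws-07", "rename", r"C:\Users\a\report-final.docx"),  # benign rename
    FileEvent(2000.0, "ws-07", "rename", r"C:\Users\a\old.xls.ghost"),       # single hit, below threshold
]


if __name__ == "__main__":
    for host, ts in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT host={host}: mass .ghost renames of document files at t={ts}")
```

The rule deliberately counts only renames of the extensions the article lists, so an isolated .ghost file on a workstation does not page anyone, while a burst of them on a share does. In a real deployment the same logic would sit on top of Windows file-audit events or an EDR's file-telemetry feed rather than an in-memory list.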

So how can you defend against this attack campaign? Cisco recommends building defense-in-depth security in order to more readily detect an attack; referring to the group's TTPs; and updating detection signatures for GhostLocker ransomware's newest version.
"GhostSec group is also known to conduct DoS and attack victim's websites, [so] organizations should … implement layered defense with demilitarized zones [DMZs] for their Web servers to function, isolating those public-facing systems," Cisco said in a statement to Dark Reading.
Meanwhile, Cisco noted that it's unclear how successful the latest GhostLocker attacks have been.
"At this point we do not have any indication on how many potential victims are impacted. There was some data visible on the leak site, but it's difficult to say if that's a true number or how much money they paid, if any," according to the statement.
John Leyden, Contributing Writer
John Leyden is an experienced cybersecurity writer, having previously written for the Register and Daily Swig.

Image source: Dorota Szymczyk via Alamy Stock Photo