GhostLocker & Stormous: Ransomware Duo Wreaks Havoc

The international cybercriminal syndicate GhostSec, implicated in the creation and dissemination of ransomware named GhostLocker, is rapidly expanding the scope of its malevolent operations, encroaching upon an increasing number of countries.

According to a recent report by Cisco Talos, GhostSec, in collaboration with Stormous, another cybercriminal group, orchestrates attacks employing a “double extortion” tactic, affecting diverse business sectors worldwide.

In November 2023, the groups updated the GhostLocker ransomware to version 2.0, rendering it even more potent and perilous. This year, they launched a new RaaS (Ransomware-as-a-Service) program called STMX_GhostLocker.

[Figure: STMX_GhostLocker non-member affiliate working model]

The RaaS distribution scheme enables affiliates to monitor their operations via a web panel and tailor the ransomware’s behavior to their preferences.

The countries with victims of the groups' joint activities include Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkey, Egypt, Vietnam, Thailand, and Indonesia.

The industries most affected by these attacks are information technology, education, manufacturing, the government sector, transportation, energy, healthcare, real estate, and telecommunications.

This diversity of victims is readily attributable to the RaaS distribution scheme: subscriptions to the malicious toolkit can be purchased by hundreds of individuals from different countries, rapidly enlarging the victim pool for the criminal duo of GhostSec and Stormous.

Furthermore, Cisco Talos has discovered new tools, likely utilized by GhostSec for compromising legitimate websites, including the “GhostSec Deep Scan” toolkit for in-depth website scanning and the “GhostPresser” tool for attacks on WordPress sites.

All these developments attest to GhostSec’s ambition to expand and evolve its arsenal for conducting more sophisticated attacks. The broader the hacker arsenal a group can offer, the more affiliates it can potentially attract and the more money it can earn.

It is worth noting that GhostSec is a part of the “Five Families” coalition, formed in August 2023. This coalition also includes the aforementioned Stormous, as well as the groups ThreatSec, SiegedSec, and Blackforums.

This coalition aims to strengthen unity and connections in the underground internet space to expand cybercriminal activities. As demonstrated by the collaborative endeavors of GhostSec and Stormous, the hackers have successfully established efficient cooperation.

The proliferation and strengthening of cybercriminal syndicates like the “Five Families” once again remind private and governmental organizations worldwide of the need to continually refine their security measures, sparing no expense on effective solutions and competent personnel. Only through such measures can organizations protect themselves against threats of this kind and keep their business afloat.