GhostSec, a cybercrime gang, has been connected to a Golang version of the GhostLocker ransomware family.

According to a report published with The Hacker News by Cisco Talos analyst Chetan Raghuprasad, “TheGhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries.”

“GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program STMX_GhostLocker, providing various options for their affiliates.”

The gang has launched attacks against victims in the following countries: Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand, Indonesia, China, Lebanon, Israel, Uzbekistan, India, and Cuba.

Technology, education, manufacturing, government, transportation, energy, medicolegal, real estate, and telecom are some of the business sectors that have been most affected.

GhostSec is a member of The Five Families, a group that also includes ThreatSec, Stormous, Blackforums, and SiegedSec. It should not be confused with Ghost Security Group, which goes by the name GhostSec.

It was established in August 2023 in order to “establish better unity and connections for everyone in the underground world of the internet, to expand and grow our work and operations.”

With GhostLocker, the criminal gang entered the ransomware-as-a-service (RaaS) space towards the end of last year, charging $269.99 a month to other perpetrators. Subsequently, the Stormous ransomware gang said that it will use ransomware that is based on Python for its assaults.

According to Talos’ most recent discoveries, the two gangs have united to attack a variety of sectors, release an improved version of GhostLocker in November 2023, and launch STMX_GhostLocker, a new RaaS software, in 2024.

“The new program is made up of three categories of services for the affiliates: paid, free, and another for the individuals without a program who only want to sell or publish data on their blog (PYV service),” Raghuprasad said.

With its own dark web leak site, STMX_GhostLocker reports at least six victims from Argentina, Poland, Thailand, Uzbekistan, India, and Indonesia.

Written in Go, GhostLocker 2.0 (also known as GhostLocker V2) is touted as being completely functional and providing quick encryption and decryption capabilities. Additionally, a revised ransom letter is included, urging victims to contact them within seven days to avoid having their stolen data exposed.

Through a web panel, affiliates of the RaaS system may also keep an eye on payments, encryption status, and operational details. Additionally, they get a builder that allows them to customize the locker payload to their liking, including which folders to encrypt and which services and processes to stop before the encryption starts.

After being distributed, the ransomware connects to a command-and-control (C2) panel and begins its encryption routine, but not before terminating the specified services or processes and obtaining files that include a certain list of extensions.

Talos said that it has found two new tools that GhostSec probably used to infiltrate trustworthy websites. According to Raghuprasad, “two of them are the ‘GhostSec Deep Scan toolset,’ which is used to scan legitimate websites recursively, and ‘GhostPresser,’ which is a hacking tool used to carry out cross-site scripting (XSS) attacks.”

GhostPresser’s primary purpose is to infiltrate WordPress websites. This means that threat actors may modify site configurations, add new users and plugins, and even install new themes. This shows how dedicated GhostSec is to continuously improving its toolkit.

“The gang has said that they have used it in victim assaults, but we are unable to substantiate any of those allegations. Talos informed The Hacker News that the ransomware operators would probably exploit this technology for a number of purposes.

“The deep scan tool could be leveraged to look for ways into victim networks and the GhostPresser tool, in addition to compromising victim websites, could be used to stage payloads for distribution, if they didn’t want to use actor infrastructure.”

SOURCE