GhostLocker 2.0 Haunts Businesses Across Middle East, Africa & Asia

Cybercriminals have developed an enhanced version of the infamous GhostLocker ransomware that they are deploying in attacks across the Middle East, Africa, and Asia.

Two ransomware groups, GhostSec and Stormous, have joined forces in the attack campaigns with double-extortion ransomware attacks using the new GhostLocker 2.0 to infect organizations in Lebanon, Israel, South Africa, Turkey, Egypt, India, Vietnam, and Thailand, as well as other locations.

Technology companies, universities, manufacturing, transportation, and government organizations are bearing the brunt of attacks, which attempt to scam victims into paying for decryption keys needed to unscramble data that was rendered inaccessible by the file-encrypting malware. The attackers also threaten to release the stolen sensitive data unless the victims pay them hush money, according to researchers at Cisco Talos, who discovered the new malware and cyberattack campaign.

RaaS Program Offers Options to Attackers

Both the GhostLocker and Stormous ransomware groups have introduced a revised ransomware-as-a-service (RaaS) program called STMX_GhostLocker, providing various options for their affiliates.

The GhostSec and Stormous groups announced their data theft in their Telegram channels and on the Stormous ransomware data-leak site.

In a technical blog post this week, Cisco Talos said GhostSec is attacking Israel's industrial systems, critical infrastructure, and technology companies. Supposed victims include the Israeli Ministry of Defense, but the motives of the group appear to be primarily profit-driven and not for kinetic sabotage purposes.

Chats in the group's Telegram channel suggest the group is motivated (at least in part) by a desire to raise funds for hacktivists and threat actors. The group's chosen moniker GhostSec resembles that of well-known hacktivist crew Ghost Security Group, an outfit known for targeting pro-Islamic State group websites and other cyberattacks, but any connection remains unconfirmed.

The Stormous gang added the GhostLocker ransomware program to its existing StormousX program following a successful joint operation against Cuban ministries last July.

Cyberattackers Focus on Corporate Websites

GhostSec appears to be conducting attacks against corporate websites, including a national railway operator in Indonesia and a Canadian energy supplier. Cisco Talos reports that the group may be using its GhostPresser tool in conjunction with cross-site scripting (XSS) attacks against vulnerable websites.

The ransomware kingpins are offering a newly developed GhostSec deep-scan tool set that would-be attackers can use to scan the websites of their potential targets.

The Python-based utility contains placeholders to perform specific functions including the potential ability to scan for specific vulnerabilities (by CVE numbers) on targeted websites. The promised functionality indicates "GhostSec's continuous evolution of tools in their arsenal," according to Cisco Talos. Security researchers report that the malware's developers are referencing "ongoing work" on "GhostLocker v3" in their chats.

GhostLocker 2.0's Message

GhostLocker 2.0 encrypts files on the victim's machine using the file extension .ghost before dropping and opening a ransom note. Prospective marks warn that stolen data will be leaked unless they contact ransomware operators before a seven-day deadline expires.

GhostLocker ransomware-as-a-service affiliates have access to a control panel that allows them to monitor the progress of their attacks, which are automatically registered on the dashboard. The GhostLocker 2.0 command-and-control server resolves with a geolocation in Moscow, a similar setup to earlier versions of the ransomware.

Paying affiliates gain access to a ransomware builder that can be configured with various options, including the target directory for encryption. Developers have configured the ransomware to exfiltrate and encrypt the files that have file extensions .doc, .docx, .xls, and .xlsx (i.e., Word-created document file and spreadsheets).

The latest version of GhostLocker was written in the GoLang programming language, unlike the previous version, which was developed using Python. The functionality remains similar, however, according to Cisco Talos. One difference in the new version: It doubles the encryption key length from 128 to 256 bits.

Cyber Protections from the Ghost

So how can you defend against this attack campaign? Cisco recommends building defense-in-depth security in order to more readily detect an attack; referring to the group's TTPs; and updating detection signatures for GhostLocker ransomware's newest version.

"GhostSec group is also known to conduct DoS and attack victim's websites, [so] organizations should ... implement layered defense with demilitarized zones [DMZs] for their Web servers to function, isolating those public-facing systems," Cisco said in a statement to Dark Reading.

Meanwhile, Cisco noted that it's unclear how successful the latest GhostLocker attacks have been.

"At this point we do not have any indication on how many potential victims are impacted. There was some data visible on the leak site, but it's difficult to say if that's a true number or how much money they paid, if any," according to the statement.