GhostSec and Stormous Launch Joint Ransomware Attacks in Over 15 Countries

/in


The cybercrime group called GhostSec has been linked to a Golang variant of a ransomware family called GhostLocker.

“TheGhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries,” Cisco Talos researcher Chetan Raghuprasad said in a report shared with The Hacker News.

“GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program STMX_GhostLocker, providing various options for their affiliates.”

Attacks mounted by the group have targeted victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand, and Indonesia.

Some of the most impacted business verticals include technology, education, manufacturing, government, transportation, energy, medicolegal, real estate, and telecom.

GhostSec – not to be confused with Ghost Security Group (which is also called GhostSec) – is part of a coalition called The Five Families, which also includes ThreatSec, Stormous, Blackforums, and SiegedSec.

Cybersecurity

It was formed in August 2023 to “establish better unity and connections for everyone in the underground world of the internet, to expand and grow our work and operations.”

Late last year, the cybercrime group ventured into ransomware-as-a-service (RaaS) with GhostLocker, offering it to other actors for $269.99 per month. Soon after, the Stormous ransomware group announced that it will use Python-based ransomware in its attacks.

The latest findings from Talos show that the two groups have banded together to not only strike a wide range of sectors, but also unleash an updated version of GhostLocker in November 2023 as well as start a new RaaS program in 2024 called STMX_GhostLocker.

“The new program is made up of three categories of services for the affiliates: paid, free, and another for the individuals without a program who only want to sell or publish data on their blog (PYV service),” Raghuprasad explained.

STMX_GhostLocker, which comes with its own leak site on the dark web, lists no less than six victims from India, Uzbekistan, Indonesia, Poland, Thailand, and Argentina.

GhostLocker…

Source…