Cybercriminals have launched a new wave of ransomware attacks spreading across regions in the Middle East, Africa, and Asia, wielding an advanced version of the notorious GhostLocker malware.
Two prominent ransomware groups, GhostSec and Stormous, have merged their efforts, unleashing the GhostLocker 2.0 in coordinated campaigns targeting organisations in Lebanon, Israel, South Africa, Turkey, Egypt, India, Vietnam, Thailand, and beyond.
These attacks primarily target technology firms, educational institutions, manufacturing plants, transportation networks, and governmental bodies. Victims find themselves coerced into paying for decryption keys to regain access to their encrypted data, with the threat of sensitive information exposure looming over them, as disclosed by researchers from Cisco Talos, who uncovered this new cyber threat.
Both GhostLocker and Stormous have introduced an updated version of their ransomware-as-a-service (RaaS) program, dubbed STMX_GhostLocker, catering to various preferences of their affiliates.
Public announcements regarding data theft have been made via the Telegram channels of GhostSec and Stormous, alongside the Stormous ransomware data-leak platform.
In a recent technical analysis by Cisco Talos, GhostSec’s targets include industrial systems, critical infrastructure, and technology firms within Israel. Notably, the group’s motives appear primarily financially driven rather than aimed at kinetic sabotage, with alleged targets including the Israeli Ministry of Defense.
Conversations within GhostSec’s Telegram channel suggest a motive driven, at least partially, by fundraising for hacktivists and threat actors. The group’s name resemblance to the renowned hacktivist group Ghost Security Group, known for targeting pro-Islamic State websites, remains unconfirmed.
Stormous incorporated the GhostLocker ransomware into its existing StormousX program following a successful operation against Cuban ministries in July.
GhostSec’s recent activities include attacks on corporate websites, such as Indonesia’s national railway operator and a Canadian energy supplier. Cisco Talos indicates the possible use of GhostSec’s GhostPresser tool alongside cross-site scripting (XSS) attacks on vulnerable sites.
Ransomware operators offer a newly developed GhostSec deep-scan tool to scan potential targets’ websites, indicating the group’s ongoing evolution of attack tools.
GhostLocker 2.0 encrypts files with the “.ghost” extension, accompanied by a ransom note, threatening data exposure unless victims contact the operators within a seven-day timeframe.
Affiliates of GhostLocker ransomware-as-a-service have access to a control panel for monitoring attacks, with command-and-control servers geolocated in Moscow, resembling previous versions.
The malware targets specific file extensions, including .doc, .docx, .xls, and .xlsx, leveraging a ransomware builder allowing configuration options, with the latest version coded in GoLang, doubling encryption key length to 256 bits.
To counter these attacks, Cisco recommends implementing defense-in-depth security measures, staying informed about the groups’ tactics, techniques, and procedures (TTPs), and updating detection mechanisms for the latest GhostLocker variant.
Organisations should consider implementing layered defences, including demilitarised zones (DMZs) for web servers, to mitigate the risk of Distributed Denial of Service (DoS) attacks and protect public-facing systems.
While the extent of the latest GhostLocker attacks’ success remains uncertain, ongoing vigilance and proactive security measures are paramount in safeguarding against such threats.
Read more
Source: Dark Reading
Discover more from One Africa News Today
Subscribe to get the latest posts sent to your email.