The hacking group GhostSec has seen a significant increase in its malicious activities over the past year, according to research conducted by Cisco Talos.
This surge includes the emergence of GhostLocker 2.0, a new variant of ransomware developed by the group using the Golang programming language.
GhostSec, in collaboration with the Stormous ransomware group, has been conducting double extortion ransomware attacks across multiple countries and business sectors. Additionally, they have launched a ransomware-as-a-service (RaaS) program called STMX_GhostLocker, offering various options for affiliates.
In an advisory published today, Talos said it also uncovered two new tools in GhostSec’s arsenal: the “GhostSec Deep Scan tool” and “GhostPresser,” both likely utilized in attacks against websites. These tools enable the scanning of legitimate websites and the execution of cross-site scripting (XSS) attacks, respectively.
The joint operations of GhostSec and Stormous have affected victims globally, including in Cuba, Argentina, Poland, China and Israel, among others. The groups have targeted various industries – mainly technology and education – as evidenced by disclosures made in their Telegram channels.
GhostSec, which claims association with modern-day hacker groups like ThreatSec and Blackforums, primarily focuses on financially motivated cybercriminal activities. They conduct single and double extortion attacks, denial-of-service (DoS) attacks and website takedowns, aiming to raise funds for hacktivists and other threat actors.
Read more on GhostSec: Hacker Group GhostSec Unveils New Generation Ransomware Implant
According to Cisco Talos, the introduction of GhostLocker 2.0 demonstrates the group’s evolving tactics in ransomware development. This variant encrypts files with the extension “.ghost” and features updated ransom notes and command-and-control (C2) panel capabilities.
Furthermore, the discovery of the GhostSec Deep Scan tool and GhostPresser underscores the group’s sophistication in compromising legitimate websites. These tools facilitate website scanning and XSS attacks, expanding the group’s capabilities beyond traditional ransomware operations.