Hacker group GhostSec has seen a significant increase in malicious activity over the past year, according to a study conducted by Cisco Talos.
This boom includes the emergence of GhostLocker 2.0, a new ransomware variant developed by the group using the Golang programming language.
GhostSec, in collaboration with the Stormous ransomware group, has carried out double-extortion ransomware attacks across multiple countries and industries. Additionally, they launched a ransomware-as-a-service (RaaS) program called STMX_GhostLocker, offering various options to affiliates.
In an advisory published today, Talos said it also discovered two new tools in GhostSec’s arsenal: “GhostSec Deep Scan Tool” and “GhostPresser,” both likely used in attacks against websites. These tools are used to analyze legitimate websites and execute cross-site scripting (XSS) attacks, respectively.
Joint operations by GhostSec and Stormous have resulted in casualties around the world, including Cuba, Argentina, Poland, China, and Israel, among others. The groups have targeted various industries – primarily technology and education – as evidenced by revelations made on their Telegram channels.
GhostSec, which claims association with modern hacker groups like ThreatSec and Blackforums, focuses primarily on money-motivated cybercriminal activities. They carry out single and double extortion attacks, denial of service (DoS) attacks, and website takedowns, with the aim of raising funds for hacktivists and other malicious actors.
Learn more about GhostSec: Hacker Group GhostSec unveils next-generation ransomware implant
According to Cisco Talos, the introduction of GhostLocker 2.0 demonstrates the group’s evolving tactics when it comes to ransomware development. This variant encrypts files with the “.ghost” extension and offers updated ransom notes and command and control panel (C2) capabilities.
Additionally, the discovery of the GhostSec Deep Scan tool and GhostPresser highlights the group’s sophistication in compromising legitimate websites. These tools facilitate website scanning and XSS attacks, expanding the group’s capabilities beyond traditional ransomware operations.