A new version of the infamous GhostLocker ransomware has been developed by cyber criminals, and they are now targeting users across the Middle East, Africa, and Asia with this ransomware. With the help of the new GhostLocker 2.0 ransomware, two ransomware groups have joined forces in attacking organizations in Lebanon, Israel, South Africa, Turkey, Egypt, India, Vietnam, and Thailand in double-extortion ransomware attacks, which have been conducted by two groups of ransomware groups, GhostSec and Stormous. 

The attack targets technology companies, universities, companies that manufacture, transport, and government organizations that have been rendered inaccessible by the file-encrypting malware. These are the main targets of these attacks, which attempt to scam victims into paying for decryption keys that would allow them to retrieve the data that was encrypted and render it inaccessible. 

According to researchers at Cisco Talos, who discovered the new malware campaign and cyberattack campaign being run by the criminals, the attackers had also threatened to release exposed victims' sensitive data unless they paid hush money to keep the information hidden. As a result of both GhostLocker and Stormous ransomware groups revamping their RaaS programs, they have introduced a new one called STMX_GhostLocker, which offers their affiliates several options for the distribution of ransomware. 

As well as on the Stormous ransomware data-leak site, the GhostSec and Stormous groups also announced they had been tampering with data on their Telegram channels. A Cisco Talos blog post released this week suggested that GhostSec was targeting Israel's industrial systems, critical infrastructure, and technology companies, according to the blog post. It is believed that there are victims, including the Israeli Ministry of Defense, but the motive of the group does not seem to be one of kinetic sabotage so much as it is one of profit-driven objectives. 

Telegram chats suggest that at least part of the motivation of the group (at least initially) is to raise funds for hacktivists and threat actors, as indicated by conversations in the group's Telegram channel. As a curious note, GhostSec has adopted the same name as Ghost Security Group, well-known as a hacktivist organization known for targeting ‘pro-Islamic State group’ websites and making other cyberattacks, though there remains no confirmation that the two organizations are linked. 

As a result of successful joint operations between the Stormous gang and Cuban ministries last July, the Stormous gang added the GhostLocker ransomware program to its existing StormousX program. A group of hackers calling themselves GhostSec has been carrying out attacks on corporate websites, including a national railway company in Indonesia as well as a corporate energy supplier in Canada. 

Cisco Talos has reported that the group could be using the GhostPresser tool as a means to conduct cross-site scripting (XSS) attacks against vulnerable websites when it launches attacks against them. This week, the kingpins of ransomware are also offering the GhostSec deep-scan tool suite that was created by them, which would allow potential attackers to sweep websites of potential targets to find ransomware implants. 

With the Python-based utility, users will be able to perform specific functions, such as scanning for specific vulnerabilities on targeted websites (by referring to specific CVE numbers) using placeholders. In Cisco Talos' opinion, "the promise of functionality demonstrates a continuous evolution, which goes hand in hand with GhostSec's continuous development of tools for their arsenal." In the chats that the malware's developers are having in their chats, they seem to refer to "ongoing work" on "GhostLocker v3", according to security researchers. 

In addition to encrypting files on the victim's computer with the extension .ghost, GhostLocker 2.0 drops a ransom note on the victim's machine and asks for a ransom to unlock it. Potential targets are being issued warnings that their compromised data will be publicly disclosed unless they reach out to ransomware operators within a strict seven-day timeframe. Affiliates of the GhostLocker ransomware-as-a-service are equipped with a sophisticated control panel enabling real-time monitoring of their attacks, all seamlessly registered on the dashboard. 

The command-and-control server for GhostLocker 2.0 is geolocated in Moscow, resembling the setup of earlier ransomware versions. Affiliates who opt to pay gain entry to a customizable ransomware builder, allowing the configuration of various options, including the target directory for encryption. The ransomware, designed by developers, is adept at exfiltrating and encrypting files with extensions such as .doc, .docx, .xls, and .xlsx, encompassing Word-created documents and spreadsheets. 

Unlike its predecessor developed in Python, the latest iteration of GhostLocker is coded in the GoLang programming language. Despite this shift, the functionality remains akin to the previous version, with a notable enhancement: the encryption key length has been doubled from 128 to 256 bits. In response to this menacing campaign, organizations are advised by Cisco Talos to fortify their defences through a comprehensive security approach, facilitating prompt attack detection. 

This involves studying the tactics, techniques, and procedures (TTPs) employed by the GhostLocker group, as well as ensuring up-to-date detection signatures for the newest GhostLocker ransomware version. Cisco further recommends that organizations fortify their web servers with layered defence mechanisms, incorporating demilitarized zones (DMZs) to isolate public-facing systems. This is particularly pertinent given the GhostSec group's track record of conducting denial-of-service (DoS) attacks on victim websites. 

Despite these precautionary measures, the true impact of the recent GhostLocker attacks remains elusive. Cisco has underscored the uncertainty surrounding the number of potential victims affected. While some data has surfaced on the leak site, it remains challenging to ascertain its accuracy, including the extent of financial transactions, if any. As the cybersecurity landscape evolves, GhostLocker ransomware emerges as a persistent threat, underscoring the critical need for organizations to continuously enhance their security measures. 

The adoption of a defence-in-depth strategy, meticulous analysis of threat actors' TTPs, and regular updates to detection mechanisms are imperative in safeguarding against the ever-evolving tactics of malicious entities. The call for layered defence, including the implementation of DMZs for web servers, reinforces the proactive approach required to mitigate the risks associated with this sophisticated ransomware campaign.