March 11, 2024
Severity
High
Analysis Summary
A cybercrime consortium known as The Five Families, which includes infamous groups like GhostSec and Stormous, has been conducting sophisticated ransomware attacks across multiple countries and business sectors.
GhostSec has developed a Golang variant of the GhostLocker ransomware and is collaborating with Stormous to create the STMX_GhostLocker ransomware-as-a-service (RaaS) program. This RaaS initiative, priced at $269.99 per month, offers a range of services to affiliates including paid options, free services, and a program for individuals who are seeking to sell or publish stolen data.
These groups have targeted various industries such as technology, education, government, and telecom in multiple countries like Indonesia, Thailand, Vietnam, Egypt, Turkiye, Qatar, Morocco, Brazil, South Africa, India, Uzbekistan, Lebanon, China, Poland, Argentina, and Cuba. The GhostLocker 2.0 ransomware boasts efficient encryption and decryption capabilities accompanied by an updated ransom note threatening data leakage if victims fail to comply within seven days.
Affiliates are provided with a user-friendly web panel to monitor their operations, track encryption status, and manage payments. Additionally, a custom builder tool enables configuration of the ransomware payload allowing affiliates to specify directories for encryption and processes to terminate before initiating encryption.
Security researchers have identified new tools that are utilized by GhostSec to compromise legitimate websites, including the GhostSec Deep Scan toolset for recursive website scanning and GhostPresser for conducting cross-site scripting attacks particularly targeting WordPress sites. These tools underscore GhostSec’s commitment to evolving its arsenal and expanding its capabilities.
Although the group claims to have used these tools in attacks, verification of such claims remains challenging. Nonetheless, these tools likely serve various purposes for the ransomware operators from identifying network vulnerabilities to staging ransomware payloads for distribution without direct attribution to the actors.
Impact
- Sensitive Data Theft
- File Encryption
Indicators of Compromise
MD5
- f001329114937fbc439f251c803ba825
- 8ad67a1b7a5f2428c93f7a13a398e39c
SHA-256
- a1b468e9550f9960c5e60f7c52ca3c058de19d42eafa760b9d5282eb24b7c55f
- 8b758ccdfbfa5ff3a0b67b2063c2397531cf0f7b3d278298da76528f443779e9
SHA-1
- 95ae81de52655fac3f1b226f1896690566090640
- d4f71fc5479a02c8ff57c90fc67b948adb5604e0
URL
- http://94.103.91.246/incrementLaunch
- http://94.103.91.246/addInfection
- http://94.103.91.246/login?next=
- http://94.103.91.246/upload
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
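The "search for IOCs" and "block all threat indicators" steps above are easiest to act on with a small sweep script. The following is an added example, not part of the Rewterz advisory: it hashes files under a directory with MD5, SHA-1 and SHA-256 in one pass and compares them against the hash indicators listed above, and it scans web-proxy log lines for the C2 host and URL paths listed above. The hash and URL values are taken from this advisory; the log lines, the log format and the directory layout are constructed for the demonstration and are assumptions.

```python
"""IOC sweep helper (added example, not part of the Rewterz advisory).

Hash indicators and C2 URLs are copied from the advisory text above; the
sample log lines and log format below are constructed for the demo.
"""
import hashlib
import os
import re
from typing import Dict, Iterable, List, Tuple

# Hash indicators from the advisory.
IOC_HASHES = {
    "md5": {
        "f001329114937fbc439f251c803ba825",
        "8ad67a1b7a5f2428c93f7a13a398e39c",
    },
    "sha1": {
        "95ae81de52655fac3f1b226f1896690566090640",
        "d4f71fc5479a02c8ff57c90fc67b948adb5604e0",
    },
    "sha256": {
        "a1b468e9550f9960c5e60f7c52ca3c058de19d42eafa760b9d5282eb24b7c55f",
        "8b758ccdfbfa5ff3a0b67b2063c2397531cf0f7b3d278298da76528f443779e9",
    },
}

# Network indicators from the advisory. The host and paths are split out so a
# proxy log that records the destination IP still matches even if the query
# string differs from the listed URL.
IOC_URLS = [
    "http://94.103.91.246/incrementLaunch",
    "http://94.103.91.246/addInfection",
    "http://94.103.91.246/login?next=",
    "http://94.103.91.246/upload",
]
URL_RE = re.compile(r"https?://([^/\s]+)(/[^\s?]*)")
IOC_HOSTS = {URL_RE.match(u).group(1) for u in IOC_URLS}
IOC_PATHS = {URL_RE.match(u).group(2) for u in IOC_URLS}


def _digest_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed every chunk to MD5, SHA-1 and SHA-256 at once; return hex digests."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return _digest_chunks([data])


def hash_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(1 << 20), b""))


def match_hashes(digests: Dict[str, str]) -> List[str]:
    """Names of the algorithms whose digest appears on the IOC list."""
    return [algo for algo, value in digests.items() if value in IOC_HASHES.get(algo, set())]


def sweep_directory(root: str) -> List[Tuple[str, List[str]]]:
    """Walk a directory tree and return (path, matched_algorithms) for IOC hits."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                matched = match_hashes(hash_file(path))
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if matched:
                hits.append((path, matched))
    return hits


# Constructed sample proxy log lines (format assumed: time client method url status).
SAMPLE_LOG_LINES = [
    "2024-03-11T10:01:02Z 10.0.0.5 GET http://example.com/index.html 200",
    "2024-03-11T10:02:15Z 10.0.0.7 POST http://94.103.91.246/addInfection 200",
    "2024-03-11T10:03:40Z 10.0.0.7 GET http://94.103.91.246/login?next=/panel 302",
    "2024-03-11T10:04:01Z 10.0.0.9 GET http://94.103.91.246/favicon.ico 404",
]


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (reason, line) for every line that contacts the advisory's C2 host.

    'url' means host and path both match a listed indicator; 'host' means only
    the host matched, which is still worth triage since the IP is the C2 server.
    """
    findings = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        host, path = m.group(1), m.group(2)
        if host in IOC_HOSTS:
            findings.append(("url" if path in IOC_PATHS else "host", line.strip()))
    return findings


if __name__ == "__main__":
    for reason, line in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"[{reason}] {line}")
    for path, algos in sweep_directory("."):
        print(f"[hash:{','.join(algos)}] {path}")
```

Running the script prints the two URL-level hits and the host-only hit from the sample lines, then any files under the current directory whose digest matches an advisory hash. Matching on the host as well as the full URL is deliberate: a query string such as `next=` changes per request, so an exact-URL comparison alone would miss the login beacon.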