GhostSec and Stormous Launch Joint Ransomware Attacks in 15+ Countries

GhostSec and Stormous, two notorious cybercrime groups, have teamed up to launch a series of ransomware attacks across more than 15 countries. The attacks, which involve a Golang variant of the GhostLocker ransomware family, are targeting various business sectors worldwide.

According to the report, the joint attacks by GhostSec and Stormous are part of a double extortion ransomware campaign. The groups have initiated a new ransomware-as-a-service (RaaS) program named STMX_GhostLocker, offering different options for their affiliates.

The victims of these attacks span countries such as Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand, and Indonesia. Among the most affected industries are technology, education, manufacturing, government, transportation, energy, medicolegal, real estate, and telecom.

GhostSec is a member of The Five Families coalition, along with ThreatSec, Stormous, Blackforums, and SiegedSec. The coalition was formed in August 2023 to enhance collaboration in the underground internet world. In late 2023, GhostSec ventured into the RaaS model with GhostLocker, priced at $269.99 per month, while Stormous announced its intention to use Python-based ransomware in its attacks.

The latest developments reveal that GhostSec and Stormous have collaborated to broaden their impact and enhance their ransomware capabilities. They released an updated version of GhostLocker in November 2023 and launched the STMX_GhostLocker RaaS program in 2024, offering a range of services for affiliates.

STMX_GhostLocker includes paid, free, and PYV services for individuals interested in selling or publishing data. The ransomware, written in Go, is advertised as fast and effective at encryption and decryption. It comes with a revamped ransom note urging victims to contact the operators within seven days to prevent data leaks.

Affiliates of the RaaS program have access to a web panel to monitor their operations, encryption status, and payments. They can also use a builder to configure the ransomware payload according to their preferences, including specifying directories to encrypt and processes/services to terminate before encryption.

Additionally, the researcher discovered two new tools used by GhostSec to compromise legitimate sites: the “GhostSec Deep Scan toolset” for scanning websites recursively, and “GhostPresser,” a hack tool for performing cross-site scripting (XSS) attacks, particularly on WordPress sites. These tools demonstrate GhostSec’s commitment to evolving its tactics and arsenal in cyberattacks.

To protect against ransomware attacks, ensure your systems are regularly updated with the latest security patches. Implement robust cybersecurity measures, including regular backups of important data stored in secure locations. Educate employees about phishing attacks and the importance of not clicking on suspicious links or downloading unknown attachments. Consider using reputable antivirus software and firewalls to enhance your network security.