GhostLocker Ransomware

Written by The Hivemind | Jul 5, 2024 6:05:23 PM

Verticals Targeted: Technology, Education, Manufacturing, Transportation, Government

Executive Summary

GhostLocker, a ransomware family that has been in the wild since late 2023, is now under new management. Stormous, the new GhostLocker operators, have stated they are updating the program and will offer some ransomware services for free.

Key Takeaways

  • GhostLocker is a ransomware family that has been in the wild since October 2023. 
  • It is a ransomware as a service (RaaS) created by hacktivists, including SiegedSec, GhostSec, and other members of The Five Families collective. 
  • GhostLocker version 2.0 was observed targeting entities in the Middle East, Africa, and Asia earlier this year. 
  • Stormous, the new GhostLocker operators, have stated they are updating the program and will offer some ransomware services for free. 

What is GhostLocker?

GhostLocker is a ransomware family that has been in the wild since October 2023. It is a ransomware as a service (RaaS) created by hacktivists, including SiegedSec, GhostSec, and other members of The Five Families collective. Cyberint first reported on GhostLocker in late 2023 and recently updated the report due to new GhostLocker activity. 

In recent years, some hacktivist groups were observed engaging in financially motivated cybercrime activities to support their efforts, and Cyberint assessed GhostLocker is likely used for that purpose. Additionally, some ransomware groups have leveraged GhostLocker in their criminal activity. GhostLocker version 2.0 was observed targeting entities in the Middle East, Africa, and Asia earlier this year. Targeted verticals include technology, education, manufacturing, transportation, and government.

GhostLocker’s operators claim to support advanced techniques and prioritize effectiveness. The ransomware is also purported to be undetectable. Operating as RaaS, GhostLocker’s operators support the ransomware infrastructure and negotiations while only taking a 15% fee from affiliates.

GhostLocker is Python-based and appears to be compiled with Nuitka. Nuitka drops both an .EXE file and multiple .PYD files in the TEMP directory on a victim machine. The .EXE contains the ransomware's Python source code, encoded in base64. GhostLocker targets Windows machines and encrypts files with AES through the Fernet library.
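The base64-encoded Python source inside the dropped .EXE gives a defender a cheap static-triage check. The scanner below is an added example, not PolySwarm's tooling or code from the GhostLocker sample: it pulls long base64 runs out of a binary, decodes them at each of the four possible frame offsets, and reports the ones that look like Python source and reference Fernet. The sample "binary" and the Python stub it contains are constructed here for the demonstration.

```python
import base64
import binascii
import re

MIN_B64_RUN = 64  # shorter base64-looking runs are mostly noise
# Substrings that make a decoded blob look like Python source, plus the marker
# for the Fernet library the report says GhostLocker uses for encryption.
PY_MARKERS = (b"import ", b"def ", b"from ")
FERNET_MARKER = b"Fernet"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_RUN)

def _decode_python(run: bytes):
    """Try all four base64 frame offsets (the run may start with stray alphabet bytes)."""
    for shift in range(4):
        chunk = run[shift:]
        chunk += b"=" * (-len(chunk) % 4)  # repair padding lost at the run boundary
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except (binascii.Error, ValueError):
            continue
        if any(marker in decoded for marker in PY_MARKERS):
            return decoded
    return None

def find_embedded_python(data: bytes) -> list:
    """Return each base64 run in `data` that decodes to something resembling Python."""
    hits = []
    for match in B64_RUN.finditer(data):
        decoded = _decode_python(match.group(0))
        if decoded is None:
            continue
        hits.append({
            "offset": match.start(),
            "length": len(decoded),
            "uses_fernet": FERNET_MARKER in decoded,
            "preview": decoded[:40].decode("utf-8", "replace"),
        })
    return hits

# Constructed stand-in for an unpacked dropper: a base64-encoded Python stub
# between filler bytes. Not GhostLocker code, only a test input.
SAMPLE_SOURCE = (b"import os\nfrom cryptography.fernet import Fernet\n"
                 b"def encrypt_dir(path, key):\n    f = Fernet(key)\n")
SAMPLE_B64 = base64.b64encode(SAMPLE_SOURCE)
SAMPLE_BINARY = b"MZ\x90\x00" + b"\x00" * 128 + SAMPLE_B64 + b"\xff" * 128

if __name__ == "__main__":
    for hit in find_embedded_python(SAMPLE_BINARY):
        print(hit)
```

To run it against a real dropped file, read the file's bytes and pass them to find_embedded_python; a hit with uses_fernet set is a strong cue to pull the decoded source for further analysis.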

Earlier this year, GhostSec claimed it was retiring from cybercrime involvement and passed GhostLocker operations to Stormous, who is part of The Five Families collective. According to a recent post on X, Stormous is reportedly updating the ransomware program and plans to offer the services for free, under certain conditions. 

IOCs

PolySwarm has multiple samples of GhostLocker.

You can use the following CLI command to search for all GhostLocker samples in our portal:

$ polyswarm link list -f GhostLocker
