Two major ransomware groups, GhostSec and Stormous, joined forces and carried out several double extortion attacks.
A report from cybersecurity researchers at Cisco Talos revealed that the partnership appears to have begun in October 2023, when GhostSec announced a new ransomware-as-a-service (RaaS) framework, called GhostLocker, on Telegram.
By that time, the group had already collaborated successfully with Stormous (including an attack against Cuban ministries in July 2023), and the latter announced that it would adopt GhostLocker in addition to its StormousX program.
Increased activity
Since then, researchers claim that GhostSec and Stormous have carried out a series of double extortion ransomware attacks, targeting victims from different industries and countries around the world.
GhostSec primarily targets corporate websites, including a national railway operator in Indonesia and a major energy company in Canada. Cisco Talos observed victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand and Indonesia.
Israel's industrial systems, critical infrastructure and technology companies, as well as government organizations (Ministry of Defense), appear to be frequent targets.
The two also rebuilt the new official blog on the TOR network, offering affiliate programs for adjacent hacker collectives. The blog's dashboard displays victim counts and disclosures of victim information, with links to the leaked data, investigators said. Their largest ransom demand (which does not necessarily mean it was also the largest payment received) was $500,000.
Since partnering with Stormous, GhostSec's activities have increased, Cisco Talos concluded.
Year after year, ransomware operators are getting bigger, bolder, and more destructive. Some of the biggest cybersecurity incidents of the last decade included ransomware groups like LockBit, BlackCat (ALPHV), and Cl0p.