GhostLocker 2.0 Haunts Businesses Across Middle East, Africa & Asia

Published: 23/11/2024   Category: security


Ransomware cybercrime gangs GhostSec and Stormous have teamed up in widespread double-extortion attacks.



Cybercriminals have developed an enhanced version of the infamous GhostLocker ransomware that they are deploying in attacks across the Middle East, Africa, and Asia.
Two ransomware groups, GhostSec and Stormous, have joined forces in the attack campaigns with double-extortion ransomware attacks using the new GhostLocker 2.0 to infect organizations in Lebanon, Israel, South Africa, Turkey, Egypt, India, Vietnam, and Thailand, as well as other locations.
Technology companies, universities, manufacturing, transportation, and government organizations are bearing the brunt of attacks, which attempt to scam victims into paying for decryption keys needed to unscramble data that was rendered inaccessible by the file-encrypting malware. The attackers also threaten to release the stolen sensitive data unless the victims pay them hush money, according to researchers at Cisco Talos, who discovered the new malware and cyberattack campaign.
Both the GhostLocker and Stormous ransomware groups have introduced a revised ransomware-as-a-service (RaaS) program called STMX_GhostLocker, providing various options for their affiliates.
The GhostSec and Stormous groups announced their data theft in their Telegram channels and on the Stormous ransomware data-leak site.
In a technical blog post this week, Cisco Talos said GhostSec is attacking Israel's industrial systems, critical infrastructure, and technology companies. Purported victims include the Israeli Ministry of Defense, but the group's motives appear to be primarily profit-driven rather than kinetic sabotage.
Chats in the group's Telegram channel suggest the group is motivated (at least in part) by a desire to raise funds for hacktivists and threat actors. The group's chosen moniker, GhostSec, resembles that of the well-known hacktivist crew Ghost Security Group, an outfit known for targeting pro-Islamic State websites and other cyberattacks, but any connection remains unconfirmed.
The Stormous gang added the GhostLocker ransomware program to its existing StormousX program following a successful joint operation against Cuban ministries last July.
GhostSec appears to be conducting attacks against corporate websites, including a national railway operator in Indonesia and a Canadian energy supplier. Cisco Talos reports that the group may be using its GhostPresser tool in conjunction with cross-site scripting (XSS) attacks against vulnerable websites.
The ransomware kingpins are offering a newly developed GhostSec deep-scan tool set that would-be attackers can use to scan the websites of their potential targets.
The Python-based utility contains placeholders for specific functions, including the potential ability to scan targeted websites for specific vulnerabilities (by CVE number). The promised functionality indicates GhostSec's continuous evolution of the tools in its arsenal, according to Cisco Talos. Security researchers report that the malware's developers reference ongoing work on GhostLocker v3 in their chats.
GhostLocker 2.0 encrypts files on the victim's machine, giving them the file extension .ghost, before dropping and opening a ransom note. Prospective marks are warned that stolen data will be leaked unless they contact the ransomware operators before a seven-day deadline expires.
GhostLocker ransomware-as-a-service affiliates have access to a control panel that allows them to monitor the progress of their attacks, which are automatically registered on the dashboard. The GhostLocker 2.0 command-and-control server resolves with a geolocation in Moscow, a similar setup to earlier versions of the ransomware.
Paying affiliates gain access to a ransomware builder that can be configured with various options, including the target directory for encryption. The developers have configured the ransomware to exfiltrate and encrypt files with the extensions .doc, .docx, .xls, and .xlsx (i.e., Word documents and Excel spreadsheets).
The latest version of GhostLocker is written in Go, unlike the previous version, which was developed in Python. The functionality remains similar, however, according to Cisco Talos. One difference in the new version: it doubles the encryption key length from 128 to 256 bits.
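The two observable traits the article gives for GhostLocker 2.0 (documents with .doc/.docx/.xls/.xlsx extensions being renamed to .ghost, in bulk, by a single process) are enough to build a simple behavioural detector. The following Python script is an added example, not code from the article or from Cisco Talos: it parses a constructed rename log, filters for targeted-document-to-.ghost renames, and raises an alert when one process performs at least a threshold number of such renames inside a sliding time window. The log line format, the process names, the paths and the threshold values are all assumptions made up for this example; in practice the events would come from EDR, Sysmon or auditd telemetry.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Named in the article: GhostLocker 2.0 targets these document types and
# gives encrypted files the .ghost extension.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx"}
ENCRYPTED_SUFFIX = ".ghost"

# Constructed log format for this example (not a real EDR schema):
#   <ISO-8601 timestamp> proc=<image name> rename <old path> -> <new path>
LINE_RE = re.compile(r"^(\S+) proc=(\S+) rename (.+?) -> (.+)$")


@dataclass(frozen=True)
class RenameEvent:
    ts: datetime
    process: str
    old_path: str
    new_path: str


def parse_line(line: str):
    """Parse one constructed rename log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_raw, proc, old, new = m.groups()
    ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
    return RenameEvent(ts, proc, old, new)


def is_target_rename(ev: RenameEvent) -> bool:
    """True when a targeted document type was renamed to the .ghost extension."""
    old = PureWindowsPath(ev.old_path)
    new = PureWindowsPath(ev.new_path)
    return (old.suffix.lower() in TARGET_EXTENSIONS
            and new.suffix.lower() == ENCRYPTED_SUFFIX)


def detect_bursts(events, window=timedelta(seconds=60), threshold=5):
    """
    Sliding-window detector: alert when a single process renames at least
    `threshold` targeted documents to .ghost within `window`.
    Returns one alert dict per offending process (thresholds are assumptions).
    """
    per_process = defaultdict(list)
    for ev in events:
        if is_target_rename(ev):
            per_process[ev.process].append(ev)

    alerts = []
    for proc, evs in per_process.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events in [start, end] fit in `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "process": proc,
                    "count": len(evs),
                    "first_seen": evs[0].ts,
                    "directories": sorted({str(PureWindowsPath(e.old_path).parent) for e in evs}),
                })
                break  # one alert per process is enough for triage
    return alerts


def analyze(log_text: str, **kwargs):
    """Parse a log blob and run the burst detector over it."""
    events = [ev for ev in map(parse_line, log_text.strip().splitlines()) if ev]
    return detect_bursts(events, **kwargs)


# Constructed sample telemetry: two benign renames, one burst of six
# document-to-.ghost renames by a single process, and one isolated rename
# that stays below the threshold.
SAMPLE_LOG = r"""
2024-11-23T10:00:00Z proc=WINWORD.EXE rename C:\Users\alice\~tmp1.tmp -> C:\Users\alice\report.docx
2024-11-23T10:00:05Z proc=backup.exe rename C:\Users\alice\budget.xlsx -> C:\Users\alice\budget.xlsx.bak
2024-11-23T10:01:00Z proc=update.exe rename C:\Users\alice\report.docx -> C:\Users\alice\report.docx.ghost
2024-11-23T10:01:01Z proc=update.exe rename C:\Users\alice\budget.xlsx -> C:\Users\alice\budget.xlsx.ghost
2024-11-23T10:01:02Z proc=update.exe rename C:\Shares\hr\offer.doc -> C:\Shares\hr\offer.doc.ghost
2024-11-23T10:01:02Z proc=update.exe rename C:\Shares\hr\salaries.xls -> C:\Shares\hr\salaries.xls.ghost
2024-11-23T10:01:03Z proc=update.exe rename C:\Shares\hr\policy.docx -> C:\Shares\hr\policy.docx.ghost
2024-11-23T10:01:04Z proc=update.exe rename C:\Shares\hr\q3.xlsx -> C:\Shares\hr\q3.xlsx.ghost
2024-11-23T10:30:00Z proc=explorer.exe rename C:\Users\bob\notes.docx -> C:\Users\bob\notes.docx.ghost
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"ALERT {alert['process']}: {alert['count']} documents renamed to "
              f"{ENCRYPTED_SUFFIX}, directories={alert['directories']}")
```

The detector keys on behaviour rather than on a file hash, so it survives a rebuilt binary; the trade-off is that the window and threshold must be tuned against normal activity (archival or backup tools that rename many files at once should be allow-listed by process or path rather than by lowering the threshold).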
So how can you defend against this attack campaign? Cisco recommends building defense-in-depth security in order to detect an attack more readily, referring to the group's TTPs, and updating detection signatures for the newest version of the GhostLocker ransomware.
"GhostSec group is also known to conduct DoS and attack victims' websites, [so] organizations should ... implement layered defense with demilitarized zones [DMZs] for their Web servers to function, isolating those public-facing systems," Cisco said in a statement to Dark Reading.
Meanwhile, Cisco noted that it's unclear how successful the latest GhostLocker attacks have been.
"At this point we do not have any indication on how many potential victims are impacted. There was some data visible on the leak site, but it's difficult to say if that's a true number or how much money they paid, if any," according to the statement.
