Keypoints
- Ghost Locker is a RaaS from GhostSec with two observed variants: Variant 1 (Python) and Variant 2 (Golang).
- Both variants establish persistence by copying the binary to the Windows Startup folder and generate a 32-byte infection ID stored in a local JSON file.
- Variant 1 contacts C2 at 41.216.183.31 and proceeds even without C2; Variant 2 relies on successful C2 contact (94.103.91.246) and enforces exfiltration prior to encryption.
- The ransomware generates its secret key with Fernet (a 32-byte key, base64url-encoded) and encrypts files in memory with AES and a 256-bit key, writing encrypted copies with a “.ghost” extension and then deleting the originals. Note that Fernet’s own token format is AES-128-CBC with HMAC-SHA256, so the 256-bit figure refers to the key material rather than to the Fernet scheme itself.
- File ownership is obtained via the Windows takeown utility; this is an ownership change, not a privilege escalation (takeown reassigns ownership under the privileges the running token already holds, normally SeTakeOwnershipPrivilege from an Administrators token). The malware also terminates actor-defined services/processes to evade detection and unlock files for encryption.
- Variant 2 uploads targeted document files (.doc/.docx/.xls/.xlsx) to the C2 via HTTP POST before encrypting them and drops a Ransomnote.html on the desktop.
MITRE Techniques
- [T1547.001] Registry Run Keys / Startup Folder – Copies itself to the Windows Startup folder to maintain persistence (‘copies itself to that folder to establish persistence.’)
- [T1083] File and Directory Discovery – Enumerates mounted drives on the victim machine to identify targets for encryption (‘obtains the list of drives mounted in the victim’s machine to utilize during the encryption process.’)
- [T1071.001] Application Layer Protocol: Web Protocols – Communicates with C2 endpoints over HTTP to register infections and send JSON data (‘connects to the threat actor C2 Server via the URL “hxxp[://]41[.]216[.]183[.]31[/]incrementLaunch” … sends the generated JSON file to the C2 server through … “addInfection”‘).
- [T1222.001] File and Directory Permissions Modification: Windows – Uses the Windows takeown utility to take ownership of target files so they can be read and deleted (‘it obtains them through the takeown utility for accessing file systems, such as read and delete.’). The original mapping to T1548 (Abuse Elevation Control Mechanism) does not fit: takeown changes ownership but does not bypass UAC or otherwise elevate.
- [T1041] Exfiltration Over C2 Channel – Uploads targeted files to the C2 server via HTTP POST before encrypting (‘uploads the target files to the C2 server … using the HTTP post method’).
- [T1486] Data Encrypted for Impact – Encrypts files with AES-256 in memory and replaces originals with encrypted copies using the “.ghost” extension (‘uses an AES encryption algorithm and a key length of 256 bits … creates a copy of the encrypted file on disk with the “.ghost” extension, and then deletes the original file.’)
- [T1489] Service Stop – Terminates actor-defined services/processes on the victim host to enable encryption and evade detection (‘kills the threat actor-defined services and processes to evade detection’).
- [T1490] Inhibit System Recovery – Weakly supported. The report only describes skipping “C:\Windows” and deleting originals after encryption; it does not describe shadow-copy deletion, boot-configuration tampering or backup removal, so this mapping is inferred rather than observed and should not be treated as a detection target.
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Launches the ransom note via Windows ‘Start’ command and executes shell operations (‘drops … “Ransomnote.html” on the victim’s desktop and launches it with the Windows ‘Start’ command.’)
- [T1070.004] Indicator Removal on Host: File Deletion – Deletes original files after creating encrypted copies and uses self-deletion to remove traces after operation (‘after encryption, it uses the self-deletion mechanism’).
Indicators of Compromise
- [File Hash (MD5)] observed ransomware samples – C30A14B595FA334084CD32FA60B3C827, 8AD67A1B7A5F2428C93F7A13A398E39C
- [C2 / URL] command-and-control endpoints used for registration/exfiltration – hxxp[://]94[.]103[.]91[.]246[/]incrementLaunch, hxxp[://]41[.]216[.]183[.]31[/]addInfection (and related endpoints on the same hosts)
- [File Names / Extensions] artifacts and targets – Ransomnote.html (dropped to desktop), .ghost (encrypted file extension), new-mains.exe (present in variant 1 skip list)
Ghost Locker’s runtime procedure begins by copying the executable to the Windows Startup folder and creating a 32‑byte random ID stored in a JSON structure. The sample enumerates mounted drives to build an encryption target list, generates a Fernet-based secret key which it reports to the operator via HTTP-based C2 endpoints (e.g., 41.216.183.31 and 94.103.91.246), and registers the infection by posting the JSON to the C2 panel.
Before encrypting, the malware checks for administrative access and, if necessary, invokes Windows takeown to gain file ownership. Variant 2 will also terminate attacker-specified services/processes and will exfiltrate targeted document files (.doc/.docx/.xls/.xlsx) to the C2 via HTTP POST prior to encryption. The encryption routine performs AES-256 encryption in memory, writes encrypted files with a “.ghost” extension, deletes the originals, and finally drops and launches an HTML ransom note (Ransomnote.html) on the desktop; samples include self-deletion behavior after completion.
The primary differences between the variants are language (Python-based v1 vs Golang v2), C2 addresses, execution dependency on successful C2 contact (v2 requires it), JSON username differences (e.g., “zero” vs “ghostsec”), and exfiltration behavior (v2 uploads specified document types before encrypting). Detection and mitigation should focus on outbound HTTP to the listed IPs (including POSTs to /incrementLaunch and /addInfection), takeown invocations against user documents, unexpected executables written to the Startup folder, bursts of .ghost file creation followed by deletion of the originals, and the presence of Ransomnote.html on user desktops.
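To turn the indicators and behaviours above into a hunt over endpoint telemetry, the following Python sweep is an added example; it is not code from the original report or from GhostSec. It assumes a simplified Sysmon-style event schema (the field names `event`, `host`, `command_line`, `md5`, `dst_ip`, `method`, `url`, `upload_name`, `action`, `path` are assumptions), treats “.ghost” as a suffix appended to the original filename (also an assumption, since the report does not say how the encrypted copy is named), and uses constructed sample events. The indicator values themselves (C2 IPs, endpoints, MD5 hashes, takeown, the Startup-folder copy, Ransomnote.html and its launch via `start`) come from the report.

```python
"""Detection sweep for the GhostLocker indicators in the report above.

Added example, not from the original report or GhostSec's tooling.
Event schema (assumed): 'event' in {'process', 'network', 'file'} plus the
keys used below. The '.ghost' suffix being appended to the original name
and the 'upload_name' proxy field are assumptions, labelled where used.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

C2_IPS = {"41.216.183.31", "94.103.91.246"}            # from the report
KNOWN_MD5 = {"c30a14b595fa334084cd32fa60b3c827",        # from the report
             "8ad67a1b7a5f2428c93f7a13a398e39c"}
TARGET_DOC_EXT = (".doc", ".docx", ".xls", ".xlsx")     # Variant 2 exfil set

# Executable dropped into the per-user Startup folder (T1547.001).
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# takeown run directly or through cmd.exe (ownership change, T1222.001).
TAKEOWN_RE = re.compile(r"(?:^|[\\\s\"])takeown(?:\.exe)?(?:\"|\s)", re.I)
# `start Ransomnote.html`, possibly behind cmd /c (T1059.003).
NOTE_LAUNCH_RE = re.compile(r"\bstart\b[^&|]*ransomnote\.html", re.I)


@dataclass(frozen=True)
class Alert:
    host: str
    technique: str
    detail: str


def check_event(ev: dict) -> list[Alert]:
    """Stateless checks: one event in, zero or more alerts out."""
    host, kind, out = ev.get("host", "?"), ev.get("event"), []
    if kind == "process":
        cmd = ev.get("command_line", "")
        if ev.get("md5", "").lower() in KNOWN_MD5:
            out.append(Alert(host, "IoC-hash", f"known sample {ev['md5']}"))
        if TAKEOWN_RE.search(cmd):
            out.append(Alert(host, "T1222.001", f"ownership change: {cmd}"))
        if NOTE_LAUNCH_RE.search(cmd):
            out.append(Alert(host, "T1059.003", f"ransom note launched: {cmd}"))
    elif kind == "network":
        if ev.get("dst_ip") in C2_IPS:
            out.append(Alert(host, "T1071.001", f"C2 {ev['dst_ip']} {ev.get('url', '')}"))
            # 'upload_name' is an assumed proxy field: file carried in a POST body.
            up = ev.get("upload_name", "").lower()
            if ev.get("method") == "POST" and up.endswith(TARGET_DOC_EXT):
                out.append(Alert(host, "T1041", f"document exfil: {up}"))
    elif kind == "file" and ev.get("action") == "create":
        path = ev.get("path", "")
        if path.lower().endswith(".ghost"):
            out.append(Alert(host, "T1486", f"encrypted copy: {path}"))
        if path.lower().endswith("\\ransomnote.html"):
            out.append(Alert(host, "T1486", f"ransom note dropped: {path}"))
        if STARTUP_RE.search(path):
            out.append(Alert(host, "T1547.001", f"Startup persistence: {path}"))
    return out


def scan(events: list[dict], burst: int = 5) -> list[Alert]:
    """Stateless checks plus two correlations that need context: an original
    deleted after its .ghost copy appeared (T1070.004) and a per-host burst of
    .ghost creations, i.e. mass encryption rather than a stray file."""
    alerts, ghosts = [], defaultdict(set)
    for ev in events:
        alerts.extend(check_event(ev))
        path = ev.get("path", "").lower()
        if ev.get("event") == "file" and ev.get("action") == "create" and path.endswith(".ghost"):
            ghosts[ev.get("host", "?")].add(path)
    for ev in events:
        if ev.get("event") == "file" and ev.get("action") == "delete":
            host, p = ev.get("host", "?"), ev.get("path", "").lower()
            if p + ".ghost" in ghosts[host]:   # assumes suffix naming
                alerts.append(Alert(host, "T1070.004", f"original removed: {p}"))
    for host, paths in ghosts.items():
        if len(paths) >= burst:
            alerts.append(Alert(host, "T1486", f"{len(paths)} .ghost files created"))
    return alerts


def techniques_by_host(alerts: list[Alert]) -> dict[str, set[str]]:
    by = defaultdict(set)
    for a in alerts:
        by[a.host].add(a.technique)
    return dict(by)


# Constructed sample telemetry, not from a real incident. File and binary
# names other than Ransomnote.html are placeholders.
DOCS = [r"C:\Users\alice\Documents\report%d.docx" % i for i in range(5)]
SAMPLE_EVENTS = [
    {"host": "WS01", "event": "file", "action": "create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe"},
    {"host": "WS01", "event": "network", "dst_ip": "41.216.183.31", "method": "GET",
     "url": "http://41.216.183.31/incrementLaunch"},
    {"host": "WS01", "event": "network", "dst_ip": "41.216.183.31", "method": "POST",
     "url": "http://41.216.183.31/addInfection"},
    {"host": "WS01", "event": "process", "md5": "C30A14B595FA334084CD32FA60B3C827",
     "command_line": r"C:\Users\alice\payload.exe"},
    {"host": "WS01", "event": "process",
     "command_line": r'cmd.exe /c takeown /f "C:\Users\alice\Documents\q3.xlsx"'},
    {"host": "WS01", "event": "network", "dst_ip": "94.103.91.246", "method": "POST",
     "upload_name": "q3.xlsx"},
    *[{"host": "WS01", "event": "file", "action": "create", "path": d + ".ghost"} for d in DOCS],
    *[{"host": "WS01", "event": "file", "action": "delete", "path": d} for d in DOCS],
    {"host": "WS01", "event": "file", "action": "create", "path": r"C:\Users\alice\Desktop\Ransomnote.html"},
    {"host": "WS01", "event": "process",
     "command_line": r"cmd.exe /c start C:\Users\alice\Desktop\Ransomnote.html"},
    # Benign activity on a second host; must produce no alerts.
    {"host": "WS02", "event": "network", "dst_ip": "10.0.0.5", "method": "GET", "url": "http://10.0.0.5/"},
    {"host": "WS02", "event": "file", "action": "create", "path": r"C:\Users\bob\Documents\notes.docx"},
    {"host": "WS02", "event": "process", "command_line": r"notepad.exe C:\Users\bob\notes.txt"},
]

if __name__ == "__main__":
    for host, techs in sorted(techniques_by_host(scan(SAMPLE_EVENTS)).items()):
        print(host, sorted(techs))
```

Map the field names onto a real Sysmon or EDR export before running `scan()`. The takeown and Startup-folder rules will also fire on legitimate administration, so the per-host technique set from `techniques_by_host()`, several of these techniques together on one host within minutes, is what should page someone, not any single rule.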