Dark Web Profile: GhostSec – SOCRadar® Cyber Intelligence Inc.

GhostSec, a prominent actor within The Five Families, has evolved from hacktivism toward ransomware activity, including a twin attack with Stormous. The group promotes its own tools and a GhostLocker RaaS ecosystem, with operations spanning dark-web tutorials, Telegram channels, and a TOR-hosted blog; the article questions GhostSec’s core motives and its potential transition to cybercrime.

Key points

  • GhostSec emerged in 2015, allegedly from Anonymous, and focuses on countering extremism online while claiming strong ties to government agencies in its past.
  • The group conducts cyber operations against extremist networks (e.g., ISIS) and advertises initial access sales on its Telegram channels.
  • GhostLocker is a RaaS offering with features like “Military-Grade Encryption” and post-breach negotiation services, marketed to enterprise victims.
  • GhostSec and Stormous have joined forces for double-extortion ransomware campaigns and operate a joint RaaS program called STMX_GhostLocker on the TOR network.
  • New tools such as GhostSec Deep Scan and GhostPresser are reported, expanding website-focused attack capabilities.
  • GhostLocker 2.0 encrypts files with a .ghost extension, uses a C2 panel for affiliates, and gains persistence via the Startup folder; RaaS dashboards show victim counts.
  • The collaboration spans multiple countries and industries, with US/European targets highlighted for Stormous and a broad victim map for GhostSec/Stormous.

MITRE Techniques

  • [T1499] Endpoint Denial of Service – “launching precise cyberattacks to take them offline”, including DDoS, defacement, and data breaches to disrupt extremist propaganda.
  • [T1486] Data Encrypted for Impact – GhostLocker encrypts files and displays a ransom note; encrypted data is marked with the “.ghost” extension.
  • [T1547.001] Boot or Logon Autostart Execution – GhostLocker persists by copying itself to the Windows Startup folder under a randomly generated filename.
  • [T1562.001] Impair Defenses – Evades detection by terminating processes, services, or scheduled tasks.
  • [T1071.001] Application Layer Protocol – C2 communication with a control panel; the ransomware binaries connect to it so affiliates can monitor encryption progress.
  • [T1041] Exfiltration Over C2 Channel – Victim information is collected into a JSON file and sent to the control panel.

Indicators of Compromise

  • [File Extension] .ghost – appended to encrypted files by GhostLocker 2.0
  • [File Names] ghostlocker-ransom-note.png.webp, ghostlocker-contact-panel.png.webp – illustrative asset names tied to GhostLocker campaign imagery
  • [Geolocation/Host] C2 server located in Moscow, Russia – location of command infrastructure
  • [Platform/Channel] Telegram channels used for initial access sales and advertising
  • [TOR/blog platform] RaaS blog and affiliate portal hosted on the TOR network
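The two host-level behaviours above (bulk renames to a .ghost extension under T1486, and an executable with a random filename dropped into the Startup folder under T1547.001) are the ones a defender can check for directly in file-system telemetry. The following is an added detection example written for this page, not code from SOCRadar or from the GhostLocker authors. The event shape (`ts`, `action`, `pid`, `image`, `path`) and the sample events are constructed to resemble Sysmon/EDR file events and are assumptions; the Startup-folder path, the .ghost extension and the random-filename persistence come from the profile.

```python
"""
Added detection example for two GhostLocker 2.0 behaviours described in the
profile: mass ".ghost" renames (T1486) and a random-named executable written to
the Windows Startup folder (T1547.001). Event fields and sample data are
constructed assumptions, not telemetry from a real incident.
"""
import math
import re
from collections import Counter, defaultdict

# Per-user Startup folder, matched case-insensitively anywhere in the path.
STARTUP_DIR_RE = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.IGNORECASE
)
EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".ps1", ".lnk"}
GHOST_EXT = ".ghost"            # extension the profile reports for encrypted files
MASS_ENCRYPT_THRESHOLD = 5      # .ghost writes by one process before alerting (tunable)


def shannon_entropy(s):
    """Bits of entropy per character of s; higher means less word-like."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(filename):
    """Heuristic for a generated filename: long, alphanumeric only, high entropy."""
    stem = filename.rsplit(".", 1)[0]
    return (len(stem) >= 8
            and re.fullmatch(r"[A-Za-z0-9]+", stem) is not None
            and shannon_entropy(stem.lower()) >= 3.0)


def _ext(path):
    name = path.rsplit("\\", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""


def detect(events):
    """Return a list of alerts for the GhostLocker behaviours found in events."""
    alerts = []
    ghost_paths = defaultdict(list)   # pid -> paths written with .ghost
    image_of = {}                     # pid -> process image seen

    for ev in events:
        path, ext = ev["path"], _ext(ev["path"])
        name = path.rsplit("\\", 1)[-1]
        image_of.setdefault(ev["pid"], ev["image"])

        # T1486: count files marked with the ransomware extension per process.
        if ev["action"] in ("create", "rename") and ext == GHOST_EXT:
            ghost_paths[ev["pid"]].append(path)

        # T1547.001: executable content dropped into Startup under a random name.
        if (ev["action"] == "create" and STARTUP_DIR_RE.search(path)
                and ext in EXEC_EXT and looks_random(name)):
            alerts.append({"technique": "T1547.001", "pid": ev["pid"],
                           "image": ev["image"], "path": path})

    for pid, paths in ghost_paths.items():
        if len(paths) >= MASS_ENCRYPT_THRESHOLD:
            alerts.append({"technique": "T1486", "pid": pid,
                           "image": image_of[pid], "count": len(paths)})
    return alerts


# Constructed sample telemetry: one suspicious process (pid 4120) plus benign noise.
RANSOM_IMAGE = r"C:\Users\alice\AppData\Local\Temp\update.exe"   # constructed
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:01", "action": "create", "pid": 4120,
     "image": RANSOM_IMAGE, "path": STARTUP + r"\xq7vpz3krt9e.exe"},
] + [
    {"ts": f"2024-03-01T10:00:{2 + i:02d}", "action": "rename", "pid": 4120,
     "image": RANSOM_IMAGE, "path": rf"C:\Users\alice\Documents\file{i}.docx.ghost"}
    for i in range(5)
] + [
    {"ts": "2024-03-01T10:00:09", "action": "create", "pid": 880,
     "image": r"C:\Windows\explorer.exe", "path": STARTUP + r"\OneDrive.lnk"},
    {"ts": "2024-03-01T10:00:10", "action": "rename", "pid": 2200,
     "image": r"C:\Program Files\Tool\tool.exe",
     "path": r"C:\Users\alice\Documents\notes.txt.bak"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints one T1547.001 alert for the random-named `.exe` in Startup and one T1486 alert for the five `.ghost` renames by the same process, while the user-created `OneDrive.lnk` shortcut and the unrelated `.bak` rename produce nothing. In production the threshold and the entropy cut-off should be tuned against a baseline of legitimate Startup-folder writes, and the two alerts correlating on the same `pid` is the stronger signal than either alone.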

Read more: https://socradar.io/dark-web-profile-ghostsec/