GhostSec offers Ransomware-as-a-Service Possibly Used to Target Israel

GhostSec has unveiled GhostLocker, a Ransomware-as-a-Service (RaaS) framework sold through a dedicated Telegram channel, with a current focus on Israel that signals a shift in the group's activity. The report details how GhostLocker is built and operated, the group's historical attacks against Israel and other regions, and the indicators and infrastructure observed in the campaign. #GhostLocker #GhostSec #RaaS #Israel #Telegram

Keypoints

  • GhostSec has launched GhostLocker, a RaaS offering sold via Telegram; the report quotes an initial price of $999.
  • Historically, GhostSec has attacked Israel across multiple sectors (telecom, energy, water, military data, railway) and has tied campaigns to support Palestine.
  • The builder compiles the Python ransomware into native code with Nuitka, which hinders reverse engineering compared with plain Python bytecode.
  • Stage 1 copies itself to the startup directory; Stage 2 encrypts files and appends the .ghost extension, using Fernet (AES-128-CBC with an HMAC-SHA256 tag, as implemented in the Python cryptography library) as its encryption layer, and handles the per-victim key, which is sent to the C2 server during victim registration.
  • The campaign employs persistence and defense evasion tactics (a watchdog, killing processes, disabling services) and a C2 workflow over HTTP/S in which the victim's ID, key and computer name are registered with the server.
  • A broad set of IOCs (IPs, hashes, URLs, and the Readme.html ransom note) and a Telegram-based affiliate and availability model underscore the operation's reach.
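Because the report identifies Fernet as the encryption layer, an encrypted .ghost file should carry the fixed Fernet token layout, which an incident responder can parse without the key and validate against a recovered key. The following is an added example, not code from the Uptycs report or from GhostLocker itself; it assumes that each .ghost file is a single Fernet token (an assumption, since the report does not describe the file layout) and uses only the Python standard library. The sample key, IV and "ciphertext" bytes are constructed placeholders, so the block demonstrates token structure and key validation, not AES decryption.

```python
import base64
import hashlib
import hmac
import struct
import time

# Fernet token layout (from the Fernet spec, as implemented by the
# cryptography library):
#   version 0x80 (1 byte) | timestamp (8 bytes, big-endian seconds)
#   | IV (16 bytes) | AES-128-CBC ciphertext (multiple of 16 bytes)
#   | HMAC-SHA256 over everything before it (32 bytes)
# The key is 32 bytes, base64url-encoded (44 characters); the first 16
# bytes are the HMAC signing key, the last 16 the AES encryption key.
VERSION = 0x80
HEADER_LEN = 1 + 8 + 16
MAC_LEN = 32


def split_fernet_key(key_b64: bytes):
    """Decode a Fernet key and return (signing_key, encryption_key)."""
    raw = base64.urlsafe_b64decode(key_b64)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]


def build_token(key_b64: bytes, ciphertext: bytes, timestamp: int, iv: bytes) -> bytes:
    """Assemble a Fernet token around an already-produced CBC ciphertext.
    Used here only to construct sample input; the ciphertext bytes below are
    placeholders, not output of a real AES encryption."""
    if len(iv) != 16 or len(ciphertext) % 16:
        raise ValueError("IV must be 16 bytes and ciphertext a multiple of 16")
    signing_key, _ = split_fernet_key(key_b64)
    body = bytes([VERSION]) + struct.pack(">Q", timestamp) + iv + ciphertext
    mac = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac)


def parse_token(token_b64: bytes) -> dict:
    """Split a .ghost file body into its Fernet fields; needs no key.
    The timestamp gives the encryption time of each file, useful for
    reconstructing the attack timeline."""
    raw = base64.urlsafe_b64decode(token_b64)
    if len(raw) < HEADER_LEN + MAC_LEN or raw[0] != VERSION:
        raise ValueError("not a Fernet token")
    (timestamp,) = struct.unpack(">Q", raw[1:9])
    return {
        "timestamp": timestamp,
        "encrypted_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(timestamp)),
        "iv": raw[9:25],
        "ciphertext": raw[25:-MAC_LEN],
        "mac": raw[-MAC_LEN:],
        "signed_body": raw[:-MAC_LEN],
    }


def key_matches(token_b64: bytes, key_b64: bytes) -> bool:
    """True if the candidate key's signing half authenticates the token.
    A key recovered from memory, a C2 capture or a seized server that passes
    this check is the one needed to decrypt the file."""
    fields = parse_token(token_b64)
    signing_key, _ = split_fernet_key(key_b64)
    expected = hmac.new(signing_key, fields["signed_body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, fields["mac"])


# Constructed sample input (not real victim data).
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))
WRONG_KEY = base64.urlsafe_b64encode(bytes([0xFF] * 32))
SAMPLE_IV = bytes(16)
SAMPLE_CT = bytes(range(32))          # placeholder "ciphertext", two AES blocks
SAMPLE_TS = 1697068800                # 2023-10-12T00:00:00Z
SAMPLE_TOKEN = build_token(SAMPLE_KEY, SAMPLE_CT, SAMPLE_TS, SAMPLE_IV)

if __name__ == "__main__":
    fields = parse_token(SAMPLE_TOKEN)
    print("encrypted at:", fields["encrypted_at"])
    print("ciphertext bytes:", len(fields["ciphertext"]))
    print("candidate key valid:", key_matches(SAMPLE_TOKEN, SAMPLE_KEY))
```

Once a key passes `key_matches`, the actual recovery step is `cryptography.fernet.Fernet(key).decrypt(token)` from the cryptography library, which performs the same HMAC check before AES-CBC decryption; a key that fails the check will also fail there, so this stdlib check lets responders test candidate keys without that dependency.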

MITRE Techniques

  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – stage 1 copies itself to the startup directory.
  • [T1562.001] Impair Defenses: Disable or Modify Tools – “Kill processes – Terminate any processes, such as MS Office or targeted process” and “Disable services – Deactivate or disrupt any services, including antivirus (AV) or endpoint detection and response (EDR).”
  • [T1027] Obfuscated Files and Information – Nuitka compiler strings in stage 1.
  • [T1486] Data Encrypted for Impact – “The stage 2 binary is the actual ransomware executable which on execution encrypts files and appends extension .ghost.”
  • [T1041] Exfiltration Over C2 Channel – “SendDB : Sends ID, Key, PCName to URL where URL is ‘http://88[.]218[.]61[.]141/add’ to register victim.”
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communication over HTTP; “Posts to IP 88[.]218[.]61[.]141 that ‘Launches incremented successfully.’”
  • [T1583] Acquire Infrastructure – the RaaS is promoted and sold through a Telegram channel. “The Telegram channel promotes their Ransomware-as-a-Service (RaaS) through a Telegram channel, offering it at an initial price of $999.”

Indicators of Compromise

  • [IP Address] – 88[.]218[.]62[.]219, 88[.]218[.]61[.]141, 195[.]2[.]79[.]117
  • [SHA256 Hash] – 0e484560a909fc06b9987db73346efa0ca6750d523f2334913c23e061695f5cc, 4844f44c9de364377f574e4d6a8a77dc0b4d6a67f21ccbf693ac366e52eaa8cb, and 14 more hashes
  • [URL] – http://88[.]218[.]62[.]219/download, http://88[.]218[.]61[.]141/add, https://195[.]2[.]79[.]117/
  • [File Name] – Readme.html (ransom note)
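To turn the indicators above into something a SOC can run, the following added example (not from the Uptycs report) keeps the IOCs defanged in storage, refangs them only at match time, and scans log lines for the C2 endpoints, the .ghost extension and the Readme.html note. The proxy and file-event record formats, hostnames and timestamps are constructed for illustration; an exact C2 URL hit is rated high, while traffic to a C2 host on another path or a lone .ghost file is rated medium, so that a match on the shared hosting IP does not by itself page anyone.

```python
import re
from urllib.parse import urlparse

# Indicators as listed in the IOC section, stored defanged so that copying
# this list into tickets or chat does not produce clickable C2 links.
C2_URLS = [
    "http://88[.]218[.]62[.]219/download",
    "http://88[.]218[.]61[.]141/add",
    "https://195[.]2[.]79[.]117/",
]
C2_IPS = ["88[.]218[.]62[.]219", "88[.]218[.]61[.]141", "195[.]2[.]79[.]117"]
RANSOM_NOTE = "Readme.html"
ENCRYPTED_EXT = ".ghost"


def refang(ioc: str) -> str:
    """Undo common defanging so indicators can be compared to live data."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def normalize_url(url: str) -> str:
    """Lower-case scheme and host and drop a trailing slash so that
    'https://195.2.79.117/' and 'https://195.2.79.117' compare equal."""
    p = urlparse(url)
    path = p.path.rstrip("/") or "/"
    return f"{p.scheme.lower()}://{p.netloc.lower()}{path}"


URL_SET = {normalize_url(refang(u)) for u in C2_URLS}
IP_SET = {refang(i) for i in C2_IPS}

# Two constructed record shapes (not the report's telemetry):
#   proxy: "<ts> <src_ip> <method> <url> <status>"
#   file : "<ts> FILE_CREATE <host> <path>"
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
FILE_RE = re.compile(r"^(?P<ts>\S+) FILE_CREATE (?P<host>\S+) (?P<path>.+)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify(line: str):
    """Return a list of (severity, indicator) hits for one log line."""
    hits = []
    m = PROXY_RE.match(line)
    if m:
        url = normalize_url(m.group("url"))
        if url in URL_SET:
            hits.append(("high", url))            # exact C2 endpoint
        else:
            for ip in IP_RE.findall(m.group("url")):
                if ip in IP_SET:
                    hits.append(("medium", ip))   # C2 host, different path
        return hits
    m = FILE_RE.match(line)
    if m:
        name = m.group("path").replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() == RANSOM_NOTE.lower():
            hits.append(("high", RANSOM_NOTE))
        elif name.lower().endswith(ENCRYPTED_EXT):
            hits.append(("medium", ENCRYPTED_EXT))
    return hits


def scan(lines):
    """Scan an iterable of log lines; returns [(line_number, severity, indicator)]."""
    out = []
    for n, line in enumerate(lines, 1):
        for sev, ioc in classify(line.rstrip("\n")):
            out.append((n, sev, ioc))
    return out


SAMPLE_LOG = [  # constructed, not real telemetry
    "2023-10-12T09:58:10Z 10.0.0.17 GET http://88.218.62.219/download 200",
    "2023-10-12T09:58:41Z 10.0.0.17 POST http://88.218.61.141/add 200",
    "2023-10-12T09:58:42Z 10.0.0.17 GET http://88.218.61.141/status 404",
    "2023-10-12T09:59:00Z 10.0.0.17 GET https://www.example.com/ 200",
    "2023-10-12T10:01:05Z FILE_CREATE WS-17 C:\\Users\\alice\\Documents\\q3.xlsx.ghost",
    "2023-10-12T10:01:06Z FILE_CREATE WS-17 C:\\Users\\alice\\Documents\\Readme.html",
]

if __name__ == "__main__":
    for n, sev, ioc in scan(SAMPLE_LOG):
        print(f"line {n}: {sev:6} {ioc}")
```

The same `classify` function can be fed from a SIEM export or a tail of the proxy log; the stage-1 download from /download followed within a minute by a POST to /add from the same source is the sequence the report describes for victim registration, so correlating the two high hits by source IP is the natural next rule.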

Read more: https://www.uptycs.com/blog/ghostlocker-ransomware-ghostsec