GhostLocker - A “Work In Progress” RaaS


Executive Summary

In recent years, there has been a noticeable uptick in threat actors venturing into the realm of Ransom-as-a-Service (RaaS). Some have emerged as significant threats, while others have faded into obscurity. What makes the current landscape unusual is the entry of hacktivist groups into this domain. One such group, GhostSec, has introduced a novel Ransom-as-a-Service encryptor known as GhostLocker. GhostSec's focus has predominantly been on well-established telecommunications companies, surveillance systems, and Internet of Things (IoT) devices.

GhostLocker is being marketed as a groundbreaking, enterprise-grade locking software that prioritizes safety and effectiveness above all else. Initially priced at $999 for the first 15 affiliates, GhostSec anticipates raising this fee to $4,999 in the future. This executive summary provides a snapshot of our investigation and key findings pertaining to this emerging ransomware variant.

Figure 1 - GhostLocker announcement

GhostLocker RaaS was announced on October 8th, 2023, and several updates have been made to the encryptor since then. Rapid7 researchers obtained several new GhostLocker samples and took a quick look at them. This blog is based on one of the first publicly available samples, and our analysis led us to the conclusion that the encryptor is still under development and lacks the basic capability to encrypt files.

Figure 2 - GhostLocker update timeline

Technical Analysis

Announced by GhostSec, the new GhostLocker encryptor’s major features include:

- Military-grade encryption on runtime
- Undetectability by using a polymorphic stub, and guaranteeing zero detections out of all major antivirus (AV) solutions
- Protection against reverse engineering
- Self-delete
- Killing services
- Automatic privilege escalation
- Persistence mechanism
- Watchdog process
- Delayed encryption

GhostSec is also offering their affiliates a fully functional statistics and negotiation platform.

GhostSec used Python to create their encryptor. The first sample spotted by Rapid7 was a PyInstaller executable. PyInstaller is used to package Python ..
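Because the first sample was a PyInstaller executable, a quick triage step is to confirm the packing and list the bundled archive entries without running the file. The following is an added example, not Rapid7's tooling or GhostSec's code; it parses PyInstaller's CArchive cookie and table of contents, and the sample bytes it builds (including the script name "locker") are constructed stand-ins rather than bytes from the real sample.

```python
"""Offline triage of a PyInstaller-packed executable: find the CArchive cookie,
read the Python version and bundled libpython name, and walk the TOC to list
the embedded entries. Layout follows the 88-byte PyInstaller 2.1+ cookie."""
import struct

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"          # PyInstaller CArchive magic
COOKIE_FMT = "!8sIIII64s"                    # magic, pkg len, toc off, toc len, pyver, pylib
COOKIE_LEN = struct.calcsize(COOKIE_FMT)     # 88 bytes
ENTRY_FMT = "!IIIIBc"                        # entry len, data off, csize, usize, cflag, type
ENTRY_LEN = struct.calcsize(ENTRY_FMT)       # 18 bytes, followed by the NUL-padded name

def parse_pyinstaller(data: bytes):
    """Return None when `data` carries no PyInstaller cookie; otherwise a dict
    with the Python version, libpython name and the TOC entries as (type, name).
    Entry types: 's' script, 'z' PYZ archive, 'b' binary, 'x' data, 'm'/'M' module."""
    pos = data.rfind(MAGIC)                  # the cookie closes the appended archive
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_LEN])
    base = pos + COOKIE_LEN - pkg_len        # pkg_len covers the archive incl. cookie
    # Newer builds store major*100+minor (311), older ones major*10+minor (27).
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else divmod(pyver, 10)
    toc = data[base + toc_off:base + toc_off + toc_len]
    entries, i = [], 0
    while i + ENTRY_LEN <= len(toc):
        entry_len, _off, _csz, _usz, _cflag, typ = struct.unpack(ENTRY_FMT, toc[i:i + ENTRY_LEN])
        if entry_len < ENTRY_LEN:
            break                            # corrupt TOC: stop instead of looping forever
        name = toc[i + ENTRY_LEN:i + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        entries.append((typ.decode(), name))
        i += entry_len
    return {"python": f"{major}.{minor}",
            "pylib": pylib.rstrip(b"\x00").decode(), "entries": entries}

def _toc_entry(typ: bytes, name: str) -> bytes:
    body = name.encode() + b"\x00"
    return struct.pack(ENTRY_FMT, ENTRY_LEN + len(body), 0, 0, 0, 0, typ) + body

def build_sample() -> bytes:
    """Constructed stand-in for a packed sample: fake PE stub, archive body, cookie."""
    toc = (_toc_entry(b"s", "pyi_rth_multiprocessing") + _toc_entry(b"s", "locker")
           + _toc_entry(b"z", "PYZ-00.pyz"))
    archive_body = b"\x00" * 16 + toc        # 16 dummy bytes of entry data, then the TOC
    cookie = struct.pack(COOKIE_FMT, MAGIC, len(archive_body) + COOKIE_LEN,
                         16, len(toc), 311, b"python311.dll")
    return b"MZ" + b"\x90" * 62 + archive_body + cookie

if __name__ == "__main__":
    print(parse_pyinstaller(build_sample()))
```

On a real sample, read the file bytes and pass them to parse_pyinstaller; the entry list shows which scripts were bundled so they can be pulled for static review.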
