These two ransomware giants are joining forces to hit more victims across the world


Two major ransomware groups, GhostSec and Stormous, have joined forces and conducted several double extortion attacks.

A report from cybersecurity researchers Cisco Talos revealed the partnership appears to have started in October 2023, when GhostSec announced a new ransomware-as-a-service (RaaS) framework on Telegram, called GhostLocker.

By that time, GhostSec had already collaborated successfully with Stormous (namely, in an attack against Cuban ministries in July 2023), and Stormous then announced it would adopt GhostLocker in addition to its StormousX program.

Surge in activity

Since then, the researchers claim GhostSec and Stormous have pulled off a number of double extortion ransomware attacks, targeting victims in different industries and various countries around the world. 

GhostSec mostly targets corporate websites, including a national railway operator in Indonesia, and a major energy company in Canada. Cisco Talos observed victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand and Indonesia.

Israel’s industrial systems, critical infrastructure and technology companies, as well as government organizations (Ministry of Defense), seem to be frequently targeted.

The two also rebuilt the new official blog on the Tor network, offering affiliate programs for adjacent hacking collectives. The blog's dashboard shows a count of victims and disclosures of victims’ information, with links to their leaked data, the researchers said. The largest ransom demand listed (which does not necessarily mean it was also the largest payment received) was $500,000.

Since teaming up with Stormous, GhostSec’s activities have surged, Cisco Talos concluded.

Year after year, ransomware operators are getting bigger, bolder, and more destructive. Some of the biggest cybersecurity incidents of the past decade included ransomware groups such as LockBit, BlackCat (ALPHV), and Cl0p.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.