Global Surge in Cyber Attacks: GhostSec and Stormous Unleash GhostLocker Ransomware in Over 15 Nations

GhostSec and Stormous are now launching combined ransomware attacks across more than 15 countries, employing a novel Golang variant of ransomware named GhostLocker. This development was highlighted in a report by Chetan Raghuprasad of Cisco Talos. The attacks have a broad reach, impacting multiple sectors in various countries, including but not limited to Cuba, China, and India, with technology and education being among the most significantly affected areas.

The upgraded version, GhostLocker 2.0, brings enhanced efficiency and quicker encryption capabilities to the table. It also introduces a new tactic: threatening to release stolen data unless contact is made within a week. Additionally, this ransomware is designed to halt certain processes before initiating the file encryption, streamlining its attack process and making it harder for victims to intervene.


  • Identity and Background: GhostSec, or Ghost Security, is a cybercrime group that gained attention for its ransomware attacks. Not to be confused with a similarly named group, Ghost Security Group, which is a different entity. GhostSec is known for its sophisticated cyber attacks and has been linked to various ransomware campaigns.
  • Activities and Tactics: This group specializes in developing and deploying ransomware, a malicious software designed to block access to a computer system until a sum of money is paid. They have been involved in numerous cyber attacks across the globe, targeting businesses in various sectors.
  • Ransomware Development: GhostSec is responsible for creating GhostLocker, a ransomware variant that they offer as a ransomware-as-a-service (RaaS) to other cybercriminals. This model allows them to distribute their ransomware more widely and benefit from the attacks conducted by their affiliates.
  • Collaborations: The group is part of a larger coalition called The Five Families, which includes other cybercrime groups. This coalition aims to unify and strengthen their operations in the cyber underground.


  • Identity and Background: Stormous is another prominent cybercrime group that collaborates with GhostSec in launching ransomware attacks. They are known for their aggressive tactics and have been involved in numerous high-profile cyber incidents.
  • Ransomware and Tactics: Similar to GhostSec, Stormous engages in ransomware attacks but has also been noted for using Python-based ransomware. Their approach often involves double extortion, where they not only encrypt the victim’s files but also threaten to release stolen data unless an additional ransom is paid.
  • Ransomware-as-a-Service (RaaS): Stormous has embraced the RaaS model, collaborating with GhostSec to enhance their ransomware capabilities and reach. This partnership allows them to leverage each other’s strengths and resources in conducting more sophisticated and widespread attacks.

Joint Operations

GhostSec and Stormous have combined their efforts to launch joint ransomware attacks, significantly impacting over 15 countries across various business sectors. Their collaboration signifies a worrying trend in the cybercrime world, where groups unite their expertise and resources to launch more effective and damaging cyber attacks. This partnership has led to the development of new ransomware variants and the expansion of their RaaS program, posing a greater threat to global cyber security.

Technical Innovations and Tactics

They have demonstrated a keen ability to innovate within the realm of cyber threats. Their use of a Golang variant for the GhostLocker ransomware signifies a shift towards more sophisticated, cross-platform malware development. Golang, being a statically typed, compiled programming language designed at Google, allows for efficient execution and difficult detection by traditional antivirus software, thereby enhancing the malware’s persistence.

Double Extortion Technique

The technique of double extortion, where attackers not only encrypt the victim’s files but also exfiltrate data and threaten its release, adds a layer of complexity to the attacks. This method pressures victims to pay the ransom not just to regain access to their encrypted files but also to prevent potentially damaging data from being made public. This tactic has been increasingly adopted by various ransomware groups, indicating a trend towards more aggressive and financially damaging cyber extortion practices.

Ransomware-as-a-Service (RaaS) Expansion

The STMX_GhostLocker program represents a significant evolution in the RaaS landscape. By offering a tiered service model, including paid, free, and data publication options, GhostSec and Stormous are broadening the accessibility of ransomware to would-be attackers with varying levels of expertise and resources. This democratization of cybercrime tools could lead to an increase in ransomware attacks globally, as barriers to entry continue to lower.

Global Impact and Targeted Sectors

The wide geographical spread of the victims, from Asia to Africa and South America, underscores the global threat posed by ransomware. By targeting a diverse array of sectors, including technology, government, and healthcare, the attackers demonstrate a strategic approach designed to maximize financial gain and societal impact. The choice of sectors suggests a deep understanding of where vulnerabilities might lie and which types of data are most valuable or sensitive.

Cybersecurity Response and Challenges

The cybersecurity community faces significant challenges in responding to these evolving threats. The use of new programming languages for malware development, combined with the RaaS model’s growth, requires continuous adaptation in defense strategies. Developing robust detection mechanisms, enhancing threat intelligence sharing, and fostering international cooperation are pivotal in combating such threats. Moreover, organizations must prioritize cybersecurity hygiene, including regular backups, employee training, and the implementation of multi-factor authentication (MFA) to mitigate the risk of successful ransomware attacks.

Legal and Ethical Implications

The collaboration between GhostSec and Stormous, and the formation of coalitions like The Five Families, also raises important legal and ethical questions. The international nature of cybercrime complicates jurisdictional and legal frameworks for prosecution. Moreover, the ethical dilemma of paying ransoms to recover stolen data puts victims in a challenging position, potentially funding further criminal activities.


The joint operations of GhostSec and Stormous, marked by the development and deployment of GhostLocker ransomware, highlight a concerning trend in global cybercrime. The evolution of ransomware tactics, combined with the expansion of RaaS models, presents significant challenges for cybersecurity professionals and organizations worldwide. Addressing this threat requires a multi-faceted approach, including technological innovation, legal action, and international collaboration, to protect against these increasingly sophisticated and damaging cyber attacks.

About Purple Shield Security

Purple Shield Security isn’t just another cyber security firm. Think of us as your digital world’s protectors, always ready to keep your business safe from the latest cyber threats. Our team is full of passionate experts who do more than just look after your data and systems; we give you peace of mind. We offer a wide range of services like Managed Cyber Security, Cyber Security Consulting, Cyber Security Risk Analysis, Cyber Defense Services, Cyber Security Incident Response, and vCISO.

Don’t put off making your business safer. Contact us now to see how Purple Shield Security can upgrade your cyber defenses.