GhostLocker RaaS Operations Growing as Recruiters Search for Cash Flow

Remember when hacktivism felt like a rebellious punk rock anthem raging against the affluent corporate machine? Hacktivists flitted through cyberspace as digital Robin Hoods fueled by righteous indignation or online warriors with a penchant for mischief. Those days are about as ancient as dial-up internet.

Today, the cybercrime scene is a cutthroat business. A new breed of primarily unskilled hackers has been lured in, unable to resist the temptation of easy cash. They spend their days discussing attack patterns and emerging vulnerabilities, sink hours into honing their skills and purchase expensive tools. However, when the bandwidth bill comes due, a hacktivist’s personal agenda and the thrill of a potential hack quickly lose their luster if the money isn’t rolling in. After all, individual hackers lack the financial backing of a shadowy syndicate.

This unending army of threat actors hungry for new ways to maximize their financial gain and minimize their efforts has created a breeding ground for Ransomware-as-a-Service (RaaS). No longer content with their multimillion-dollar schemes, cybergangs have created a perverse startup scene in which they package their knowledge into a fully functioning RaaS product available to anyone who can pay. These businesses are built with a chilling parallel to legitimate companies, complete with subscription models, feature updates, aggressive affiliate recruitment drives, and customer support.

GhostLocker: The Newest Ransomware-as-a-Service

The current talk of the hacker town is GhostLocker, the RaaS brainchild of GhostSec, SiegedSec, and The Five Families, which launched in early October. Beyond military-grade encryption, GhostLocker’s marketing teases innovative features.

It claims to be completely undetectable by all major antivirus (AV) solutions. It enables automatic privilege escalation, provides protection against reverse engineering, and offers delayed encryption. Its dashboard shows detailed launch statistics, build frequency and lifetime earnings. To give the RaaS a unique value proposition, users can leave the ransom negotiations in the presumably capable hands of GhostLocker experts. Further mimicking the tech startup roadmap, GhostLocker offers a beta phase deal: the first 15 affiliates get access for the bargain price of $999, increasing to $4999 for those who join later. After paying for the subscription (monthly options are available, too!), like a typical e-commerce affiliate program, GhostLocker takes a minimal 15% commission from each secured ransom.

GhostLocker in Action

Here’s a brief look at how GhostLocker’s Python-created encryptor works:

Relying on Fernet, the AES-based symmetric encryption module from Python’s cryptography package, GhostLocker uses the generate_key() method to create a 32-byte key encoded as URL-safe base64.

Next, the RaaS program creates a victim ID and uses the getpass Python library to retrieve the victim’s username. It sends the key, ID, and PC name to the attacker’s panel, all unencrypted over HTTP.

Then GhostLocker begins the encryption process and sends an HTML ransom note named ‘lmao’ (Laughing My A** Off) to the victim’s Document folder. In imperfect English, the notice explains that files have been stolen and encrypted and includes a link to download the end-to-end encrypted messaging platform, Session, to communicate with the hacker.
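Because the key leaves the machine unencrypted over HTTP, it can be spotted in proxy or packet-capture data by its shape alone. The following is an added detection sketch, not code from GhostLocker or from the original analysis; the event layout, host names and field names (key, id, pc) are constructed for the example.

```python
import base64
import re
from urllib.parse import quote, unquote

# Fernet.generate_key() output: 32 bytes as URL-safe base64 = 43 chars + one '=' pad.
KEY_SHAPE = re.compile(r"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{43}=(?![A-Za-z0-9_=-])")


def fernet_shaped_tokens(text):
    """Return tokens in text that decode to exactly 32 bytes of URL-safe base64."""
    hits = []
    for candidate in {text, unquote(text)}:  # raw and percent-decoded views
        for match in KEY_SHAPE.finditer(candidate):
            try:
                if len(base64.urlsafe_b64decode(match.group())) == 32:
                    hits.append(match.group())
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
    return sorted(set(hits))


def flag_cleartext_key_uploads(events):
    """Return (destination, token count) for plain-HTTP requests carrying such a token."""
    flagged = []
    for event in events:
        if event["scheme"] != "http":
            continue  # only cleartext traffic is inspectable without TLS interception
        tokens = fernet_shaped_tokens(event["payload"])
        if tokens:
            flagged.append((event["dest"], len(tokens)))
    return flagged


# Constructed sample data: the key is bytes 0..31; hosts and field names are made up.
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32))).decode()
SAMPLE_EVENTS = [
    {"scheme": "http", "dest": "panel.example.invalid",
     "payload": "key=" + quote(SAMPLE_KEY) + "&id=0001&pc=DESKTOP-TEST"},
    {"scheme": "http", "dest": "panel.example.invalid",
     "payload": '{"key": "' + SAMPLE_KEY + '", "id": "0001"}'},
    {"scheme": "http", "dest": "updates.example.invalid",
     "payload": "sha256=" + "ab" * 32 + "&build=42"},
    {"scheme": "https", "dest": "api.example.invalid", "payload": "(encrypted)"},
]

if __name__ == "__main__":
    for dest, count in flag_cleartext_key_uploads(SAMPLE_EVENTS):
        print(f"cleartext key-shaped token to {dest} ({count} token(s))")
```

The match is a shape heuristic: any padded 32-byte URL-safe base64 value will trigger it, so treat a hit as a triage signal to correlate with new outbound HTTP destinations and a burst of file rewrites on the same host.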

RaaS: The SaaS Model of Cybercrime

Why join a RaaS operation and pay upfront plus a commission instead of going solo and keeping all the loot? The appeal is simple. For one, it’s like the cybercrime equivalent of a franchise opportunity, minus the greasy food. For a relatively small fee compared to the potential profits, a RaaS operation offers all the ingredients and recipes needed. Hackers get access to a suite of nasty tools, from data encryption to extortion platforms, have the support of a larger, highly experienced organization, and have access to shared resources.

RaaS essentially democratizes cybercrime, making it accessible to anyone with a basic understanding of computers and a complete lack of morals. With RaaS, the heavy lifting – developing malware, maintaining infrastructure, and negotiating payment in GhostLocker’s case – is all done for threat actors. These operations offer a low-risk, high-reward proposition, no coding skills required.

Ransomware-as-a-Service isn’t new. For years, groups like DarkSide, Ryuk, and REvil have been making headlines and racking up ill-gotten gains. However, what has changed is that ransomware attacks are becoming more frequent, more costly, and targeting more types of businesses.

Rise in Attacks: Over the last five years, attacks have risen dramatically. In 2015, 55% of organizations worldwide reported being a victim; in 2023, that number jumped to nearly 73%.

Skyrocketing Ransom Demands: In 2023, the average ransom demand was $1.54 million, nearly twice as much as in 2022 ($812,380).

Revenue Doesn’t Matter: Companies earning less than $1 million were attacked at an identical rate to those earning between $500 million and $1 billion (about 31 cases each between January 2022 and January 2023). Companies with revenues ranging from $10-25 million suffered the most, with nearly four times the attacks (133 cases).

Neither Does Company Size: Small (11-50 employees) and mid-sized businesses (51-200 employees) are prime targets, reporting 281 and 395 ransomware attacks, respectively. Companies with 1-10 and 1000-5000 employees experience similar cyberattack rates, 84 and 110, respectively.

No Industry Is Safe: By case numbers, construction (142), finance (123), and manufacturing (121) were the most targeted industries. The public sector (78), retail (77), education (67), and healthcare (65) rounded out the top 11 spots on NordLocker’s most attacked industries.

Several other emerging trends paint a concerning picture. As more organizations engage with third-party vendors, hackers increasingly see those vendors as prime targets. In 2022, ransomware was the second leading cause of third-party cyber breaches. Cybercriminals are continuing to exploit pandemic-weakened sectors like healthcare, education, and municipalities and targeting remote workers on vulnerable personal devices. Threat actors have also been actively spreading malware by exploiting mobile devices through relaxed permissions and emergency alert notifications. Finally, the decentralized nature of RaaS makes it nearly impossible for authorities to hold bad actors accountable.

Face the Enemy with Confidence

Ransomware is here to stay. As long as it remains profitable, hackers will continue to adapt and evolve their RaaS models. Businesses need a security posture as adaptable and innovative as the criminals they face.

Take proactive measures such as regularly backing up systems and data, auditing security practices of external vendors, and raising awareness with employees. However, a robust cybersecurity strategy requires a 24/7 Managed Detection and Response (MDR) solution like CYREBRO’s. By constantly monitoring your network for suspicious activity, hunting down threats before they can wreak havoc, and neutralizing them with surgical precision, an MDR ensures that even the most sophisticated RaaS-powered attacks will be met with a formidable wall of defense.

Complacency is your worst enemy; you could be the next victim tomorrow. If you don’t want the GhostLockers of the world to hold your company hostage, you must invest in proactive security and embrace the right solutions today.
