GhostSec
Actor Type | Criminal Group |
---|
GhostSec is a hacking group that claims to be part of a modern-day collective known as the Five Families. These families include other groups like ThreatSec, Stormous, Blackforums, and SiegedSec.
The group is financially motivated and conducts both single-extortion (encryption only) and double-extortion (encryption plus data theft and leaking) attacks against victims across a range of geographies.
GhostSec has evolved over time. It initially launched the 'GhostLocker' Ransomware-as-a-Service offering, which was subsequently upgraded to GhostLocker 2.0. The group has also been observed collaborating with the Stormous ransomware group to conduct joint attacks.
In addition to ransomware, the group has been observed targeting Israel's industrial control systems, critical infrastructure, and technology companies.
GhostSec Threat Reports
GhostSec’s joint ransomware operation and evolution of their arsenal
This Threat Spotlight from Cisco Talos describes the evolution of GhostSec's ransomware operations including their work with the Stormous ...
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1036 | Masquerading | Defense Evasion |
T1486 | Data Encrypted for Impact | Impact |
T1204 | User Execution | Execution |
T1569.002 | Service Execution | Execution |
T1560 | Archive Collected Data | Collection |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
T1010 | Application Window Discovery | Discovery |
T1071 | Application Layer Protocol | Command and Control |
T1059 | Command and Scripting Interpreter | Execution |
T1090.001 | Internal Proxy | Command and Control |
T1564.001 | Hidden Files and Directories | Defense Evasion |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1003 | OS Credential Dumping | Credential Access |
T1106 | Native API | Execution |
T1202 | Indirect Command Execution | Defense Evasion |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1021 | Remote Services | Lateral Movement |
T1074 | Data Staged | Collection |
T1561 | Disk Wipe | Impact |
T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
T1129 | Shared Modules | Execution |
T1485 | Data Destruction | Impact |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1095 | Non-Application Layer Protocol | Command and Control |