GhostSec

Actor Type	Criminal Group

GhostSec is a hacking group that claims to be part of a modern-day collective known as the Five Families. These families include other groups like ThreatSec, Stormous, Blackforums, and SiegedSec.

Their activities are financially motivated, and they conduct both single (encryption only) and double (encryption and data leaking) extortion attacks on victims across various geographies.

GhostSec has evolved over time, initially lauching 'GhostLocker' Ransomware-as-a-Service which was subsequently upgraded to GhostLocker 2.0. The group has been observed collaborating with the Stormous ransomware group to conduct joint attacks.

In addition to ransomware, the group has been observed targeting Israel's industrial control systems, critical infrastructure, and technology companies.

Cyber Threat Graph Context

Explore how this Intrusion Set relates to the wider threat graph

GhostSec Threat Reports

Report

GhostSec’s joint ransomware operation and evolution of their arsenal

This Threat Spotlight from Cisco Talos describes the evolution of GhostSec's ransomware operations including their work with the Stormous ...

View Source

References

MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use by this intrusion set.

Search:

ATT&CK ID	Title	Associated Tactics
T1036	Masquerading	Defense Evasion
T1486	Data Encrypted for Impact	Impact
T1204	User Execution	Execution
T1569.002	Service Execution	Execution
T1560	Archive Collected Data	Collection
T1543	Create or Modify System Process	Persistence, Privilege Escalation
T1140	Deobfuscate/Decode Files or Information	Defense Evasion
T1010	Application Window Discovery	Discovery
T1071	Application Layer Protocol	Command and Control
T1059	Command and Scripting Interpreter	Execution
T1090.001	Internal Proxy	Command and Control
T1564.001	Hidden Files and Directories	Defense Evasion
T1027	Obfuscated Files or Information	Defense Evasion
T1003	OS Credential Dumping	Credential Access
T1106	Native API	Execution
T1202	Indirect Command Execution	Defense Evasion
T1048	Exfiltration Over Alternative Protocol	Exfiltration
T1021	Remote Services	Lateral Movement
T1074	Data Staged	Collection
T1561	Disk Wipe	Impact
T1578	Modify Cloud Compute Infrastructure	Defense Evasion
T1129	Shared Modules	Execution
T1485	Data Destruction	Impact
T1078	Valid Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1547.001	Registry Run Keys / Startup Folder	Persistence, Privilege Escalation
T1095	Non-Application Layer Protocol	Command and Control

Showing 1 to 26 of 26 entries

GhostSec

Cyber Threat Graph Context

GhostSec Threat Reports

GhostSec’s joint ransomware operation and evolution of their arsenal

References

blog.talosintelligence.com

www.infosecurity-magazine.com

www.uptycs.com

MITRE ATT&CK Techniques