{
	"id": "54f1eb58-7ef2-4dfa-bdef-1b9b5766634c",
	"created_at": "2026-04-06T00:17:50.44176Z",
	"updated_at": "2026-04-10T03:30:57.106631Z",
	"deleted_at": null,
	"sha1_hash": "59f602c0594d6140c9689aed7c5cda03fe4aa692",
	"title": "GhostSec offers Ransomware-as-a-Service Possibly Used to Target Israel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4102408,
	"plain_text": "GhostSec offers Ransomware-as-a-Service Possibly Used to Target Israel\r\nBy Uptycs Threat Research\r\nPublished: 2023-11-03 · Archived: 2026-04-02 10:36:35 UTC\r\nThe hacker collective called GhostSec has unveiled an innovative Ransomware-as-a-Service (RaaS) framework called GhostLocker. They provide comprehensive assistance to customers interested in acquiring this service through a dedicated Telegram channel. Presently, GhostSec is focusing its attacks on Israel. This move represents a surprising departure from their past activities and stated agenda.\r\nGhostSec (aka Ghost Security) is a hacktivist group that emerged as an offshoot of Anonymous. They primarily focused on counterterrorism efforts and monitoring online activities associated with terrorism. They gained prominence following the 2015 Charlie Hebdo shooting in Paris and the rise of ISIS. Previously dedicated to tracking and disrupting ISIS-related online propaganda, they notably collaborate more closely with law enforcement and intelligence agencies than their predecessor, Anonymous.\r\nThe recent turn of events raises questions about the group's current motivations and objectives.\r\nGhostSec hacker group's cyber attacks on Israel: Historical overview\r\nGhostSec is one of the five hacktivist groups that make up \"The Five Families,\" alongside four other hacking collectives as listed below.\r\nhttps://www.uptycs.com/blog/ghostlocker-ransomware-ghostsec\r\nPage 1 of 19\r\nFigure 1 – Hacker group members\r\nOur threat intelligence teams have been consistently monitoring this hacker group, which over the past year has been responsible for cyberattacks against Israel in support of Palestine.\r\nRecent history of GhostSec activity:\r\nIn May 2022, the HRVAC website in Israel was hacked, resulting in the release of personal and credential data.\r\nIn June 2022, the hacker group targeted the telecommunication and electricity industries with successful hacks.\r\nIn July 2022, the focus of the attacks was on the energy and sewage systems industries.\r\nIn August 2022, military data and railway system API data were exposed in a data leak.\r\nIn September 2022, PLC devices became the target of the attacks.\r\nIn April 2023, the focus of the attacks was on the water pump industry.\r\nIn May 2023, unauthorized access to PLC devices resulted in a data leak.\r\nIn October 2023, there was an attack on water pumps alongside the deployment of GhostLocker ransomware.\r\nDuring November 2023, this group continuously launched cyber attacks on Israel in response to alleged war crimes.\r\nFigure 2 – Chronological sequence of GhostSec's focus on Israel as a target\r\nFigure 2 shows a timeline of Telegram communications captured from GhostSec by the Uptycs Threat Research Team. The GhostSec communications appear to lend support to Palestine and encourage a variety of cyberattacks on Israel, including IoT attacks on infrastructure. In one Telegram post in October 2023, they show an unknown clip of what could be a news article or statement from Israel, which they hold up as an indicator that “Israel is worried,” to demonstrate the power of their GhostLocker RaaS and rally sales.\r\nIn addition to Israel, GhostSec has targeted various other regions using different hashtags, as depicted in the following two figures.\r\nFigure 3 shows a list and map of the countries that have been impacted by GhostSec's infections.\r\nFigure 3 – Nations impacted by the activities of the GhostSec hacking group\r\nRussia, Israel, Colombia, Iran, South Africa, Nigeria, Pakistan, Iraq, United Arab Emirates, Lebanon, France, Brazil, Sudan, Myanmar, Nicaragua, Philippines, Canada, Turkic\r\nAccording to our investigation of the Telegram channel, GhostSec employs specific hashtags for attacks directed at various countries. The snapshot below illustrates which countries have been affected and the frequency of their encounters with this threat group.\r\nFigure 4 – Country name with hashtag and attack counts\r\nThreat intelligence\r\nThe hacker group promotes their Ransomware-as-a-Service (RaaS) through a Telegram channel, offering it at an initial price of $999. If the offer is missed, they incrementally raise the price to $4999. This Telegram channel currently boasts approximately 688 members.\r\nFigure 5 – Telegram channel of GhostLocker ransomware\r\nThe ransom builder's options are presented as follows:\r\nDirectories to encrypt - either a directory or a drive letter for encrypting files.\r\nKill processes - Terminate any processes, such as MS Office or a targeted process.\r\nDisable services - Deactivate or disrupt any services, including antivirus (AV) or endpoint detection and response (EDR).\r\nRansom amount - The ransom amount is the sum demanded by attackers for the release of encrypted data or compromised systems. Flexible.\r\nSession ID - The session ID is used to establish a connection with the victim's machine.\r\nDelay - The delay serves to postpone execution, aiding in avoiding detection by antivirus (AV) and endpoint detection and response (EDR) systems.\r\nFigure 6 – Web panel of ransom builder\r\nThe following options are presented as checkboxes:\r\nSelf-deleted - Delete the binary from the victim machine.\r\nRemove background - Remove the desktop background.\r\nPrivilege escalation - The act of obtaining elevated access or permissions beyond what is typically allowed, potentially leading to unauthorized control or access.\r\nPersistence - Prevent the process from being terminated or going idle.\r\nWatchdog process - Responsible for automatically restarting the binary if it is unexpectedly terminated, either due to antivirus (AV) interference or an exploit.\r\nTechnical analysis\r\nStage 1 is an x64 executable binary compiled by the Python compiler Nuitka.\r\nNuitka is a tool for compiling Python code to machine code for improved performance and the creation of standalone executables. Nuitka is not a traditional compiler in the sense of converting Python to a completely different language or binary code like C or C++ compilers. Instead, it optimizes and translates Python code into C, which is then compiled into machine code. Unlike the commonly used Python compilers PyInstaller and Py2exe, Nuitka, a less commonly employed compiler, excels in terms of creating smaller compiled file sizes and enhancing resistance against reverse engineering. This makes the GhostLocker ransomware significantly more potent and capable.\r\nFigure 7 – Nuitka compiler strings in stage 1\r\nStage 1 drops several files in a new folder at the path \u003c%TEMP%/onefile_%PID%_%TIME%\u003e, where \"PID\" represents the process ID of the malware and the folder name also includes a timestamp indicating the moment of execution. The dropped files include dependent .pyd files and DLLs along with the stage 2 executable (which has the same name as stage 1).\r\nFigure 8 – Dropped files in %temp% folder\r\nThe stage 1 file creates a child process of stage 2 using the CreateProcess API. The stage 2 binary is also compiled using Nuitka; we can observe many strings such as nuitka_version indicating the Nuitka compiler.\r\nFigure 9 – Nuitka compiler strings in stage 2\r\nThe stage 2 binary is the actual ransomware executable, which on execution encrypts files and appends the extension .ghost.\r\nBy extracting the Python script we can look at its contents to see what activities it performs. It looks like the builder has created a Python script based on the options given (kill services, watchdog, etc.) and compiled it to an executable using the Nuitka compiler.\r\nFunctions in script\r\nMain function execution flow\r\nFigure 10 illustrates the primary function of the Python script.\r\nFigure 10 – Main function of script\r\nExplanation of each function step-by-step\r\n1. Copy self to startup directory.\r\nFigure 11 – Startup code\r\n2. Download watchdog: Download the watchdog, which restarts the locker in case it exits because of AV or any other issue.\r\nFigure 12 – Download watchdog\r\nWhen watchdog.exe is downloaded, it is launched, drops wuachost.exe and creates it as a child process. The main purpose of wuachost.exe is to launch the stage 2 locker at startup with admin rights. Both watchdog.exe and wuachost.exe are CPython binaries compiled using Nuitka.\r\nFigure 13 – Watchdog execution\r\n3. Increment launches: Posts to IP 88[.]218[.]61[.]141 that “Launches incremented successfully.”\r\nFigure 14 – Increment launches\r\n4. A secret key is generated using Fernet.generate_key() for symmetric encryption.\r\n5. encID is generated via the GenerateID function, which generates a random ID.\r\nFigure 15 – Create GenerateID\r\n6. SendDB: Sends ID, Key and PCName to the URL 'http://88[.]218[.]61[.]141/add' to register the victim.\r\nID: Random ID generated in step 3\r\nKey: Encryption key\r\nPCName: Victim's PC name\r\nFigure 16 – Grabbed victim data\r\n7. Kills services if specified in the builder by the hacker.\r\nFigure 17 – Kills services\r\n8. Gets the login name via the Python function os.getlogin() and substitutes it in the userconfig.directories class.\r\nFigure 18 – Get login name\r\n9. The Startcrypt function enumerates directories and encrypts each file.\r\nFigure 19 – Enumerating folder\r\nEncryptfile: Encrypts the file with the given key and appends the extension “.ghost”.\r\nFigure 20 – Encryption code\r\nEncryption:\r\nIt employs a Fernet implementation (https://cryptography.io/en/latest/fernet/) to provide 128-bit AES-CBC encryption for the entire contents of a file.\r\nFernet.generate_key() is used to generate a key, which is sent to the hacker via sendDB() before encryption.\r\nThe key is then used to encrypt the data and generate the ciphertext. The ciphertext, or encrypted data, is URL-safe base64-encoded and is referred to as a Fernet token.\r\nFigure 21 – Infected file\r\nEarlier, similar ransomware named Cryptonite and Cyrat were found where the ransomware code was written in Python and the Fernet module was used for encryption. An open-source Python-based ransomware using Fernet, Pyransom, is also available.\r\nIt deposits a ransom note named \"Readme.html.\"\r\nFigure 22 – Ransom note code\r\n10. Remove self from startup.\r\nFigure 23 – Remove startup entry code\r\n11. vriiyayxevkrysmr(encID): Opens readme.html in the default web browser.\r\nFigure 24 – Opening readme.html\r\n12. Removes the background and self-deletes.\r\nRansom note\r\nRansom notes are deposited in all the folders that have been targeted; file name: readme.html\r\nFigure 25 – Ransom note\r\nUptycs XDR coverage\r\nUptycs Extended Detection and Response flags a growing number of suspicious alerts, encompassing activities such as system startup, potential information theft, attempts to gain high-level access, termination of running services, executing processes from temporary locations, and the discovery of dropped files within the AppData folder. These alerts collectively contribute to an escalating level of suspicion.\r\nFigure 26 – Uptycs alert\r\nConclusion\r\nThe cybersecurity landscape is continually marred by a substantial and dynamic threat known as ransomware. The emergence of Ransomware-as-a-Service (RaaS) models, exemplified by GhostLocker, underscores the growing sophistication of cybercriminals. These pernicious threats frequently set their sights on both individuals and organizations, inflicting severe disruptions and financial setbacks. To shield against ransomware, it is imperative to adopt a comprehensive defense strategy. This strategy should encompass resilient backup systems, effective security software, user training, and a proactive incident response plan.\r\nPrecautions\r\nUtilize trustworthy antivirus and anti-malware solutions, ensuring they are regularly updated.\r\nMaintain current security patches for operating systems and software to stay protected.\r\nInform users/employees about the risks associated with clicking on unfamiliar links or downloading questionable attachments.\r\nEnforce robust email filtering to prevent malicious attachments and links from infiltrating your system.\r\nConsistently observe network traffic for any abnormal or questionable behaviors.\r\nFrequently back up essential data and store it in an offline location to safeguard against ransomware encryption.\r\nGhostLocker panel access\r\nBy executing the C2 hunting query below on Shodan, the Uptycs threat intelligence team uncovered additional IP addresses associated with GhostLocker's Affiliate Login panel.\r\nShodan Query: http.html_hash:-387969598\r\nFigure 27 – Shodan query\r\nThe images below showcase the login panel for the GhostLocker ransom builder. The hacker group utilized varying IP addresses for accessing the builder pages.\r\n1. 88[.]218[.]62[.]219\r\nFigure 28 – Log in page 1\r\n2. 195[.]2[.]79[.]117\r\nFigure 29 – Log in page 2\r\nCensys Query: services.http.response.body_hash=\"sha1:79a144bd95a43684c3c259e139200fb209ea8913\"\r\nIOC\r\nSource: https://www.uptycs.com/blog/ghostlocker-ransomware-ghostsec",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.uptycs.com/blog/ghostlocker-ransomware-ghostsec"
	],
	"report_names": [
		"ghostlocker-ransomware-ghostsec"
	],
	"threat_actors": [
		{
			"id": "93b7776d-9b37-496d-94a5-30bc36fd8800",
			"created_at": "2023-11-07T02:00:07.10019Z",
			"updated_at": "2026-04-10T02:00:03.407781Z",
			"deleted_at": null,
			"main_name": "GhostSec",
			"aliases": [
				"Ghost Security"
			],
			"source_name": "MISPGALAXY:GhostSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434670,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59f602c0594d6140c9689aed7c5cda03fe4aa692.pdf",
		"text": "https://archive.orkl.eu/59f602c0594d6140c9689aed7c5cda03fe4aa692.txt",
		"img": "https://archive.orkl.eu/59f602c0594d6140c9689aed7c5cda03fe4aa692.jpg"
	}
}