Author: Cyberint Research Team
The Cyberint Research Team works round the clock to unearth the latest threats to SMBs and enterprises. They are on top of the latest TTPs and monitor rising threat groups, malware and trends.
GhostLocker: The New Ransomware On The Block
First Published: Oct 2023
Updated: June 2025
In October 2023, a new ransomware franchise named GhostLocker emerged. GhostLocker was a new Ransomware-as-a-Service (RaaS) established by several hacktivist groups led by GhostSec.
Recently, many hacktivist groups have tried to engage in cybercrime activities in order to sustain themselves and GhostLocker seems to be one of these cases. In fact, some ransomware groups have already migrated to using GhostLocker instead of their original products.
GhostLocker Announcement
On October 6th, several hacktivist groups, including SiegedSec, GhostSec and The Five Families collective, announced a new Ransomware-as-a-Service named GhostLocker (Figure 2).
The GhostLocker RaaS crew claimed to support advanced new techniques and to prioritize effectiveness.
In addition, the operators behind GhostLocker claimed it was fully undetected and that they would be responsible for infrastructures and negotiations – something very common with RaaS operators.
Finally, the fee that GhostLocker takes from its affiliates was fairly low, at 15%.
GhostLocker RaaS Affiliation
When observing the threat groups advertising the GhostLocker RaaS, we can see that the groups operating it are GhostSec and SiegedSec – two hacktivist groups that emerged at the beginning of 2022.
GhostLocker Adoption
Some ransomware groups have already announced that they are going to join this RaaS, such as Stormous (Figure 4).
GhostLocker TTPs
The INCD has looked into known samples and suspects that the ransomware is Python-based and compiled by Nuitka. Nuitka drops an .EXE file and multiple .PYD files in the TEMP directory. The .EXE file contains the original malware's Python source code, encoded in base64 for obfuscation. The ransomware targets Windows machines and encrypts with AES.
GhostLocker encrypts files using the Fernet library. It generates a key by calling Fernet.generate_key, whose underlying implementation reads a 32-byte buffer from os.urandom, which is backed by CryptGenRandom on Windows.
Figure: GhostLocker encryption (Source: INCD)
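As an added triage example (not code from the INCD analysis or from the ransomware), the stdlib-only Python below parses the Fernet token framing described above, so a responder can tell whether a recovered file is Fernet-shaped, read the minting timestamp for the incident timeline, and check whether a candidate key recovered from memory or traffic authenticates the token. The sample key and token are constructed here; no AES is performed.

```python
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

FERNET_VERSION = 0x80                 # the only version byte the Fernet spec defines
MAC_LEN = 32                          # trailing HMAC-SHA256
MIN_LEN = 1 + 8 + 16 + 16 + MAC_LEN   # version, timestamp, IV, one AES block, MAC
@dataclass
class FernetToken:
    timestamp: int     # Unix seconds, written by Fernet when the token was minted
    iv: bytes
    ciphertext: bytes  # AES-128-CBC body, always a multiple of 16 bytes
    mac: bytes
    def minted_at(self) -> str:
        return datetime.fromtimestamp(self.timestamp, timezone.utc).isoformat()

def parse_fernet_token(blob: bytes) -> Optional[FernetToken]:
    """Return the fields if blob is Fernet-shaped, else None (binascii.Error is a ValueError)."""
    try:
        raw = base64.urlsafe_b64decode(blob)
    except ValueError:
        return None
    if len(raw) < MIN_LEN or raw[0] != FERNET_VERSION:
        return None
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    (timestamp,) = struct.unpack(">Q", body[1:9])
    ciphertext = body[25:]
    if len(ciphertext) % 16:
        return None
    return FernetToken(timestamp, body[9:25], ciphertext, mac)

def key_authenticates(blob: bytes, key: bytes) -> bool:
    """True if a recovered Fernet key (its first 16 raw bytes are the signing key) verifies the token."""
    raw_key = base64.urlsafe_b64decode(key)
    raw = base64.urlsafe_b64decode(blob)
    expected = hmac.new(raw_key[:16], raw[:-MAC_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(expected, raw[-MAC_LEN:])

# Constructed sample, not real malware output: fixed key, token "minted" 2023-10-06 00:00 UTC,
# and 32 filler bytes standing in for ciphertext (only framing and MAC are exercised).
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))
def make_sample_token(key: bytes = SAMPLE_KEY, timestamp: int = 1696550400) -> bytes:
    raw_key = base64.urlsafe_b64decode(key)
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + bytes(16) + b"\xaa" * 32
    mac = hmac.new(raw_key[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac)
```

If a key does authenticate a real token, the body can then be decrypted with the cryptography package's Fernet class; the timestamp field is the encryption time the malware's own library wrote, which is useful for ordering events during response.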
The ransomware communicates with C2 servers using IPs with specific paths that indicate progress and other commands.
GhostSec Retirement
On May 15th, GhostSec retired from cyber-crime activities and returned to their primary domain, operating as hacktivists. They mentioned that they will move all management and operation of the RaaS program to Stormous.
Given that Stormous is a part of The Five Families collective, it is highly likely that they also helped in the development of GhostLocker and that some code overlaps might occur as a result between GhostLocker and StormousX.
Hacktivism Engaging With Cybercrime
When looking at the GhostLocker RaaS, many might wonder why a hacktivist group would engage in cybercrime like ransomware.
The answer is fairly simple.
While hacktivists would like to promote their agendas, their infrastructure and other tools can be expensive to run, and in order to sustain themselves they have to engage in cybercrime.
In GhostSec's and SiegedSec's case, there is a chance that, because they are part of The Five Families collective, which also includes Stormous, a cybercrime group, they have to contribute in ways that sometimes go against their agendas.
Cyberint and the Dark Web
Cyberint excels in accessing high-tier sources that remain elusive to most companies. Our unique ability to penetrate these hidden corners enables us to collect and analyze invaluable data. We enrich our automated collection with a human approach, through research and analysis of our military-grade expert team.
Find new sources in deep and dark web marketplaces, forums, and sites, even if those sources are volatile and difficult to track. Get deep analysis and reports that allow you to understand a specific threat actor and group profile, including the places of operation, targeted countries or verticals, TTPs and more. Get a demo and see what assets you have exposed on the deep & dark web.
TTPs
| Tactic | Technique |
|---|---|
| Impact | T1486 – Data Encrypted for Impact |
| Reconnaissance | T1592 – Gather Victim Host Information |
| Impact | T1489 – Service Stop |