Ghost Army Ransomware Description
The Ghost Army Ransomware is an encryption ransomware Trojan that was first observed on January 16, 2018. The Ghost Army Ransomware is being delivered to victims through a fake copy of VPN software. Computer users have reported becoming infected with the Ghost Army Ransomware after downloading a fake copy of the 'Hide My Ass VPN,' a real VPN program that is used widely. Pirated software is a common way of delivering threats to victims, and this is a typical case of this distribution method. The attack that the Ghost Army Ransomware carries out is fairly typical of these infections: the Ghost Army Ransomware will use a strong encryption algorithm to make the victim's files inaccessible and then will demand the payment of a ransom from the victim.
Now the Cybercrooks are Using a Ghost Army to Attack Your Files
The Ghost Army Ransomware seems to belong to a family of ransomware Trojans that was already active, which includes the Aviso and the Crypt888 Ransomware, as well as several other encryption ransomware Trojans. The Ghost Army Ransomware will use an AES encryption algorithm to encrypt the victim's files and make them inaccessible with its attack. The Ghost Army Ransomware will target the user-generated files, which can include images, music, videos, texts, and numerous other document types. The file types that are typically targeted by encryption ransomware attacks like the Ghost Army Ransomware include:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.
Ransomware Trojans like the Ghost Army Ransomware will target the user-generated files while avoiding the Windows system files, since they require Windows to remain functional so that the victim can receive a ransom note and make the payment online. The Ghost Army Ransomware will mark the files encrypted by the attack by adding the prefix 'Lock.' to each encrypted file name. This is an anomaly to some extent, since most encryption ransomware Trojans append a string to the end of each affected file name as a new extension rather than prepending it to the beginning, as in this case.
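As an added example (not code from the original article or from any decryptor), the following Python script hunts a directory tree for files carrying the 'Lock.' prefix described above, checking the original extension that remains at the end of the name against a subset of the extension list on this page. The sample directory and file names are constructed here for illustration.

```python
import os
import tempfile
from pathlib import Path

# Prefix the article says the Ghost Army Ransomware prepends to encrypted files.
LOCK_PREFIX = "Lock."

# Subset of the targeted extension list given on this page.
TARGETED_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".mp3", ".zip", ".txt",
}


def is_locked_name(name: str) -> bool:
    """True if a file name matches the Ghost Army prefix-style rename.

    Unlike most ransomware, which appends a new extension, this family prepends
    'Lock.' and leaves the original extension intact, so the check looks at the
    start of the name and then at the suffix that is still visible at the end.
    """
    if not name.startswith(LOCK_PREFIX):
        return False
    original = name[len(LOCK_PREFIX):]
    return Path(original).suffix.lower() in TARGETED_EXTENSIONS


def find_locked_files(root: str) -> list[str]:
    """Walk a directory tree and return sorted paths matching the naming scheme."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fname in filenames:
            if is_locked_name(fname):
                hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def demo() -> list[str]:
    """Build a constructed sample tree and return the relative paths flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: two prefix-renamed files, one untouched file,
        # and one decoy using the more common suffix-style rename.
        for name in ("Lock.report.docx", "photos/Lock.holiday.jpg", "notes.txt", "backup.zip.locked"):
            p = Path(tmp, name)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"\x00sample")
        return [os.path.relpath(h, tmp) for h in find_locked_files(tmp)]


if __name__ == "__main__":
    for path in demo():
        print("possible Ghost Army artifact:", path)
```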
How the Cybercrooks may Profit from the Ghost Army Ransomware
The Ghost Army Ransomware will deliver a ransom note to the victims since their files are encrypted, and they will need to pay to get them back to normal. The Ghost Army Ransomware will change the infected computer's desktop image into the ransom note. The victim's desktop image will be replaced with an image that contains the following message:
'YOU HAVE BEEN HACKED =)
ALL YOUR FILES HAS BEEN ENCRYPTED. FOR REPAIR CONTACT US:
IF YOU ARE NOT SURE, TURN OFF THE COMPUTER'
It is unlikely that the Ghost Army Ransomware is being developed by an advanced group. The use of a public Gmail address, for example, is not typical of these attacks, since such email addresses are disabled once they are found to be associated with hoaxes. Fortunately, PC security researchers have released decryption software to help victims of the Ghost Army Ransomware attack recover their files. However, it is likely that new versions of the Ghost Army Ransomware will be released for which the existing decryption software will no longer work, making file backups and security software more important than ever.