Shadow Masters: Unveiling the Secret World of Cyber Ghost Groups

As their tricks keep on enhancing, a new dimension has taken place in the form of secret or covert “ghost groups”

Ensar Seker
4 min readJan 31, 2024

These are such unseen faces who play a decent role in the world of cyber threats, and it seems that no clue exists to identify them. This blog brings to the fore the increasing visibility of sets like Zeon, Ryuk, Conti and surreptitious role-playing by many more supporting backend operations to cybercriminals. It explores opportunities for secrecy, enabling backend support for the likes of BlackCat, Akira, and LockBit 3.0. This means that their actions in making negotiation supports, their participation in the phishing campaign, and their work as initial access brokers will significantly reshape the landscape of cyber operations, simultaneously posing another set of challenges and questions for practitioners in the national and international realms.

Profile of Ghost Groups

The emergence of ghost groups signifies a new era in cyber operations. Shrouded in mystery, these groups specialize in remaining undetected while executing their operations. Their ability to maintain anonymity is not just a tactical choice; it’s a strategic one, enabling them to facilitate larger-scale attacks indirectly. These entities have mastered the art of cyber camouflage, often leaving no digital footprints, making them almost phantom-like in the cyber world.

Their multifaceted capabilities range from sophisticated phishing campaigns to the intricate art of initial access brokerage. This involves identifying and exploiting system vulnerabilities to gain unauthorized access, which they then sell to other cybercriminal groups. It’s a lucrative business in the underground cybermarket, where information and access are valuable commodities. Additionally, these ghost groups provide negotiation support in ransomware attacks, helping to broker deals between victims and attackers. This role amplifies the efficacy of ransomware groups and adds a layer of complexity to the cybercrime ecosystem.

Support to Prominent Cyber Groups

Ghost groups have established themselves as the unseen backbone for some of the most notorious cybercriminal factions, such as BlackCat, Akira, and LockBit 3.0. Their collaboration marks a significant evolution in cybercrime operations, where expertise and resources are shared in a shadowy cybercrime syndicate.

  • Negotiation Support: In the world of ransomware, negotiation is as crucial as the attack itself. Ghost groups provide expert negotiation services as intermediaries between attackers and victims. This service enhances the success rate of ransom demands and adds a professional sheen to these criminal enterprises, making them more formidable.
  • Phishing Campaigns: Phishing remains a primary vector for cyber attacks. Ghost groups are adept at crafting and deploying sophisticated phishing campaigns, which are the initial step in a multi-staged attack. By doing so, they lay the groundwork for more extensive attacks by their partners, such as data breaches and ransomware deployments.
  • Initial Access Brokerage: Perhaps their most crucial role is that of initial access brokers. These groups identify and exploit network vulnerabilities or use stolen credentials to gain access to target systems. This access is then sold to other cybercriminal groups, who use it to launch their attacks. This not only streamlines the attack process but also diversifies the threats posed by cybercriminals, making defense more challenging.

Impact on Cybersecurity

The involvement of ghost groups in cybercrime has significantly altered the cybersecurity threat landscape. With their covert operations and support for prominent cybercriminal entities, these groups have added new layers of complexity and sophistication to cyberattacks.

  • Enhanced Threat Complexity: The collaboration between ghost groups and other cybercriminal factions means that attacks are now more sophisticated and harder to trace. This complexity makes it challenging for cybersecurity professionals to defend against these threats and identify and track down the perpetrators.
  • Challenges for Cybersecurity Defenses: Traditional cybersecurity defenses are often designed to combat direct attacks. However, the indirect nature of ghost group operations, such as providing backend support and brokerage services, calls for reevaluating and enhancing current cybersecurity strategies.
  • Strategies for Detection and Mitigation: Addressing the threat that ghost groups pose requires a multifaceted approach. This includes investing in advanced threat intelligence to uncover and understand these groups' tactics, techniques, and procedures. Additionally, organizations must strengthen their internal security measures, such as regular security audits, employee training on phishing awareness, and implementing robust access controls.

The emergence of ghost groups in the cyber threat landscape marks a significant shift in cyber attacks. These groups have introduced a new level of complexity and sophistication in cybercrime by operating covertly and providing specialized services to more prominent cybercriminal factions. This trend underscores the need for continuous evolution in cybersecurity strategies, emphasizing advanced threat intelligence and robust internal security measures.

Looking ahead, we can anticipate that ghost groups will continue to evolve, adopting even more sophisticated methods to evade detection and enhance their criminal enterprises. This evolution will undoubtedly pose greater challenges for cybersecurity professionals, necessitating a proactive and dynamic approach to cyber defense. As the digital world continues to grow, staying vigilant and informed about these shadowy entities will be crucial in combating the ever-changing tide of cyber threats.