The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory warning about the widespread impact of the Ghost ransomware, also known as Cring.
Since its emergence in early 2021, this ransomware has compromised over 70 organizations globally, spanning critical infrastructure, healthcare, education, government networks, and private enterprises.
The advisory highlights the sophisticated tactics used by Ghost actors, who are believed to be operating from China.
Ghost ransomware operators exploit publicly known vulnerabilities in outdated software and firmware to gain unauthorized access to networks.
Among the exploited vulnerabilities are CVE-2018-13379 (Fortinet FortiOS), CVE-2010-2861 (Adobe ColdFusion), and several Microsoft Exchange flaws collectively known as ProxyShell.
These attacks are indiscriminate, targeting organizations that fail to apply timely security patches.
Once inside a network, Ghost actors deploy ransomware payloads such as Cring.exe, Ghost.exe, and Locker.exe to encrypt critical data.
The attackers demand ransom payments in cryptocurrency, typically ranging from tens to hundreds of thousands of dollars.
Although the actors claim to exfiltrate sensitive data for potential sale, investigators have observed limited data theft in most cases.
Ghost actors use advanced tools such as Cobalt Strike Beacon malware for command-and-control operations.
They also employ privilege escalation techniques using tools such as SharpZeroLogon and BadPotato to gain elevated access.
To evade detection, they disable antivirus software and use PowerShell commands to conceal malicious activities.
The ransomware group frequently rotates file extensions for encrypted files and modifies ransom notes to complicate attribution efforts.
They communicate with victims through encrypted email services such as ProtonMail and Tutanota, or via Tox IDs embedded in ransom notes.
To counter the threat posed by Ghost ransomware, CISA and the FBI recommend organizations adopt robust cybersecurity measures, including:
Organizations are also encouraged to validate their security controls using the MITRE ATT&CK framework and report any ransomware incidents to federal authorities.
The advisory underscores the growing threat posed by ransomware actors targeting vulnerable systems across various sectors.
While Ghost ransomware has primarily focused on financial extortion, its ability to disrupt critical infrastructure highlights the urgent need for enhanced cybersecurity resilience.
Both CISA and the FBI emphasize that paying ransoms does not guarantee data recovery and may incentivize further criminal activity.
As ransomware threats continue to evolve, federal agencies urge organizations to remain vigilant and proactive in defending against these attacks.