Cyber Security News

CISA and FBI Issue Alert as Ghost Ransomware Targets 70+ Organizations

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory warning about the increasing threat posed by Ghost ransomware.

This malicious campaign has already impacted more than 70 organizations across various sectors, exploiting vulnerabilities in widely-used software to gain access to targeted networks.

Exploitation of Vulnerabilities

The FBI has observed Ghost ransomware operators, referred to as “Ghost actors,” exploiting public-facing applications associated with several Common Vulnerabilities and Exposures (CVEs).

These include vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), Adobe ColdFusion (CVE-2010-2861CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange servers using the ProxyShell attack chain (CVE-2021-34473CVE-2021-34523CVE-2021-31207).

By leveraging these flaws, attackers gain initial access to networks and implant malicious tools.

Tactics and Techniques

Ghost actors employ a variety of sophisticated methods to execute their attacks:

  • Execution and Persistence: Once inside a network, attackers deploy web shells to compromised servers and use tools like Windows Command Prompt or PowerShell to download Cobalt Strike Beacon malware. This commercially available tool is misused to simulate adversarial operations. Despite their efficiency, Ghost actors typically spend only a few days on victim networks, often deploying ransomware within 24 hours of initial compromise.
  • Privilege Escalation: Attackers use built-in Cobalt Strike functions or open-source tools like “SharpZeroLogon” and “BadPotato” to escalate privileges. These tools allow them to impersonate high-level users or gain administrative access.
  • Credential Access: Techniques such as password dumping via Mimikatz or Cobalt Strike’s “hashdump” function enable attackers to collect credentials for unauthorized logins.

Ghost actors disable antivirus software and Windows Defender to evade detection using specific commands.

They also leverage built-in tools for discovery, such as SharpShares for network share discovery and Ladon 911 for remote systems discovery.

For lateral movement, they rely on Windows Management Instrumentation Command-Line (WMIC) and PowerShell commands to infect additional systems.

Ghost ransomware variants—Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe—encrypt files on compromised systems while excluding critical directories to maintain device operability.

Victims are left unable to recover encrypted data without a decryption key. Ransom demands range from tens to hundreds of thousands of dollars in cryptocurrency.

CISA and the FBI urge organizations to patch known vulnerabilities promptly, implement robust security measures such as network segmentation, and monitor for indicators of compromise.

The advisory underscores the importance of proactive defense strategies against this evolving ransomware threat.

Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Researchers Turn the Tables: Scamming the Scammers in Telegram’s PigButchering Scheme

Cybersecurity specialists have devised an innovative approach to combat an emerging cybercrime called "PigButchering" on…

1 hour ago

New Spam Campaign Leverages Remote Monitoring Tools to Exploit Organizations

A sophisticated spam campaign targeting Portuguese-speaking users in Brazil has been uncovered by Cisco Talos,…

2 hours ago

New Attack Exploits X/Twitter Ad URL Feature to Deceive Users

Silent Push Threat Analysts have recently exposed a sophisticated financial scam leveraging a vulnerability in…

2 hours ago

Guess Which Browser Tops the List for Data Collection!

Google Chrome has emerged as the undisputed champion of data collection among 10 popular web…

2 hours ago

DOGE Big Balls Ransomware Leverages Open-Source Tools and Custom Scripts for Multi-Stage Attacks

A recent discovery by Netskope Threat Labs has brought to light a highly complex ransomware…

2 hours ago

Ransomware-as-a-Service (RaaS) Emerges as a Leading Framework for Cyberattacks

Ransomware-as-a-Service (RaaS) has solidified its position as the dominant framework driving ransomware attacks in 2024,…

2 hours ago