The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory warning about the increasing threat posed by Ghost ransomware.
This malicious campaign has already impacted more than 70 organizations across various sectors, exploiting vulnerabilities in widely-used software to gain access to targeted networks.
The FBI has observed Ghost ransomware operators, referred to as “Ghost actors,” exploiting public-facing applications associated with several Common Vulnerabilities and Exposures (CVEs).
These include vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), Adobe ColdFusion (CVE-2010-2861, CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange servers using the ProxyShell attack chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
By leveraging these flaws, attackers gain initial access to networks and implant malicious tools.
Ghost actors employ a variety of sophisticated methods to execute their attacks:
Ghost actors disable antivirus software and Windows Defender to evade detection using specific commands.
They also leverage built-in tools for discovery, such as SharpShares for network share discovery and Ladon 911 for remote systems discovery.
For lateral movement, they rely on Windows Management Instrumentation Command-Line (WMIC) and PowerShell commands to infect additional systems.
Ghost ransomware variants—Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe—encrypt files on compromised systems while excluding critical directories to maintain device operability.
Victims are left unable to recover encrypted data without a decryption key. Ransom demands range from tens to hundreds of thousands of dollars in cryptocurrency.
CISA and the FBI urge organizations to patch known vulnerabilities promptly, implement robust security measures such as network segmentation, and monitor for indicators of compromise.
The advisory underscores the importance of proactive defense strategies against this evolving ransomware threat.
Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here
Cybersecurity specialists have devised an innovative approach to combat an emerging cybercrime called "PigButchering" on…
A sophisticated spam campaign targeting Portuguese-speaking users in Brazil has been uncovered by Cisco Talos,…
Silent Push Threat Analysts have recently exposed a sophisticated financial scam leveraging a vulnerability in…
Google Chrome has emerged as the undisputed champion of data collection among 10 popular web…
A recent discovery by Netskope Threat Labs has brought to light a highly complex ransomware…
Ransomware-as-a-Service (RaaS) has solidified its position as the dominant framework driving ransomware attacks in 2024,…