The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory warning about the increasing threat posed by Ghost ransomware.
This malicious campaign has already impacted more than 70 organizations across various sectors, exploiting vulnerabilities in widely-used software to gain access to targeted networks.
The FBI has observed Ghost ransomware operators, referred to as “Ghost actors,” exploiting public-facing applications associated with several Common Vulnerabilities and Exposures (CVEs).
These include vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), Adobe ColdFusion (CVE-2010-2861, CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange servers using the ProxyShell attack chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
By leveraging these flaws, attackers gain initial access to networks and implant malicious tools.
Ghost actors employ a variety of sophisticated methods to execute their attacks:
Ghost actors disable antivirus software and Windows Defender to evade detection using specific commands.
They also leverage built-in tools for discovery, such as SharpShares for network share discovery and Ladon 911 for remote systems discovery.
For lateral movement, they rely on Windows Management Instrumentation Command-Line (WMIC) and PowerShell commands to infect additional systems.
Ghost ransomware variants—Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe—encrypt files on compromised systems while excluding critical directories to maintain device operability.
Victims are left unable to recover encrypted data without a decryption key. Ransom demands range from tens to hundreds of thousands of dollars in cryptocurrency.
CISA and the FBI urge organizations to patch known vulnerabilities promptly, implement robust security measures such as network segmentation, and monitor for indicators of compromise.
The advisory underscores the importance of proactive defense strategies against this evolving ransomware threat.
Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…