Cyber Security News

CISA and FBI Issue Alert as Ghost Ransomware Targets 70+ Organizations

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory warning about the increasing threat posed by Ghost ransomware.

This malicious campaign has already impacted more than 70 organizations across various sectors, exploiting vulnerabilities in widely-used software to gain access to targeted networks.

Exploitation of Vulnerabilities

The FBI has observed Ghost ransomware operators, referred to as “Ghost actors,” exploiting public-facing applications associated with several Common Vulnerabilities and Exposures (CVEs).

These include vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), Adobe ColdFusion (CVE-2010-2861CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange servers using the ProxyShell attack chain (CVE-2021-34473CVE-2021-34523CVE-2021-31207).

By leveraging these flaws, attackers gain initial access to networks and implant malicious tools.

Tactics and Techniques

Ghost actors employ a variety of sophisticated methods to execute their attacks:

  • Execution and Persistence: Once inside a network, attackers deploy web shells to compromised servers and use tools like Windows Command Prompt or PowerShell to download Cobalt Strike Beacon malware. This commercially available tool is misused to simulate adversarial operations. Despite their efficiency, Ghost actors typically spend only a few days on victim networks, often deploying ransomware within 24 hours of initial compromise.
  • Privilege Escalation: Attackers use built-in Cobalt Strike functions or open-source tools like “SharpZeroLogon” and “BadPotato” to escalate privileges. These tools allow them to impersonate high-level users or gain administrative access.
  • Credential Access: Techniques such as password dumping via Mimikatz or Cobalt Strike’s “hashdump” function enable attackers to collect credentials for unauthorized logins.

Ghost actors disable antivirus software and Windows Defender to evade detection using specific commands.

They also leverage built-in tools for discovery, such as SharpShares for network share discovery and Ladon 911 for remote systems discovery.

For lateral movement, they rely on Windows Management Instrumentation Command-Line (WMIC) and PowerShell commands to infect additional systems.

Ghost ransomware variants—Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe—encrypt files on compromised systems while excluding critical directories to maintain device operability.

Victims are left unable to recover encrypted data without a decryption key. Ransom demands range from tens to hundreds of thousands of dollars in cryptocurrency.

CISA and the FBI urge organizations to patch known vulnerabilities promptly, implement robust security measures such as network segmentation, and monitor for indicators of compromise.

The advisory underscores the importance of proactive defense strategies against this evolving ransomware threat.

Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

2 days ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

2 days ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

2 days ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

2 days ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

2 days ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

3 days ago