A new ransomware variant known as “Ghost” (also referred to as Cring) has emerged as a significant danger.
Ghost first appeared in 2021, and in February 2025 the FBI and CISA issued a joint advisory highlighting its growing menace, particularly after a sharp increase in attacks on critical infrastructure, healthcare facilities, and financial institutions across over 70 countries.
The Ghost ransomware campaign has intensified its attacks, exploiting common vulnerabilities in public-facing systems to infiltrate organizations.
Ghost ransomware operators are believed to be a financially motivated cybercriminal group based in China, distancing themselves from state-sponsored espionage activities.
Their modus operandi involves rapid deployment of encryption attacks, often achieving full system compromise in under 24 hours.
This quick strike approach marks a departure from previous ransomware groups like Conti or LockBit, which often lingered on networks for weeks.
Ghost employs sophisticated methods to bypass traditional security measures.
It starts by targeting unpatched systems, scanning for vulnerabilities in VPN appliances, web servers, or email servers.
Once inside, the attackers establish persistent access by planting web shells, deploying tools like Cobalt Strike, and escalating privileges to administrative levels.
According to the report, this foothold allows them to exfiltrate sensitive data, providing additional leverage for their double-extortion tactic: encrypting data and threatening to leak or sell it if ransom demands are not met.
The widespread nature of Ghost’s attacks is unprecedented, affecting not only the US, Canada, and UK but also reaching into Europe, Asia, and Australia.
The choice of targets spans multiple sectors, focusing on hospitals, energy providers, financial services, government agencies, and manufacturing units.
For organizations, defense against this pervasive threat involves several key strategies:
Efforts by law enforcement, including international collaborations like the U.S., U.K., and Australian sanctions against facilitators of ransomware, underscore the global response to tackle this menace.
However, the challenge in prosecuting Ghost operators remains due to their geographic shelter in China, where extradition is not straightforward.
The global community continues to urge organizations to prioritize cybersecurity, with an emphasis on preventative measures and incident response readiness to combat this new ransomware threat that has no bounds, affecting industries across the globe.