
Firms Worldwide Facing a Threat


A recent joint advisory issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) has drawn attention to the persistent threat posed by Ghost ransomware, also known as Cring. The group, believed to be based in China, has been active since early 2021 and has targeted organizations in more than 70 countries, affecting critical infrastructure, schools, healthcare facilities, government networks, and businesses of all sizes. Its primary objective is financial gain through ransom demands.

The Ghost operators employ a strategy that involves exploiting known vulnerabilities in internet-facing services that are running outdated software and firmware. By utilizing publicly available code, they target weaknesses in popular platforms such as Fortinet FortiOS appliances, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange. Once they gain entry, they deploy ransomware payloads like Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe to encrypt files and demand significant ransom payments in cryptocurrency. Although Ghost’s ransom notes often include threats to sell stolen data, their primary focus remains on encrypting systems to extort money.

To help organizations identify Ghost activity, the advisory lists several indicators of compromise (IOCs) to watch for, including file hashes, ransom email addresses, and the tools commonly used by Ghost actors. Any presence of these IOCs within a network should prompt immediate investigation. Beyond static IOCs, organizations should also look for unusual network behaviour such as scans for vulnerable devices, unauthorized manipulation of administrator accounts, and the execution of unfamiliar PowerShell scripts, all of which could signal Ghost activity.
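The following is an added example, not code from the advisory or this article, showing how the indicators above can be checked over endpoint telemetry: it matches the payload file names named on this page, a placeholder hash set (the page does not reproduce the advisory's hashes), encoded PowerShell launches, administrator account changes, and one host fanning out to many destinations. The pipe-delimited log format, the sample events, and the scan threshold are all constructed for the example.

```python
"""Flag the Ghost/Cring indicators described in the advisory over process,
account and connection events. Log format and sample lines are constructed."""
import re
from collections import defaultdict

# Payload names the advisory reports Ghost actors dropping.
GHOST_PAYLOAD_NAMES = {"cring.exe", "ghost.exe", "elysiumo.exe", "locker.exe"}
# File hashes come from the advisory itself; the page does not reproduce them,
# so this placeholder set stays empty until populated from the advisory.
GHOST_FILE_HASHES = set()
SCAN_THRESHOLD = 10  # distinct destinations from one host per batch (assumed)

ENC_PS = re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.I)
ADMIN_CHANGE = re.compile(
    r"\bnet1?\s+(user|localgroup)\b.*\s/add\b|administrator.*\b(added|created|reset)\b", re.I)

def parse_line(line):
    """Constructed format: host|user|kind|detail|sha256 (sha256 may be blank)."""
    host, user, kind, detail, sha256 = (line.strip().split("|") + [""])[:5]
    return {"host": host, "kind": kind, "detail": detail, "sha256": sha256.lower()}

def detect(lines):
    """Return (host, rule, detail) alerts for a batch of log lines."""
    alerts, targets = [], defaultdict(set)
    for ev in map(parse_line, lines):
        d, host = ev["detail"], ev["host"]
        if ev["kind"] == "process":
            image = d.split()[0].rsplit("\\", 1)[-1].lower() if d else ""
            if image in GHOST_PAYLOAD_NAMES:
                alerts.append((host, "ghost_payload_name", d))
            if ev["sha256"] and ev["sha256"] in GHOST_FILE_HASHES:
                alerts.append((host, "ghost_payload_hash", d))
            if ENC_PS.search(d):
                alerts.append((host, "encoded_powershell", d))
            if ADMIN_CHANGE.search(d):
                alerts.append((host, "admin_account_change", d))
        elif ev["kind"] == "account" and ADMIN_CHANGE.search(d):
            alerts.append((host, "admin_account_change", d))
        elif ev["kind"] == "net":
            targets[host].add(d)  # detail is "dst_ip:port"
    for src, dsts in targets.items():  # crude fan-out check for scanning
        if len(dsts) >= SCAN_THRESHOLD:
            alerts.append((src, "possible_scan", f"{len(dsts)} distinct destinations"))
    return alerts

SAMPLE_LOG = [  # constructed events; base64 body replaced by a placeholder
    "ws01|alice|process|C:\\Windows\\System32\\notepad.exe report.txt|",
    "srv02|SYSTEM|process|C:\\Windows\\Temp\\ElysiumO.exe|",
    "srv02|SYSTEM|process|powershell.exe -nop -w hidden -enc <base64-placeholder>|",
    "srv02|SYSTEM|process|net user backup_svc P@ssw0rd /add|",
    "dc01|admin|account|Administrators group member added: backup_svc|",
] + [f"srv02|SYSTEM|net|10.0.0.{i}:445|" for i in range(1, 13)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```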

To protect against Ghost ransomware attacks, organizations are advised to implement basic security measures. This includes maintaining regular backups, preferably in offline or segmented storage, to facilitate system restoration in the event of a ransomware incident. Prompt software and firmware patching is also crucial for addressing known vulnerabilities before they can be exploited. Network segmentation to isolate compromised systems, strengthening authentication procedures with multi-factor authentication (MFA), and conducting cybersecurity training for employees to mitigate phishing risks are recommended strategies as well.

Moreover, organizations are encouraged to enforce allowlisting to prevent unauthorized applications and scripts from running, bolster network monitoring to detect anomalies, and minimize service exposure by disabling unnecessary ports. Enhancing email security through advanced filtering and anti-spoofing measures can also help thwart phishing attempts and other email-based threats. Juliette Hudson, the CTO of CybaVerse, underscores the importance of timely patching and remediation in guarding against Ghost ransomware attacks, highlighting the urgent need for security updates to prevent exploitation of vulnerabilities. Additionally, she emphasizes the significance of cybersecurity hygiene, vulnerability testing, and security awareness training to bolster defense mechanisms against evolving threats.

Overall, the threat posed by Ghost ransomware underscores the critical need for organizations to prioritize cybersecurity measures and remain vigilant against potential attacks. By proactively implementing security best practices and staying informed about emerging threats, businesses can fortify their defenses and minimize the risk of falling victim to ransomware incidents.
