
Ghost Ransomware Reappears – Should Your Organization Be Concerned?


The Ghost ransomware group, also known as Cring, has been actively exploiting vulnerabilities in software and firmware, according to an alert issued by the FBI and CISA. This group, operating from China, has been targeting internet-facing services with unpatched security flaws, compromising organizations across more than 70 countries.

The alert, released in collaboration with the Multi-State Information Sharing and Analysis Center (MS-ISAC), emphasized Ghost’s focus on vulnerabilities in unpatched Fortinet security appliances, Adobe ColdFusion web application servers, and Microsoft Exchange servers exposed to the ProxyShell attack chain vulnerabilities. These vulnerabilities allow Ghost to breach systems, deploy ransomware, and demand financial payments from victims. The group’s targets include critical infrastructure, healthcare facilities, educational institutions, government networks, religious organizations, technology firms, manufacturing companies, and small to medium-sized businesses.

Ghost ransomware actors have developed various tactics, techniques, and procedures to evade detection and complicate attribution. They frequently rotate their ransomware payloads, modify ransom note texts, switch file extensions for encrypted files, and use multiple ransom email addresses. Cybersecurity experts have associated different names with the group over time, including Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.

The actors rely on publicly available code to exploit well-known Common Vulnerabilities and Exposures (CVEs) in systems where patches have not been applied. The vulnerabilities they have actively exploited include flaws in Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange (the ProxyShell attack chain). Upon gaining access, Ghost actors deploy malicious tools such as the Cobalt Strike Beacon to implant themselves within victim networks.

Ghost actors typically spend only a few days within a victim’s network before deploying ransomware. During that time they create new accounts, modify existing passwords, and deploy additional web shells for persistence and privilege escalation. By exploiting weaknesses in system configurations and using publicly available tools, they escalate privileges and cause maximum disruption.

The primary goal of Ghost ransomware attacks is financial gain, with ransom demands varying widely. The impact of these attacks differs, with some organizations experiencing data encryption and operational disruptions, while others have managed to restore operations without paying a ransom.

To mitigate the risks associated with Ghost ransomware attacks, organizations are advised to implement regular system backups, patch known vulnerabilities, segment networks to restrict lateral movement, enforce multi-factor authentication, enhance email security, monitor for unauthorized PowerShell use, identify and investigate abnormal network activity, and disable unused services and ports.
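One way to act on the monitoring advice above is to correlate the account-manipulation behaviour described earlier (new accounts, password changes) with PowerShell activity on the same host. The script below is an added illustration, not part of the advisory or the article; the event records are constructed, and the host names, account names and 60-minute window are assumptions.

```python
"""Correlate constructed Windows event records to flag the sequence the
advisory describes: account creation or password reset on a host followed
shortly by PowerShell script block activity on the same host.
Event IDs are the standard Windows ones: 4720 (user account created),
4724 (password reset attempted), 4104 (PowerShell script block logged)."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, host, event_id, detail)
SAMPLE_EVENTS = [
    ("2025-01-10T02:14:05", "WEB01", 4720, "svc_backup2"),
    ("2025-01-10T02:15:30", "WEB01", 4724, "Administrator"),
    ("2025-01-10T02:21:11", "WEB01", 4104, "<script block text>"),
    ("2025-01-10T09:00:00", "FS02", 4104, "Get-ChildItem C:\\Logs"),
    ("2025-01-11T14:02:00", "FS02", 4720, "jdoe"),
]

ACCOUNT_EVENTS = {4720, 4724}   # account created / password reset
POWERSHELL_EVENT = 4104         # script block logging


def correlate(events, window_minutes=60):
    """Return (host, trigger_detail, powershell_detail) tuples for every
    account event that is followed, on the same host and within
    window_minutes, by a PowerShell script block event."""
    window = timedelta(minutes=window_minutes)
    parsed = sorted(
        (datetime.fromisoformat(ts), host, eid, detail)
        for ts, host, eid, detail in events
    )
    hits = []
    for i, (t0, host, eid, detail) in enumerate(parsed):
        if eid not in ACCOUNT_EVENTS:
            continue
        for t1, h1, e1, d1 in parsed[i + 1:]:
            if t1 - t0 > window:      # sorted, so nothing later can match
                break
            if h1 == host and e1 == POWERSHELL_EVENT:
                hits.append((host, detail, d1))
                break
    return hits


if __name__ == "__main__":
    for host, trigger, block in correlate(SAMPLE_EVENTS):
        print(f"review {host}: account event for {trigger!r} then PowerShell {block!r}")
```

The sample data produces two findings on WEB01 and none on FS02, where the PowerShell activity precedes the account creation by more than a day.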

In conclusion, Ghost ransomware remains a persistent threat, and organizations worldwide can significantly reduce the likelihood of falling victim by implementing recommended security measures. The FBI, CISA, and MS-ISAC continue to monitor Ghost’s activities and urge organizations to stay vigilant against evolving ransomware threats.
