A Ghost ransomware group also referred to as Cring, has been actively exploiting vulnerabilities in software and firmware as recently as January 2025, according to an alert issued Wednesday by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).
Operating from China, Ghost has been targeting internet-facing services with unpatched security flaws—some of which could have been mitigated years ago. Cybersecurity researchers first detected the group’s activities in 2021, and their recent attacks continue to compromise organizations across more than 70 countries, including within China itself.
Scope of the Threat
The alert, released in collaboration with the Multi-State Information Sharing and Analysis Center (MS-ISAC), highlights Ghost’s focus on vulnerabilities in:
- Unpatched Fortinet security appliances
- Adobe ColdFusion web application servers
- Microsoft Exchange servers exposed to ProxyShell attack chain vulnerabilities
These vulnerabilities enable Ghost to breach systems, deploy ransomware, and demand financial payments from victims.
The FBI, CISA, and MS-ISAC emphasized that the group’s targets include critical infrastructure, healthcare facilities, educational institutions, government networks, religious organizations, technology firms, manufacturing companies, and small- to medium-sized businesses.
Ghost Ransomware: Tactics, Techniques, and Procedures (TTPs)
Ghost actors have developed various strategies to evade detection and complicate attribution. They frequently rotate their ransomware executable payloads, modify ransom note texts, switch file extensions for encrypted files, and use multiple ransom email addresses.
As a result, cybersecurity experts have associated different names with the group over time, including Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.
Exploitation and Attack Methods
Ghost ransomware actors rely on publicly available code to exploit well-known Common Vulnerabilities and Exposures (CVEs), often in systems where patches have not been applied. Some of the vulnerabilities they have actively exploited include:
- Fortinet FortiOS (CVE-2018-13379)
- Adobe ColdFusion (CVE-2010-2861, CVE-2009-3960)
- Microsoft SharePoint (CVE-2019-0604)
- Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) – ProxyShell attack chain vulnerabilities
Upon gaining access, Ghost actors deploy malicious tools such as Cobalt Strike Beacon malware to implant themselves within victim networks. They often upload web shells to compromised servers, leveraging Windows Command Prompt and PowerShell to execute further attacks.
Persistence and Privilege Escalation
While Ghost actors typically only spend a few days within a victim’s network before deploying ransomware, they have been observed creating new local and domain accounts, modifying existing account passwords, and deploying additional web shells.
To escalate privileges, they exploit weaknesses in system configurations and use publicly available tools like SharpZeroLogon, SharpGPPPass, BadPotato, and GodPotato. By impersonating the SYSTEM user, they can run their malicious software with elevated privileges, allowing them to cause maximum disruption.
Impact and Financial Motivation
Ghost’s primary goal is financial gain. Ransom demands have varied widely, sometimes reaching hundreds of thousands of dollars. However, Ghost actors tend to abandon attempts when faced with hardened security systems that restrict lateral movement across networks.
The impact of Ghost ransomware attacks differs on a case-by-case basis. While some organizations experience data encryption and operational disruptions, others with robust backup and recovery solutions have managed to restore operations without paying a ransom.
Recommended Mitigations
The FBI, CISA, and MS-ISAC strongly urge organizations to take the following steps to mitigate the risks associated with Ghost ransomware attacks:
1. Implement Regular System Backups
- Maintain known-good backups that are stored offline or segmented from source systems.
- Ensure that backup solutions cannot be altered or encrypted by potentially compromised network devices.
2. Patch Known Vulnerabilities
- Apply timely security updates to operating systems, software, and firmware.
- Prioritize patching vulnerabilities actively exploited by Ghost:
- CVE-2018-13379 (Fortinet FortiOS)
- CVE-2010-2861, CVE-2009-3960 (Adobe ColdFusion)
- CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 (Microsoft Exchange – ProxyShell)
3. Segment Networks to Restrict Lateral Movement
- Separate critical assets from less sensitive parts of the network.
- Limit access to essential services through securely configured VPNs or firewalls.
4. Enforce Multi-Factor Authentication (MFA)
- Require phishing-resistant MFA for privileged accounts and email services.
- Monitor for unauthorized changes to authentication mechanisms.
5. Enhance Email Security
- Deploy advanced email filtering to block phishing attempts.
- Implement DMARC, DKIM, and SPF to prevent email spoofing.
6. Monitor for Unauthorized PowerShell Use
- Ghost actors heavily rely on PowerShell for malicious operations.
- Restrict PowerShell access to only essential users.
- Implement PowerShell allowlisting for scripts and network traffic.
7. Identify and Investigate Abnormal Network Activity
- Watch for unusual commands, scripts, and network traffic patterns.
- Conduct regular scans to detect unauthorized account modifications.
8. Disable Unused Services and Ports
- Close unnecessary ports like RDP (3389), FTP (21), and SMB (445).
- Restrict the exposure of internal services to external networks.
Conclusion
Ghost ransomware remains a persistent threat to organizations worldwide, with attacks escalating as vulnerabilities in outdated software remain unpatched. By implementing the recommended security measures, organizations can significantly reduce the likelihood of falling victim to this financially motivated cybercriminal group.
The FBI, CISA, and MS-ISAC continue to monitor Ghost’s activities and urge organizations to stay vigilant, apply patches promptly, and bolster cybersecurity defenses against evolving ransomware threats.
