The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have jointly issued an advisory about the growing threat of Ghost ransomware, also known as Cring, which has impacted over 70 organizations worldwide since its inception in 2021. These organizations span critical sectors such as healthcare, government, education, and private enterprises, with the attacks being indiscriminate and largely targeting those that fail to apply security patches. The advisory highlights the group’s sophisticated tactics, with the Ghost actors believed to be operating out of China, using advanced techniques to exploit publicly known vulnerabilities in outdated software and firmware, including CVE-2018-13379 (Fortinet FortiOS), CVE-2010-2861 (Adobe ColdFusion), and ProxyShell flaws affecting Microsoft Exchange.
Once the actors gain access to a network, they deploy ransomware payloads such as Cring.exe, Ghost.exe, and Locker.exe, which encrypt critical data. The attackers demand cryptocurrency payments ranging from tens to hundreds of thousands of dollars in exchange for decryption. While the ransomware group claims to exfiltrate sensitive data for potential sale, most investigations have found limited instances of data theft. Ghost ransomware actors employ tools like Cobalt Strike Beacon for command-and-control operations, use privilege escalation techniques such as SharpZeroLogon and BadPotato, and disable antivirus software to evade detection, complicating attribution efforts.
To increase the complexity of their attacks, the group frequently rotates file extensions for encrypted files and alters ransom notes, making it more difficult to track the actors.
Victims are typically contacted through encrypted communication channels like ProtonMail, Tutanota, or TOX IDs embedded in the ransom notes. In response to the growing threat, CISA and the FBI recommend that organizations strengthen their cybersecurity by applying software and firmware patches, implementing network segmentation, and enforcing multi-factor authentication for privileged accounts. Additionally, they advise maintaining offline backups of critical data and monitoring the unauthorized use of administrative tools, particularly PowerShell.
The advisory underscores the urgency of enhancing cybersecurity resilience to defend against such attacks, especially given the potential for Ghost ransomware to disrupt critical infrastructure. CISA and the FBI also emphasize that paying ransoms does not guarantee data recovery and could further incentivize criminal activity. The federal agencies continue to encourage organizations to adopt robust cybersecurity practices, validate security controls through the MITRE ATT&CK framework, and report ransomware incidents to authorities in order to mitigate the risk posed by the evolving ransomware threat landscape.
