The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC), published on Wednesday a joint Cybersecurity Advisory addressing Ghost (Cring) ransomware. The advisory provides network defenders with indicators of compromise (IOCs), tactics, techniques and procedures (TTPs), and detection methods associated with Ghost ransomware activity identified through FBI investigations.
These Ghost ransomware hackers conduct widespread attacks targeting and compromising organizations with outdated versions of software and firmware on their internet-facing services. These malicious ransomware actors are known to use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) where available patches have not been applied to gain access to internet-facing servers.
“Beginning early 2021, Ghost actors began attacking victims whose internet-facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China,” the advisory detailed. “Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.”
Ghost hackers rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks include Cring[dot]exe, Ghost[dot]exe, ElysiumO[dot]exe, and Locker[dot]exe.
Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet-facing servers. Ghost actors exploit known vulnerabilities and target networks where available patches have not been applied.
The FBI has observed Ghost ransomware hackers obtaining initial access to networks by exploiting public-facing applications that are associated with multiple CVEs. Their methodology includes leveraging vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, commonly referred to as the ProxyShell attack chain).
Ghost actors have been observed uploading a web shell to a compromised server and leveraging Windows Command Prompt and/or PowerShell to download and execute Cobalt Strike Beacon malware that is then implanted on the victim systems. Despite Ghost actors’ malicious implementation, Cobalt Strike is a commercially available adversary simulation tool often used to test an organization’s security controls.
Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks. In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day. However, Ghost actors sporadically create new local and domain accounts and change passwords for existing accounts. In 2024, Ghost actors were observed deploying web shells on victim web servers.
Besides relying on built-in Cobalt Strike functions to steal process tokens, Ghost actors have been observed using multiple open-source tools in an attempt at privilege escalation through exploitation, such as ‘SharpZeroLogon,’ ‘SharpGPPPass,’ ‘BadPotato,’ and ‘GodPotato.’ These privilege escalation tools would not generally be used by individuals with legitimate access and credentials.
The advisory revealed that the Ghost ransomware hackers use the built-in Cobalt Strike function ‘hashdump’ or Mimikatz to collect passwords and/or password hashes to aid them with unauthorized logins and privilege escalation or to pivot to other victim devices. “Ghost actors used their access through Cobalt Strike to display a list of running processes to determine which antivirus software is running so that it can be disabled. Ghost frequently runs a command to disable Windows Defender on network-connected devices.”
Ghost ransom notes often claim exfiltrated data will be sold if a ransom is not paid. However, Ghost actors do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information (PII), that would cause significant harm to victims if leaked. The FBI has observed limited downloading of data to Cobalt Strike Team Servers. Victims and other trusted third parties have reported limited uses of Mega[dot]nz and installed web shells for similar limited data exfiltration.
These Ghost ransomware hackers rely heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command and control (C2) operations, which function using hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS). Ghost rarely registers domains associated with their C2 servers. Instead, connections made to a uniform resource identifier (URI) of a C2 server, to download and execute Beacon malware, directly reference the C2 server’s IP address.
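One detection check that follows from this observation, added here as an illustrative example and not code from the advisory: it scans outbound proxy log lines (constructed, in an assumed simplified format) and flags HTTP/HTTPS requests whose host is a bare IP literal outside assumed internal ranges, which is how the advisory describes Beacon being fetched from C2 servers.

```python
"""Flag outbound web requests whose destination host is an IP literal.

Added example (not from the advisory). The log format, sample lines and the
list of internal ranges are assumptions; adapt them to your proxy's format.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample proxy log: "<timestamp> <client> <method> <url-or-host:port> <status>"
SAMPLE_LOG = """\
2025-02-19T10:01:02Z 10.0.5.21 GET http://www.example.com/index.html 200
2025-02-19T10:01:09Z 10.0.5.21 GET http://203.0.113.45/download/beacon 200
2025-02-19T10:02:30Z 10.0.5.22 POST https://198.51.100.7:8443/submit.php 200
2025-02-19T10:03:11Z 10.0.5.23 GET http://10.0.0.5/intranet/ 200
2025-02-19T10:04:40Z 10.0.5.24 CONNECT mail.example.org:443 200
"""

# Assumed internal ranges (RFC 1918, loopback, link-local); tune to your environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def host_is_external_ip(host: str) -> bool:
    """True when host parses as an IP address that is not in INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return not any(addr in net for net in INTERNAL_NETS)


def parse_host(target: str) -> str:
    """Extract the host from a full URL or a CONNECT-style host:port target."""
    parts = urlsplit(target if "://" in target else "//" + target)
    return parts.hostname or ""


def find_ip_literal_requests(log_text: str) -> list:
    """Return (client, method, target) tuples for requests to external IP-literal hosts."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the sweep
        _, client, method, target, _ = fields[:5]
        if host_is_external_ip(parse_host(target)):
            hits.append((client, method, target))
    return hits


if __name__ == "__main__":
    for client, method, target in find_ip_literal_requests(SAMPLE_LOG):
        print(f"ALERT client={client} {method} {target}")
```

Legitimate software updaters and CDNs occasionally use IP literals too, so treat hits as triage leads to correlate with the PowerShell and process monitoring the advisory recommends.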
The advisory identified that the impact of Ghost ransomware activity varies widely on a victim-to-victim basis. Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral movement to other devices.
Roger Grimes, data-driven defense evangelist at KnowBe4, identified a few new surprises in the latest advisory. “One is that the ransomware groups move from initial compromise to deployment of ransomware very quickly, often on the same day. This is quite different from traditional ransomware groups that may have days, weeks, or even months from the initial access gained to the deployment of the ransomware. Second, the frequent use of Cobalt Strike. I see the use of Cobalt Strike by ransomware groups as fairly common. If you’re not looking for and detecting Cobalt Strike instances, you’re just asking for trouble.”
Last, Grimes added in his written statement that unpatched software and firmware (and zero-days) are involved in at least a third of successful compromises. “Every organization has a patching process, but most don’t get it perfect, and if one-third of all successful compromises involved finding and exploiting vulnerable software and firmware, it really should be a primary focus for all organizations. You can’t just make it one of the many things you do out of hundreds of things you do. It has to be something you focus on and dedicate significant resources to (as you also need to do to mitigate social engineering). Because if you don’t, you’ll miss something and become the next ransomware victim.”
The FBI, CISA, and MS-ISAC recommend organizations implement mitigations to improve cybersecurity posture based on the Ghost ransomware activity. These mitigations align with the cross-sector cybersecurity performance goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend for organizations to implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs.
Organizations must maintain regular system backups that are known-good and stored offline or are segmented from source systems; patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe; segment networks to restrict lateral movement from the initial infected devices and other devices in the same organization; require phishing-resistant MFA for access to privileged accounts and email services accounts; and train users to recognize phishing attempts.
They must also monitor for unauthorized use of PowerShell; implement allowlisting for applications, scripts, and network traffic to prevent unauthorized execution and access; identify, alert on, and investigate abnormal network activity; limit exposure of services by disabling unused ports; and enhance email security by implementing advanced filtering, blocking malicious attachments, and enabling DMARC, DKIM, and SPF to prevent spoofing.