FBI and CISA Issue Alert on Recent Ghost/Cring Ransomware Activity
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert warning of recent ransomware activity by the group known as Ghost, also referred to as Cring. According to the advisory released on Wednesday, the group has been actively exploiting vulnerabilities in software and firmware as recently as January.
Operating from China, Ghost primarily targets internet-facing services with unpatched security flaws—many of which have had available fixes for years. Cybersecurity researchers first identified the group in 2021, and its indiscriminate attacks have compromised organizations in more than 70 countries, including some within China, according to the alert issued in collaboration with the Multi-State Information Sharing and Analysis Center (MS-ISAC).
The flaws exploited by Ghost include those in unpatched Fortinet security appliances, Adobe ColdFusion servers used for web applications, and Microsoft Exchange servers still vulnerable to the ProxyShell attack chain.
Since its emergence in 2021, Ghost has targeted a wide range of victims, including critical infrastructure, educational institutions, healthcare organizations, government networks, religious institutions, technology firms, manufacturing companies, and numerous small- and medium-sized businesses. The group’s primary motive is financial gain, with ransom demands sometimes reaching hundreds of thousands of dollars.
Ghost actors do not focus on maintaining long-term access to compromised networks. Instead, they typically operate within a short timeframe, often deploying ransomware within a single day of gaining initial access.
Utilizing widely known hacking tools such as Cobalt Strike and Mimikatz, the group deploys ransomware under filenames like Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.
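The alert's ransomware filenames are a simple signal a defender can hunt for in process-creation telemetry. The following is an added example, not code from the advisory or from FBI/CISA: it scans constructed, Sysmon-style process-creation lines (the log format, hostnames and paths are assumptions made up for the example) and flags any whose image basename matches one of the four names above, ignoring case and path so that a binary dropped anywhere on disk is still caught.

```python
"""Added example (not from the FBI/CISA advisory): flag process-creation
log lines whose image basename matches the ransomware filenames the alert
lists. Log format, hosts and paths below are constructed for illustration."""
import ntpath
import re
from typing import Dict, Iterable, List, Optional

# Filenames named in the alert. Compared case-insensitively on the basename
# only, because the binaries may be dropped under any directory.
GHOST_PAYLOAD_NAMES = frozenset(
    n.lower() for n in ("Cring.exe", "Ghost.exe", "ElysiumO.exe", "Locker.exe")
)

# Constructed Sysmon-style (EventID 1) lines: sample data, not real telemetry.
SAMPLE_LOG_LINES = [
    'EventID=1 Host=WS01 Image="C:\\Windows\\System32\\svchost.exe" User=SYSTEM',
    'EventID=1 Host=WS01 Image="C:\\Users\\Public\\cring.exe" User=CORP\\jdoe',
    'EventID=1 Host=FS02 Image="C:\\Program Files\\App\\Ghost.exe" User=CORP\\admin',
    'EventID=1 Host=FS02 Image="D:\\temp\\locker.exe.txt" User=CORP\\admin',  # not a match
    'EventID=1 Host=DC01 Image="C:\\Windows\\Temp\\ElysiumO.exe" User=SYSTEM',
]

_IMAGE_RE = re.compile(r'Image="([^"]+)"')
_HOST_RE = re.compile(r"Host=(\S+)")


def is_ghost_payload_name(path: str) -> bool:
    """True if the file's basename (Windows or POSIX separators) is one of
    the filenames listed in the alert, regardless of case or directory."""
    return ntpath.basename(path).lower() in GHOST_PAYLOAD_NAMES


def extract_image(line: str) -> Optional[str]:
    """Pull the quoted Image= value out of a log line, or None if absent."""
    m = _IMAGE_RE.search(line)
    return m.group(1) if m else None


def find_ghost_payload_hits(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per line whose image matches a listed filename.
    Each record carries the 1-based line number, host and full image path
    so an analyst can pivot to the endpoint."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        image = extract_image(line)
        if image is None or not is_ghost_payload_name(image):
            continue
        host = _HOST_RE.search(line)
        hits.append({
            "line": lineno,
            "host": host.group(1) if host else "",
            "image": image,
        })
    return hits


if __name__ == "__main__":
    for hit in find_ghost_payload_hits(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: host={hit['host']} image={hit['image']}")
```

A filename match is a low-fidelity indicator on its own: the names are trivially changed by the operator, so treat a hit as a trigger for triage (who launched it, from where, what it touched next) rather than as a verdict, and pair it with the patching and segmentation controls the alert recommends.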
The impact of Ghost ransomware varies among victims, with some experiencing significant disruptions. However, the alert notes that Ghost actors tend to abandon targets when they encounter robust security measures, such as proper network segmentation that prevents lateral movement within an organization’s systems.
Organizations are urged to apply all available patches, enhance network security, and implement strong segmentation strategies to mitigate the risk of Ghost ransomware attacks.