CISA and FBI Warn of Global Threat from Ghost Ransomware

Summary:
U.S. authorities have released an advisory detailing the activities of Ghost, a financially motivated ransomware group originating from China, which has compromised organizations across more than 70 countries. The FBI, CISA, and MS-ISAC issued the alert, providing new indicators of compromise and the tactics, techniques, and procedures observed in Ghost’s operations. Unlike most ransomware groups, which predominantly operate from former Soviet states, Ghost is notable for its Chinese origin, making it an outlier in the ransomware landscape. However, its attack strategies and methodologies remain consistent with those of other financially motivated ransomware groups.


Ghost gains initial access by exploiting known vulnerabilities in public-facing systems, including Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange. Once access is established, the group uploads web shells to compromised servers and executes malicious payloads using Windows Command Prompt and PowerShell. A key component of their attack chain is Cobalt Strike Beacon, which is deployed for remote access, lateral movement, and command-and-control communications. Unlike advanced persistent threat groups that maintain long-term access to victim networks, Ghost focuses on rapid execution, frequently moving from initial compromise to full ransomware deployment within a single day.
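The web-shell step described above leaves a characteristic trace: a web-server worker process spawning cmd.exe or PowerShell. The following detection logic, added here as an example and not taken from the advisory, runs that rule over constructed process-creation events; the field names, hostnames, and paths are assumptions for illustration.

```python
"""Flag command interpreters launched by web-server worker processes.

Event shape is a simplified, assumed Sysmon-style process-creation record.
"""
from pathlib import PureWindowsPath

# Parent processes that serve HTTP and have no business launching shells.
WEB_SERVER_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe"}
# Interpreters the advisory summary names as Ghost's payload execution path.
COMMAND_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample events; hosts, users and command lines are invented.
SAMPLE_EVENTS = [
    {"host": "web01", "user": r"IIS APPPOOL\DefaultAppPool",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"host": "ws42", "user": r"CORP\admin",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Service"},
    {"host": "web01", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"host": "web02", "user": "apache",
     "parent_image": r"C:\Apache24\bin\httpd.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": "pwsh.exe -c Get-ChildItem"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so casing never hides a match."""
    return PureWindowsPath(path).name.lower()


def is_webshell_spawn(event: dict) -> bool:
    """True when a web-server worker directly launches a command interpreter."""
    return (basename(event["parent_image"]) in WEB_SERVER_WORKERS
            and basename(event["image"]) in COMMAND_INTERPRETERS)


def find_webshell_spawns(events):
    """Return (host, parent, child, command_line) for every matching event."""
    return [(ev["host"], basename(ev["parent_image"]), basename(ev["image"]),
             ev["command_line"]) for ev in events if is_webshell_spawn(ev)]


if __name__ == "__main__":
    for hit in find_webshell_spawns(SAMPLE_EVENTS):
        print("ALERT possible web shell activity:", hit)
```

An interactive administrator running PowerShell from explorer.exe is deliberately not flagged; the rule keys on the parent, not the interpreter alone.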


Ghost utilizes Cobalt Strike and a variety of open-source tools for privilege escalation, credential harvesting, domain account discovery, lateral movement, and evasion of security defenses. The group also leverages Cobalt Strike to identify and disable anti-malware solutions running on victim machines, reducing the likelihood of detection and response. Their approach prioritizes speed and efficiency, with minimal emphasis on maintaining persistent access within compromised networks.


Security Officer Comments:
Despite issuing ransom demands that threaten to sell stolen data, Ghost actors do not typically exfiltrate large amounts of information. Unlike some ransomware groups that focus on intellectual property theft or personally identifiable information (PII) exfiltration, Ghost appears more concerned with financial extortion rather than data-driven blackmail. The advisory underscores that while the group's origins are uncommon for ransomware operations, its tactics, tools, and execution methods remain aligned with the broader ransomware ecosystem, particularly in its reliance on exploiting known vulnerabilities and deploying Cobalt Strike for post-exploitation activities.


Suggested Corrections:
CISA urged organizations to mitigate the threat from Ghost by:
  • Regularly backing up and storing backups separately from source systems
  • Patching known vulnerabilities in a timely, risk-based manner, especially CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207
  • Segmenting networks to restrict lateral movement
  • Deploying phishing-resistant multi-factor authentication (MFA) for all privileged and email services accounts
Link(s):
https://www.infosecurity-magazine.com/news/cisa-fbi-warn-global-threat-ghost/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a