Ghost Ransomware Strikes 70+ Organizations, CISA & FBI Issue Warning

In a joint cybersecurity advisory released in February 2025, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) revealed that the Ghost ransomware group has targeted over 70 organizations globally.

The advisory highlights the group’s exploitation of unpatched software vulnerabilities to infiltrate systems and deploy ransomware, causing widespread disruption across critical sectors.

Attackers Exploit Software Vulnerabilities

The Ghost ransomware group, also known by aliases such as Cring, Crypt3r, and Phantom, has been active since early 2021.

The attackers are believed to operate from China and primarily seek financial gain.

Their victims span multiple industries, including healthcare, education, manufacturing, government networks, and small-to-medium-sized businesses.

Notably, critical infrastructure entities have also been affected.

Attack Methodology

Ghost actors exploit publicly known vulnerabilities in outdated software and firmware.

Key vulnerabilities include CVE-2018-13379 (Fortinet FortiOS), CVE-2010-2861 (Adobe ColdFusion), and CVE-2021-34473 (Microsoft Exchange ProxyShell).

Once inside a network, they use advanced tools such as Cobalt Strike for lateral movement and privilege escalation.

The group has been observed deploying ransomware variants like Cring.exe and Ghost.exe, which encrypt files and demand ransom payments ranging from tens to hundreds of thousands of dollars in cryptocurrency.

The attackers rotate file extensions for encrypted data, modify ransom notes, and use multiple email addresses to evade detection.

Despite claims of exfiltrating data for sale, evidence suggests that data theft is limited in scope.

To counter Ghost ransomware attacks, the advisory recommends organizations implement robust cybersecurity practices:

  • Regular Backups: Maintain offline backups to ensure data recovery without paying ransoms.
  • Patch Management: Apply security updates promptly to address known vulnerabilities.
  • Network Segmentation: Limit lateral movement within networks by isolating infected devices.
  • Phishing-Resistant MFA: Enforce multi-factor authentication for privileged accounts.
  • Monitoring Tools: Detect unusual network activity indicative of ransomware operations.

Additionally, organizations are urged to restrict unused ports like RDP (3389) and SMB (445) and enhance email security through filtering and anti-spoofing protocols.
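Because Ghost actors rotate the file extension they append to encrypted data, a detection that looks for one fixed extension misses the next intrusion. The monitoring recommendation above is better served by a behavioral rule: one process renaming many files to the same new, unexpected extension within a short window. The script below is an added example written for this article; it is not code from the advisory or from Cyber Press. The log line format, the process names, the `.locked`/`.zzz` extensions and the allowlist of benign extensions are all constructed for illustration.

```python
"""Behavioral detector for ransomware-style mass renames.

Added example, not from the CISA/FBI/MS-ISAC advisory. Reads file-event
lines of the assumed form:
    <ISO timestamp> <process> <WRITE|RENAME> <path> [<new_path>]
and alerts when one process renames >= THRESHOLD files to the same
non-allowlisted extension inside a sliding WINDOW, regardless of what that
extension is (so rotating extensions do not evade it).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Iterable
import os

WINDOW = timedelta(seconds=60)   # sliding window per (process, extension); assumed tuning
THRESHOLD = 5                    # renames within WINDOW before alerting; assumed tuning

# Extensions a legitimate job may legitimately produce in bulk (assumed allowlist).
BENIGN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".tmp", ".bak", ".zip", ".jpg"}


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    process: str
    action: str              # "WRITE" or "RENAME"
    path: str
    new_path: Optional[str]  # only set for RENAME


def parse_event(line: str) -> FileEvent:
    """Parse one constructed telemetry line into a FileEvent."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    process, action, path = parts[1], parts[2], parts[3]
    new_path = parts[4] if action == "RENAME" else None
    return FileEvent(ts, process, action, path, new_path)


def _extension(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect_extension_bursts(lines: Iterable[str],
                            window: timedelta = WINDOW,
                            threshold: int = THRESHOLD) -> list:
    """Return one alert dict per (process, extension) pair that bursts."""
    recent = defaultdict(deque)   # (process, new_ext) -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.action != "RENAME":
            continue
        new_ext = _extension(ev.new_path)
        # Ignore renames that keep the extension or produce an allowlisted one.
        if new_ext == _extension(ev.path) or new_ext in BENIGN_EXTENSIONS:
            continue
        key = (ev.process, new_ext)
        dq = recent[key]
        dq.append(ev.ts)
        while dq and ev.ts - dq[0] > window:   # slide the window forward
            dq.popleft()
        if len(dq) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "process": ev.process,
                "extension": new_ext,
                "count": len(dq),
                "first_seen": dq[0],
                "last_seen": ev.ts,
                "sample_path": ev.new_path,
            })
    return alerts


# Constructed sample telemetry (not real data). backup.exe bulk-renames to an
# allowlisted extension, user.exe does a single rename, encryptor.exe renames
# six files to .locked in six seconds, slow.exe renames five files over 150s.
SAMPLE_LOG = """\
2025-02-19T10:00:01 winword.exe WRITE /share/finance/q1.docx
2025-02-19T10:00:02 backup.exe RENAME /share/finance/old1.xlsx /share/finance/old1.xlsx.bak
2025-02-19T10:00:03 backup.exe RENAME /share/finance/old2.xlsx /share/finance/old2.xlsx.bak
2025-02-19T10:00:04 backup.exe RENAME /share/finance/old3.xlsx /share/finance/old3.xlsx.bak
2025-02-19T10:00:05 backup.exe RENAME /share/finance/old4.xlsx /share/finance/old4.xlsx.bak
2025-02-19T10:00:06 backup.exe RENAME /share/finance/old5.xlsx /share/finance/old5.xlsx.bak
2025-02-19T10:01:00 user.exe RENAME /share/hr/one.pdf /share/hr/one.pdf.enc
2025-02-19T10:02:00 encryptor.exe WRITE /share/hr/payroll.xlsx
2025-02-19T10:02:01 encryptor.exe RENAME /share/hr/payroll.xlsx /share/hr/payroll.xlsx.locked
2025-02-19T10:02:02 encryptor.exe RENAME /share/hr/contracts.docx /share/hr/contracts.docx.locked
2025-02-19T10:02:03 encryptor.exe RENAME /share/hr/photo.jpg /share/hr/photo.jpg.locked
2025-02-19T10:02:04 encryptor.exe RENAME /share/hr/plan.pdf /share/hr/plan.pdf.locked
2025-02-19T10:02:05 encryptor.exe RENAME /share/hr/notes.txt /share/hr/notes.txt.locked
2025-02-19T10:02:06 encryptor.exe RENAME /share/hr/budget.xlsx /share/hr/budget.xlsx.locked
2025-02-19T10:05:00 slow.exe RENAME /share/it/a.txt /share/it/a.txt.zzz
2025-02-19T10:05:30 slow.exe RENAME /share/it/b.txt /share/it/b.txt.zzz
2025-02-19T10:06:10 slow.exe RENAME /share/it/c.txt /share/it/c.txt.zzz
2025-02-19T10:06:50 slow.exe RENAME /share/it/d.txt /share/it/d.txt.zzz
2025-02-19T10:07:30 slow.exe RENAME /share/it/e.txt /share/it/e.txt.zzz
"""

if __name__ == "__main__":
    for alert in detect_extension_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, only `encryptor.exe` trips the rule: the backup job is allowlisted, the single `.enc` rename is below the threshold, and the slow renames never put five events inside one 60-second window. The allowlist and threshold are the tuning knobs; in a real deployment the allowlist is built from what the fleet's backup and archiving jobs actually produce, and the window is sized to the sensor's event rate.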

The advisory underscores the importance of proactive cybersecurity measures as ransomware groups continue to evolve their tactics.

Ghost actors have demonstrated agility by leveraging open-source tools for privilege escalation and defense evasion.

Their reliance on encrypted communication platforms such as ProtonMail further complicates incident response efforts.

CISA, FBI, and MS-ISAC strongly discourage ransom payments, emphasizing that paying does not guarantee data recovery and may incentivize further attacks.

Victims are encouraged to report incidents to federal authorities for coordinated response efforts.

As ransomware threats grow increasingly sophisticated, this advisory serves as a stark reminder for organizations to prioritize cybersecurity resilience through vigilance and preparedness.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
