
CISA, FBI Warn of China-Linked Ghost Ransomware Attacks

CISA and the FBI warn organizations of attacks employing the Ghost (Cring) ransomware, operated by Chinese hackers.

The US cybersecurity agency CISA and the FBI have issued a joint alert on a Chinese ransomware operation named Ghost that has hit organizations in over 70 countries.

Also known as Cring, the ransomware family has been observed in attacks since 2021, targeting organizations across critical infrastructure, education, government, manufacturing, and technology sectors, as well as religious institutions.

“Ghost actors, located in China, conduct these widespread attacks for financial gain,” CISA and the FBI note in the joint advisory.

The two agencies warn that the ransomware group often rotates its payloads, changes the extensions appended to the encrypted files, and relies on multiple ransom email addresses, which has made attribution difficult.

“Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe,” the advisory reads.

The Ghost ransomware group, CISA and the FBI note, exploits known vulnerabilities in internet-accessible appliances and services for initial access, and deploys a web shell, a Cobalt Strike beacon, and open source tools for privilege escalation and lateral movement before deploying and executing file-encrypting ransomware.

The group has been observed exploiting security defects in Fortinet FortiOS (CVE-2018-13379), Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604) and Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 – collectively called ProxyShell).

Usually moving from initial access to ransomware deployment within days, the Ghost hackers do not focus on achieving persistence, although they have been observed creating new accounts and changing the passwords for existing ones.


The ransomware gang was also seen harvesting passwords and password hashes, disabling antivirus software such as Windows Defender, and relying on Cobalt Strike and open source tools for domain and network discovery.

After gaining elevated privileges, the attackers would use Windows Management Instrumentation Command-Line (WMIC) to run PowerShell commands on other systems on the network and move laterally.

“In cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack on a victim,” CISA and the FBI say.

Although the group has claimed to steal files for extortion purposes, it does not frequently exfiltrate large amounts of data, the joint advisory reveals.

Before encrypting the victim’s data, the Ghost gang clears Windows Event logs, deletes volume shadow copies, and disables the Volume Shadow Copy service to prevent data recovery.
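The lateral-movement and pre-encryption behaviours described above (WMIC launching PowerShell on other hosts, shadow copy deletion, disabling the shadow copy service, event log clearing, Defender tampering) all surface in process-creation telemetry, which is where a SOC can hunt for them. The following detector is an added example for this article, not code from SecurityWeek or from the CISA/FBI advisory. The JSON-lines records are constructed, the hostnames and user names are fictional, and the specific command-line patterns the rules look for (`vssadmin delete shadows`, `wmic shadowcopy delete`, `sc config vss start= disabled`, `wevtutil cl`, `Set-MpPreference -DisableRealtimeMonitoring`) are assumptions about how those behaviours commonly appear, not patterns quoted from the advisory.

```python
"""Toy hunt over process-creation records (Sysmon Event ID 1 / Security 4688 style)
for the Ghost/Cring post-exploitation behaviours summarised in the article:
WMIC-launched PowerShell on remote hosts, shadow copy deletion, VSS service
disabling, event log clearing and Windows Defender tampering.
Added example; input records are constructed and hosts/users are fictional."""
import json
import re
from collections import defaultdict

# Constructed sample telemetry (JSON lines). Hosts, users and paths are fictional.
SAMPLE_LOG = r"""
{"host": "WS-017", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe report.txt"}
{"host": "WS-017", "user": "CORP\\svc_admin", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic /node:FS-02 /user:CORP\\svc_admin process call create \"powershell.exe -nop -c hostname\""}
{"host": "FS-02", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"}
{"host": "FS-02", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc config vss start= disabled"}
{"host": "FS-02", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\wevtutil.exe", "cmdline": "wevtutil cl Security"}
{"host": "FS-02", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"}
{"host": "WS-031", "user": "CORP\\bob", "image": "C:\\Windows\\System32\\wevtutil.exe", "cmdline": "wevtutil qe Application /c:5"}
"""

# Command-line patterns are assumptions about how each behaviour commonly appears.
RULES = {
    "wmic_remote_powershell": re.compile(
        r"\bwmic(\.exe)?\b.*/node:\S+.*\bprocess\s+call\s+create\b.*powershell", re.I),
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "vss_service_disable": re.compile(r"\bsc(\.exe)?\s+config\s+vss\s+start=\s*disabled\b", re.I),
    "eventlog_clear": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I),
    "defender_disable": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true\b", re.I),
}
NODE_RE = re.compile(r'/node:"?([^\s"]+)', re.I)  # remote target of a WMIC call

RECOVERY_INHIBIT = {"shadow_copy_deletion", "vss_service_disable"}
EVASION = {"eventlog_clear", "defender_disable"}


def parse_events(text):
    """Parse JSON-lines process-creation records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_rules(event):
    """Names of every rule whose pattern hits the event's command line."""
    cmd = event.get("cmdline", "")
    return [name for name, pat in RULES.items() if pat.search(cmd)]


def detect(events):
    """One hit dict per (event, rule) pair; WMIC hits also carry the /node: target."""
    hits = []
    for ev in events:
        for rule in match_rules(ev):
            m = NODE_RE.search(ev["cmdline"]) if rule == "wmic_remote_powershell" else None
            hits.append({"host": ev["host"], "user": ev["user"], "rule": rule,
                         "target": m.group(1) if m else None, "cmdline": ev["cmdline"]})
    return hits


def triage_hosts(hits):
    """Per-host verdict: recovery inhibition together with log clearing or
    Defender tampering is the pre-encryption staging the article describes,
    so it outranks any single hit."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].add(h["rule"])
    verdicts = {}
    for host, rules in by_host.items():
        if rules & RECOVERY_INHIBIT and rules & EVASION:
            verdicts[host] = "critical: likely pre-encryption staging"
        elif rules & RECOVERY_INHIBIT or "wmic_remote_powershell" in rules:
            verdicts[host] = "high: recovery inhibition or WMIC remote PowerShell launch"
        else:
            verdicts[host] = "review: single evasion indicator"
    return verdicts


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for h in found:
        tgt = f" -> {h['target']}" if h["target"] else ""
        print(f"[{h['rule']}] {h['host']}{tgt} {h['user']}: {h['cmdline']}")
    for host, verdict in triage_hosts(found).items():
        print(f"{host}: {verdict}")
```

Feed it real 4688 or Sysmon records converted to the same JSON shape and the per-host triage will surface a file server that deletes its shadow copies and clears the Security log in the same window as a workstation that launched PowerShell on it via WMIC, which is the sequence the advisory attributes to Ghost. The rules are deliberately narrow to keep false positives low; a backup product legitimately calling `vssadmin` will still show up, so the "high" tier is a prompt for review, not an automatic block.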

“Data encrypted with Ghost ransomware variants cannot be recovered without the decryption key. Ghost actors hold the encrypted data for ransom and typically demand anywhere from tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software,” CISA and the FBI say.

Related: Chinese Cyberspy Possibly Launching Ransomware Attacks as Side Job

Related: Authorities Disrupt 8Base Ransomware, Arrest Four Russian Operators

Related: Ransomware Payments Dropped to $813 Million in 2024

Related: Ransomware Groups Abuse Microsoft Services for Initial Access

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
