CISA has issued a warning over the threat posed by the Ghost ransomware gang, which has been targeting vulnerable internet-facing services around the world for at least four years.
The agency released an advisory highlighting the group’s TTPs that were discovered through FBI investigations as recently as January 2025.
It stated that since early 2021, the group has been attacking entities whose internet-facing services were running outdated software and firmware. Since then it has been responsible for compromising organizations in across more than 70 countries.
“Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses,” the advisory warned.
The group is believed to be based in China, but CISA noted that because the group deploys a broad range of TTPs, this has led to varying attribution of its attacks.
Notably, among the 70 countries in which the group launched its attacks it has been recorded targeting countries in China as well.
The security agency said the group frequently rotates its ransomware payloads, file extensions for encrypted files, ransom email addresses, and the text in its ransom notes.
This diverse range of tactics has led to a wide number of names being attached to the group including, Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.
Some of these names come from the names of the ransomware files deployed by the group, such as Cring.exe and Ghost.exe.
The Ghost ransomware group is highly effective
The FBI observed the group exploiting a series of CVEs in public-facing applications to gain initial access on their target’s networks.
Ghost threat actors have been tracked targeting a FortiOS path traversal flaw (CVE-2018-13379), two vulnerabilities in Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960, and a weakness in Microsoft Sharepoint (CVE-2019-0604).
The threat group was also observed exploiting a series of flaws affecting Microsoft Exchange, commonly known as the ProxyShell attack chain (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
Once inside, they are typically found to upload a web shell to a compromised server and download Cobalt Strike Beacon malware that can be used in a number of different ways such as command execution, key logging, file transfer, privilege escalation, defense evasion, and lateral movement.
For example, the group has often used the Cobalt Strike functions to steal process tokens to impersonate the SYSTEM user in order to re-run the Beacon with escalated privileges.
CISA noted that the Ghost outfit is not particularly focused on persistence and usually only remains on the network for a few days – often moving from initial access to dropping their ransomware within the same day.
The advisory includes all the group’s IOCs, TTPS, ransom email addresses, ransom note, as well as a list of mitigation steps businesses can take to avoid compromise.
These include maintaining regular system backups, patching known vulnerabilities in internet-facing appliances, network segmentation to restrict lateral movement, monitoring for unauthorized PowerShell use, and disabling unused ports to limit the exposure of services.
MORE FROM ITPRO
