CISA has issued a warning over the threat posed by the Ghost ransomware gang, which has been targeting vulnerable internet-facing services around the world for at least four years.
The agency released an advisory highlighting the group’s TTPs that were discovered through FBI investigations as recently as January 2025.
It stated that since early 2021, the group has been attacking entities whose internet-facing services were running outdated software and firmware. Since then it has been responsible for compromising organizations in across more than 70 countries.
“Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses,” the advisory warned.
The group is believed to be based in China, but CISA noted that because the group deploys a broad range of TTPs, this has led to varying attribution of its attacks.
Notably, among the 70 countries in which the group launched its attacks it has been recorded targeting countries in China as well.
The security agency said the group frequently rotates its ransomware payloads, file extensions for encrypted files, ransom email addresses, and the text in its ransom notes.
This diverse range of tactics has led to a wide number of names being attached to the group including, Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.
Some of these names come from the names of the ransomware files deployed by the group, such as Cring.exe and Ghost.exe.
The Ghost ransomware group is highly effective
The FBI observed the group exploiting a series of CVEs in public-facing applications to gain initial access on their target’s networks.
Ghost threat actors have been tracked targeting a FortiOS path traversal flaw (CVE-2018-13379), two vulnerabilities in Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960, and a weakness in Microsoft Sharepoint (CVE-2019-0604).
The threat group was also observed exploiting a series of flaws affecting Microsoft Exchange, commonly known as the ProxyShell attack chain (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
Once inside, they are typically found to upload a web shell to a compromised server and download Cobalt Strike Beacon malware that can be used in a number of different ways such as command execution, key logging, file transfer, privilege escalation, defense evasion, and lateral movement.
For example, the group has often used the Cobalt Strike functions to steal process tokens to impersonate the SYSTEM user in order to re-run the Beacon with escalated privileges.
CISA noted that the Ghost outfit is not particularly focused on persistence and usually only remains on the network for a few days – often moving from initial access to dropping their ransomware within the same day.
RELATED WHITEPAPER
The advisory includes all the group’s IOCs, TTPS, ransom email addresses, ransom note, as well as a list of mitigation steps businesses can take to avoid compromise.
These include maintaining regular system backups, patching known vulnerabilities in internet-facing appliances, network segmentation to restrict lateral movement, monitoring for unauthorized PowerShell use, and disabling unused ports to limit the exposure of services.
MORE FROM ITPRO
- The ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry
- The new ransomware groups worrying security researchers in 2025
- Why ‘malware as a service’ is becoming a serious problem
-
The Race Is On for Higher Ed to Adapt: Equity in Hyflex Learning -
Google faces 'first of its kind' class action for search ads overcharging in UKNews Google faces a "first of its kind" £5 billion lawsuit in the UK over accusations it has a monopoly in digital advertising that allows it to overcharge customers.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field dayNews February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
The Zservers takedown is another big win for law enforcementNews LockBit has been dealt another blow by law enforcement after Dutch police took 127 of its servers offline
-
There’s a new ransomware player on the scene: the ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry – and researchers warn it’s only going to get worse for potential victimsNews Security experts have warned the BlackLock group could become the most active ransomware operator in 2025
