Feds Sound Alarm About Ghost Ransomware Group
U.S. authorities have issued a warning about the China-based Ghost ransomware group, which has conducted ransomware attacks in around 70 countries across multiple industry sectors, including healthcare, education, religious institutions, technology, manufacturing, and government networks.
The group, also known as Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture, has been active since at least 2021, and its victims include many small- to medium-sized businesses. According to the joint cybersecurity alert from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the group conducts attacks indiscriminately, targeting low-hanging fruit – businesses with poorly secured Internet-facing servers.
The group uses publicly available exploits for multiple vulnerabilities, some of which date back to 2009. The group has exploited vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), Adobe ColdFusion servers (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, the ProxyShell chain). None of these is a zero-day; every one has had a vendor patch available for years, which is why the advisory stresses that basic patch hygiene removes the group's initial access route.
In contrast to many ransomware groups, Ghost actors prioritize speed and do not have a major focus on persistence, often deploying their ransomware payloads the same day that initial access is gained to a victim’s network. More recently, the group has been observed deploying web shells on victims’ web servers, creating new local and domain accounts, and changing passwords for existing accounts.
Cobalt Strike Beacon is used to enumerate running processes and installed antivirus software, which is then disabled; Windows Defender is routinely switched off on network-connected devices. Ghost actors use Cobalt Strike's token functions to steal the access token of a process running as SYSTEM, impersonate SYSTEM, and launch a second Beacon with those elevated privileges. They have also been observed using a range of open source privilege escalation tools that legitimate users would have no reason to run, for instance SharpZeroLogon, BadPotato, and GodPotato. Windows Management Instrumentation Command-Line (WMIC) is often used to run PowerShell commands on additional systems across the network. When lateral movement is not possible, the attack has simply been abandoned; the group does not tend to spend time attempting to breach hardened systems.
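The post-access behaviours described in the two paragraphs above (new local and domain accounts, password changes on existing accounts, Defender being disabled, and WMIC launching PowerShell on other hosts) all leave traces in the Windows Security log. The following triage script is an added example written for this page; it is not code from the advisory, the FBI/CISA, or HIPAA Journal. It runs over constructed sample records in a simplified shape (EventID plus a few fields) rather than real event XML, and the account names, host names, and command lines are invented. The event IDs are real: 4720 (user account created), 4724 (password reset attempt by another account), and 4688 (process creation, which only carries the command line if "Include command line in process creation events" is enabled in audit policy).

```python
import re

# Constructed sample records in the shape of Windows Security log events
# (EventID plus the subset of fields the real events carry). They are
# invented for this example and do not come from a real intrusion.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Host": "WEB01", "SubjectUserName": "svc_web",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:"FS01" process call create '
                    '"powershell -nop -w hidden -enc SQBFAFgA"'},
    {"EventID": 4720, "Host": "DC01", "SubjectUserName": "svc_web",
     "TargetUserName": "support2", "TargetDomainName": "CORP"},
    {"EventID": 4724, "Host": "DC01", "SubjectUserName": "svc_web",
     "TargetUserName": "backupadmin", "TargetDomainName": "CORP"},
    {"EventID": 4688, "Host": "FS01", "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 4688, "Host": "WS07", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]

# WMIC targeting another host (/node:) and spawning PowerShell there.
WMIC_REMOTE_PS = re.compile(
    r'/node:"?(?P<node>[^"\s]+)"?.*process\s+call\s+create.*powershell', re.I)
# Defender switched off via Set-MpPreference -Disable* or the WinDefend service.
DEFENDER_OFF = re.compile(
    r'Set-MpPreference\s+.*-Disable\w+\s+\$?true'
    r'|sc(?:\.exe)?\s+(?:stop|config)\s+WinDefend', re.I)


def classify(ev):
    """Return (rule, detail) for one event, or None if nothing matched."""
    eid = ev.get("EventID")
    if eid == 4720:
        return ("account_created",
                f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}')
    if eid == 4724:
        return ("password_reset",
                f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}')
    if eid == 4688:
        cmd = ev.get("CommandLine", "")
        m = WMIC_REMOTE_PS.search(cmd)
        if m:
            return ("wmic_remote_powershell", f'target host {m.group("node")}')
        if DEFENDER_OFF.search(cmd):
            return ("defender_tampering", cmd)
    return None


def triage(events):
    """Run every record through classify() and keep the hits."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            rule, detail = hit
            findings.append({"host": ev["Host"],
                             "actor": ev["SubjectUserName"],
                             "rule": rule, "detail": detail})
    return findings


def actor_summary(findings):
    """Distinct rules tripped per acting account. One account tripping
    several of these in the same day is the same-day pattern the advisory
    describes, so it is worth escalating even if each hit alone is benign."""
    per_actor = {}
    for f in findings:
        per_actor.setdefault(f["actor"], set()).add(f["rule"])
    return {actor: sorted(rules) for actor, rules in per_actor.items()}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for f in hits:
        print(f)
    print(actor_summary(hits))
```

Because the group moves the same day it gets in, the useful signal is the combination: a single non-admin service account that creates accounts, resets passwords and reaches out over WMIC within hours. Tuning each rule individually (administrators do reset passwords) matters less than alerting on the cluster, which is what `actor_summary` surfaces. Note that 4724 covers an administrator resetting someone else's password; a user changing their own password logs 4723 instead.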
While many ransomware groups spend time identifying and exfiltrating large volumes of sensitive data, Ghost's data exfiltration is typically limited. The group threatens to publish stolen data, but it does not frequently exfiltrate the kinds of data, such as intellectual property or personally identifiable information, whose leak would cause significant harm to victims. The main aim of the attacks is to encrypt data and obtain a ransom payment in exchange for the decryption keys, with demands generally in the range of tens to hundreds of thousands of dollars.
The cybersecurity advisory includes Indicators of Compromise (IoCs) and recommended mitigations, the most important being to improve baseline security by patching known vulnerabilities promptly, training the workforce to recognize phishing attempts, using phishing-resistant multifactor authentication on email and privileged accounts, segmenting networks to limit lateral movement, and regularly backing up data, with backups stored offline or otherwise not reachable from the source systems they protect.


