Warnings Issued About Ghost Ransomware
A warning has been issued about the Ghost ransomware group following attacks on healthcare organizations and other sectors. While ransomware actors are often based in Russia, former Russian states, and Eastern Europe, the Ghost ransomware actors are believed to be based in China. The ransomware group, also known by the names Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture, has been in operation for around four years, according to a joint cybersecurity alert from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Rather than engaging in big game hunting, Ghost cyber actors predominantly conduct attacks on SMBs, where security tends to be far less advanced. The group typically exploits old unpatched vulnerabilities for initial access, with many attacks conducted on companies running Internet-facing services with outdated software. The group typically uses publicly available exploits for older vulnerabilities such as CVE-2018-13379 (Fortinet FortiOS appliances), CVE-2010-2861 and CVE-2009-3960 (Adobe ColdFusion servers), CVE-2019-0604 (Microsoft SharePoint), and CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 (Microsoft Exchange).
Many ransomware groups attempt to establish persistence, and there is a reasonably long dwell time between initial access and the deployment of ransomware, but Ghost actors are focused on speedy attacks, typically deploying ransomware the same day the network is breached. Rather than spending time searching for sensitive data to exfiltrate, the group treats data theft as secondary to file encryption, with relatively small amounts of data exfiltrated. Sensitive personal data and intellectual property are not typically exfiltrated unless readily accessible. While threats are issued to publish the stolen data, the negative impacts of publishing data that is not particularly sensitive are relatively limited.
The attacks identified so far appear to be opportunistic in nature, conducted indiscriminately rather than targeted attacks, with several of the attacks on critical infrastructure, education, government, religious institutions, and manufacturing and tech firms in addition to healthcare organizations. Part of the problem of attributing attacks to the group has been frequent switching of ransomware executables, changing file extensions for encrypted files, different ransom notes, and multiple random email addresses for communication.
U.S. authorities note that Ghost actors often abandon attacks when they encounter hardened defenses and when lateral movement is not possible and simply move on to easier targets. As such, the best defense against Ghost ransomware attacks is improving baseline security. Recommended mitigations include patching known vulnerabilities promptly, segmenting networks, implementing multifactor authentication (ideally phishing-resistant multifactor authentication), monitoring for unauthorized use of PowerShell, limiting exposure of services by disabling unused ports, enhancing email security, and implementing allowlisting for applications, scripts, and network traffic.