The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory warning of widespread attacks by the Ghost ransomware group, which has compromised over 70 organizations across critical sectors globally.
Operating under aliases such as Cring, Crypt3r, and Phantom, these state-affiliated cybercriminals, suspected to originate from China, exploit unpatched vulnerabilities in public-facing applications to deploy ransomware variants like Ghost.exe and Cring.exe.
The attacks, targeting sectors including healthcare, government, education, and manufacturing, leverage sophisticated techniques to disable security protocols, encrypt data, and demand ransoms in cryptocurrency.
Exploited Vulnerabilities and Initial Access
Ghost actors exploit well-documented Common Vulnerabilities and Exposures (CVEs) to infiltrate networks, prioritizing outdated systems lacking critical patches.
Key vulnerabilities include CVE-2018-13379 in Fortinet FortiOS appliances, CVE-2010-2861 and CVE-2009-3960 in Adobe ColdFusion servers, and Microsoft Exchange vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 (part of the ProxyShell attack chain).
These exploits enable attackers to upload web shells and execute malicious payloads via PowerShell or Command Prompt.
Once inside a network, Ghost actors rapidly disable security measures using commands such as:
This PowerShell script deactivates Windows Defender’s real-time monitoring, intrusion prevention, and script scanning—critical defenses that could otherwise detect ransomware activity.
The group then deploys ransomware executables like ElysiumO.exe or Locker.exe, which encrypt files while excluding system-critical directories to avoid rendering devices inoperable.
Encryption is followed by the deletion of Volume Shadow Copies and Windows Event Logs, hindering forensic recovery efforts.
Command and Control Infrastructure
Ghost actors rely heavily on Cobalt Strike Beacon, a penetration testing tool repurposed for malicious command-and-control (C2) operations. C2 communications occur over HTTP/HTTPS, often using direct IP addresses instead of domains.
For exfiltration, limited data transfers to platforms like Mega.nz or Cobalt Strike Team Servers are observed, though Ghost typically threatens data leakage rather than executing large-scale exfiltration.
Attack Methodology and Tactical Progression
Ghost operations prioritize speed, often progressing from initial compromise to ransomware deployment within hours. Lateral movement is achieved via Windows Management Instrumentation Command-Line (WMIC) and encoded PowerShell scripts, such as:
This script executes Cobalt Strike Beacon in memory, enabling stealthy payload delivery. Tools like SharpShares and Ladon 911 facilitate network share discovery and SMB vulnerability scanning (CVE-2017-0143/0144).
While Ghost actors rarely establish persistence mechanisms, they sporadically create local or domain accounts and use open-source tools like BadPotato and GodPotato for privilege escalation.
These tools exploit Windows token impersonation to gain SYSTEM-level access, which is critical for deploying secondary payloads.
Mitigation Strategies and Best Practices
- Patch Management: Prioritize patching vulnerabilities like CVE-2018-13379 and ProxyShell CVEs within risk-informed timeframes.
- Network Segmentation: Implement strict segmentation to limit lateral movement from compromised devices.
- Phishing-Resistant MFA: Enforce MFA for all privileged and email service accounts to prevent credential theft.
- Backup Integrity: Maintain offline, immutable backups to enable recovery without ransom payments.
Organizations should monitor for anomalous PowerShell activity, unauthorized use of tools like SharpZeroLogon, and unexpected network scans.
Behavioral analytics can detect patterns such as mass file encryption or log deletion, both hallmarks of ransomware activity.
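The detection guidance above (anomalous and encoded PowerShell, security-tool tampering, shadow-copy and event-log deletion, mass file encryption) can be turned into a small set of checks that run over process-creation and file-activity records. The following is an added example written for this article; it is not code from the advisory or from any vendor tool. The event records it scans are constructed for the example, the rule names and the burst threshold (50 files in 60 seconds) are assumptions, and the regular expressions match the real Windows commands that perform the behaviours the article describes (Set-MpPreference disable switches, vssadmin/wmic shadow-copy deletion, wevtutil log clearing). The encoded-command check decodes PowerShell's base64 UTF-16LE payload so that rules also fire on commands hidden inside it.

```python
import base64
import re
from collections import defaultdict

# Rules for the post-compromise behaviours described in the advisory summary.
# Rule names are assumptions chosen for this example.
RULES = {
    "defender_tamper": re.compile(
        r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IntrusionPreventionSystem|ScriptScanning)",
        re.IGNORECASE),
    "shadow_copy_delete": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
        re.IGNORECASE),
    "event_log_clear": re.compile(r"wevtutil(\.exe)?\s+cl\b", re.IGNORECASE),
}

# PowerShell accepts abbreviated forms of -EncodedCommand; the payload is base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                         re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_command(cmdline):
    """Return the sorted rule names matched by a command line. Rules are applied to the
    raw command line and, when present, to the decoded -EncodedCommand payload too."""
    hits = set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.add("encoded_powershell")
    for text in (cmdline, decoded or ""):
        for name, pattern in RULES.items():
            if pattern.search(text):
                hits.add(name)
    return sorted(hits)


def scan_process_events(events):
    """events: iterable of (host, command_line). Returns (host, hits) for flagged events only."""
    results = []
    for host, cmd in events:
        hits = classify_command(cmd)
        if hits:
            results.append((host, hits))
    return results


def mass_modification_bursts(file_events, threshold=50, window=60):
    """Flag processes that touch at least `threshold` files within any `window`-second span,
    a coarse signal for bulk encryption. file_events: iterable of (timestamp_seconds, pid, path).
    Returns {pid: largest_file_count_seen_in_one_window}."""
    by_proc = defaultdict(list)
    for ts, pid, _path in file_events:
        by_proc[pid].append(ts)
    flagged = {}
    for pid, times in by_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[pid] = max(flagged.get(pid, 0), count)
    return flagged


def _encode_ps(script):
    """Encode a script the way PowerShell expects for -EncodedCommand (used to build samples)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample records for the example; hosts and commands are hypothetical.
SAMPLE_PROCESS_EVENTS = [
    ("ws01", "powershell.exe -NoProfile -Command Get-Process"),
    ("ws01", "powershell.exe -nop -w hidden -enc "
             + _encode_ps("Set-MpPreference -DisableRealtimeMonitoring $true")),
    ("srv02", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("srv02", "wevtutil.exe cl Security"),
]

if __name__ == "__main__":
    for host, hits in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(host, hits)
    burst = [(t, 1234, f"C:\\data\\f{t}.docx") for t in range(60)]
    print(mass_modification_bursts(burst))
```

The decode step matters because the first sample command contains none of the rule keywords in clear text; only after decoding the payload does the Defender-tampering rule fire. In production the same logic would run over Sysmon event ID 1 or Windows 4688 records with command-line auditing enabled, and the file-burst check over Sysmon file events or an EDR's file telemetry.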
By adhering to CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) and adopting a layered defense strategy encompassing timely patching, network segmentation, and rigorous access controls, organizations can mitigate risks that Ghost and similar threat actors pose.
Collaborative initiatives like #StopRansomware remain vital in disseminating threat intelligence and fostering resilience across public and private sectors.