CISA and the FBI mentioned attackers deploying Ghost ransomware have breached victims from a number of trade sectors throughout over 70 nations, together with important infrastructure organizations.
Different industries impacted embrace healthcare, authorities, training, know-how, manufacturing, and quite a few small and medium-sized companies.
“Starting early 2021, Ghost actors started attacking victims whose web dealing with companies ran outdated variations of software program and firmware,” CISA, the FBI, and the Multi-State Data Sharing and Evaluation Heart (MS-ISAC) mentioned in a joint advisory launched on Wednesday.
“This indiscriminate concentrating on of networks containing vulnerabilities has led to the compromise of organizations throughout greater than 70 nations, together with organizations in China.”
Ghost ransomware operators steadily rotate their malware executables, change the file extensions of encrypted recordsdata, alter the contents of their ransom notes, and make the most of a number of e-mail addresses for ransom communications, which has usually led to fluctuating attribution of the group over time.
Names linked to this group embrace Ghost, Cring, Crypt3r, Phantom, Strike, Howdy, Wickrme, HsHarada, and Rapture, with ransomware samples used of their assaults together with Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.
This financially motivated ransomware group leverages publicly accessible code to use safety flaws in susceptible servers. They aim vulnerabilities left unpatched in Fortinet (CVE-2018-13379), ColdFusion (CVE-2010-2861, CVE-2009-3960), and Trade (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
To defend towards Ghost ransomware assaults, community defenders are suggested to take the next measures:
- Make common and off-site system backups that may’t be encrypted by ransomware,
- Patch working system, software program, and firmware vulnerabilities as quickly as attainable,
- Deal with safety flaws focused by Ghost ransomware (i.e., CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207),
- Section networks to restrict lateral motion from contaminated gadgets,
- Implement phishing-resistant multi-factor authentication (MFA) for all privileged accounts and e-mail companies accounts.
Proper after Amigo_A and Swisscom’s CSIRT workforce first noticed Ghost ransomware in early 2021, their operators had been dropping customized Mimikatz samples, adopted by CobaltStrike beacons, and deploying ransomware payloads utilizing the legit Home windows CertUtil certificates supervisor to bypass safety software program.
Along with being exploited for preliminary entry in Ghost ransomware assaults, state-backed hacking teams that scanned for susceptible Fortinet SSL VPN home equipment additionally focused the CVE-2018-13379 vulnerability.
Attackers additionally abused the identical safety vulnerability to breach Web-exposed U.S. election assist programs reachable over the Web.
Fortinet warned prospects to patch their SSL VPN home equipment towards CVE-2018-13379 a number of occasions in August 2019, July 2020, November 2020, and once more in April 2021.
The joint advisory issued by CISA, the FBI, and MS-ISAC as we speak additionally contains indicators of compromise (IOCs), ways, methods, and procedures (TTPs), and detection strategies linked to earlier Ghost ransomware exercise recognized throughout FBI investigations as just lately as January 2025.
