Recent Ghost/Cring ransomware activity prompts alert from FBI, CISA
A ransomware group known as Ghost has been exploiting vulnerabilities in software and firmware as recently as January, according to an alert issued Wednesday by the FBI and Cybersecurity and Infrastructure Security Agency (CISA).
The group, which is also known as Cring and operates from China, focuses on internet-facing services with unpatched bugs that users could have mitigated years ago, according to the agencies. Cybersecurity researchers first began warning about the group in 2021.
“This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China,” says the alert, released with the Multi-State Information Sharing and Analysis Center (MS-ISAC).
The vulnerabilities include bugs in unpatched Fortinet security appliances; servers running Adobe’s ColdFusion for web applications; and Microsoft Exchange servers still exposed to the ProxyShell attack chain, the alert says.
Since 2021, victims include “critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses,” the alert says. Financial gain is the goal, with ransom demands sometimes reaching hundreds of thousands of dollars.
“Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks,” the agencies say. “In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day.”
The group uses common hacking tools such as Cobalt Strike and Mimikatz, and the deployed malware often has filenames like Cring.exe, Ghost.exe, ElysiumO.exe and Locker.exe, the alert says.
“The impact of Ghost ransomware activity varies widely on a victim-to-victim basis,” the agencies say. “Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral moment to other devices.”
Joe Warminsky
is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. He previously he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.