The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory warning about the increasing threat posed by Ghost ransomware.
This malicious campaign has already impacted more than 70 organizations across various sectors, exploiting vulnerabilities in widely-used software to gain access to targeted networks.
Exploitation of Vulnerabilities
The FBI has observed Ghost ransomware operators, referred to as “Ghost actors,” exploiting public-facing applications associated with several Common Vulnerabilities and Exposures (CVEs).
These include vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), Adobe ColdFusion (CVE-2010-2861, CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange servers using the ProxyShell attack chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
By leveraging these flaws, attackers gain initial access to networks and implant malicious tools.
Tactics and Techniques
Ghost actors employ a variety of sophisticated methods to execute their attacks:
- Execution and Persistence: Once inside a network, attackers deploy web shells to compromised servers and use tools like Windows Command Prompt or PowerShell to download Cobalt Strike Beacon malware. This commercially available tool is misused to simulate adversarial operations. Despite their efficiency, Ghost actors typically spend only a few days on victim networks, often deploying ransomware within 24 hours of initial compromise.
- Privilege Escalation: Attackers use built-in Cobalt Strike functions or open-source tools like “SharpZeroLogon” and “BadPotato” to escalate privileges. These tools allow them to impersonate high-level users or gain administrative access.
- Credential Access: Techniques such as password dumping via Mimikatz or Cobalt Strike’s “hashdump” function enable attackers to collect credentials for unauthorized logins.
Ghost actors disable antivirus software and Windows Defender to evade detection using specific commands.
They also leverage built-in tools for discovery, such as SharpShares for network share discovery and Ladon 911 for remote systems discovery.
For lateral movement, they rely on Windows Management Instrumentation Command-Line (WMIC) and PowerShell commands to infect additional systems.
Ghost ransomware variants—Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe—encrypt files on compromised systems while excluding critical directories to maintain device operability.
Victims are left unable to recover encrypted data without a decryption key. Ransom demands range from tens to hundreds of thousands of dollars in cryptocurrency.
CISA and the FBI urge organizations to patch known vulnerabilities promptly, implement robust security measures such as network segmentation, and monitor for indicators of compromise.
The advisory underscores the importance of proactive defense strategies against this evolving ransomware threat.
Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here