CISA and FBI Warn of Chinese Ghost Ransomware Targeting Global Organizations


The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have raised alarms over an ongoing global ransomware campaign attributed to Chinese cybercriminals, operating under the name “Ghost” (also known as Cring). This sophisticated operation has already compromised organizations in over 70 countries.

The Ghost ransomware group, active since 2021, has targeted sectors critical to national security, including government, education, manufacturing, technology, and religious institutions. The group, believed to be financially motivated, employs a variety of tactics that complicate attribution, such as rotating payloads, altering encrypted file extensions, and using multiple ransom email addresses.

A Complex and Evolving Threat

The Ghost ransomware gang is notorious for exploiting known vulnerabilities in internet-exposed devices and services to gain initial access. Once inside a network, they deploy tools like Cobalt Strike, web shells, and open-source software to escalate privileges and move laterally through the network. Their preferred targets include:

  • Fortinet FortiOS (CVE-2018-13379)
  • Adobe ColdFusion (CVE-2010-2861, CVE-2009-3960)
  • Microsoft SharePoint (CVE-2019-0604)
  • Microsoft Exchange (ProxyShell vulnerabilities)

Upon achieving elevated access, the group typically clears Windows Event Logs, deletes Volume Shadow Copies, and disables Windows Defender so that the encrypted files cannot be recovered from local snapshots. Once encryption is complete, they demand ransom payments in cryptocurrency, often amounting to tens or even hundreds of thousands of dollars, in exchange for the decryption keys.
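As an added illustration (not from the article or the CISA/FBI advisory), the following Python sketch shows how a defender might flag the three post-access behaviours named above in Windows event logs: event-log clearing, Volume Shadow Copy deletion, and Defender tampering. The event records, host names and command lines are constructed for the example; the event IDs used are the standard Windows ones (Security 1102 audit log cleared, System 104 log cleared, Security 4688 process creation, Windows Defender operational 5001 real-time protection disabled), and the `WinEvent` record shape is a simplification assumed here rather than any vendor's schema.

```python
"""Detection sketch for ransomware pre-encryption behaviour.

Added example, not code from the article or the advisory. Event records
below are constructed; only the Windows event IDs are real.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"


@dataclass
class WinEvent:
    """Simplified (assumed) shape of one Windows event record."""
    channel: str          # "Security", "System", or a provider operational log
    event_id: int
    host: str
    data: dict = field(default_factory=dict)


# Common shadow-copy and backup-catalog deletion command lines.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog)",
    re.IGNORECASE,
)
# PowerShell call that turns off Defender real-time monitoring.
DEFENDER_OFF = re.compile(
    r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.IGNORECASE
)


def classify(ev: WinEvent):
    """Return (technique, detail) when the event matches one of the three
    behaviours, otherwise None."""
    if ev.channel == "Security" and ev.event_id == 1102:
        who = ev.data.get("SubjectUserName", "?")
        return ("event_log_cleared", f"Security log cleared by {who}")
    if ev.channel == "System" and ev.event_id == 104:
        return ("event_log_cleared", f"{ev.data.get('Channel', '?')} log cleared")
    if ev.channel == "Security" and ev.event_id == 4688:
        cmd = ev.data.get("CommandLine", "")
        if SHADOW_DELETE.search(cmd):
            return ("shadow_copy_deletion", cmd)
        if DEFENDER_OFF.search(cmd):
            return ("defender_disabled", cmd)
    if ev.channel == DEFENDER_CHANNEL and ev.event_id == 5001:
        return ("defender_disabled", "Real-time protection disabled")
    return None


def summarize(events):
    """Map each host to the sorted list of distinct techniques seen on it.
    Hosts with no matching events are omitted."""
    seen = defaultdict(set)
    for ev in events:
        hit = classify(ev)
        if hit:
            seen[ev.host].add(hit[0])
    return {host: sorted(techs) for host, techs in seen.items()}


def high_risk_hosts(events, min_techniques=2):
    """Hosts showing at least `min_techniques` distinct behaviours; a single
    log clear can be routine maintenance, the combination rarely is."""
    return sorted(h for h, t in summarize(events).items() if len(t) >= min_techniques)


# Constructed sample telemetry: one host showing the full sequence, one benign.
SAMPLE_EVENTS = [
    WinEvent("Security", 1102, "WS-EXAMPLE-01", {"SubjectUserName": "svc_example"}),
    WinEvent("Security", 4688, "WS-EXAMPLE-01",
             {"CommandLine": "vssadmin.exe delete shadows /all /quiet"}),
    WinEvent(DEFENDER_CHANNEL, 5001, "WS-EXAMPLE-01", {}),
    WinEvent("Security", 4688, "WS-EXAMPLE-02", {"CommandLine": "notepad.exe notes.txt"}),
]

if __name__ == "__main__":
    for host, techs in summarize(SAMPLE_EVENTS).items():
        print(host, techs)
    print("high risk:", high_risk_hosts(SAMPLE_EVENTS))
```

Two caveats a practitioner will hit: Security 4688 records carry the `CommandLine` field only when the "Include command line in process creation events" policy is enabled, and the PowerShell regex catches only the literal cmdlet, not obfuscated or encoded invocations, so this is a starting signal to correlate with EDR telemetry rather than a complete rule.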

Tactics and Techniques

While the group has claimed to steal files for extortion, CISA and the FBI note that Ghost actors rarely exfiltrate large amounts of data. Instead, they focus on disrupting operations and encrypting sensitive information. In some cases, if lateral movement within a network fails, they have been observed abandoning the attack entirely.

The Ghost ransomware operation highlights the evolving threat posed by state-linked cybercriminal groups, capable of launching attacks that exploit a broad range of vulnerabilities across both private sector and critical infrastructure targets.

Key Takeaways:

  • Ghost (Cring) ransomware is attributed to Chinese threat actors and has affected over 70 countries.
  • The group exploits known vulnerabilities in widely used software and services to gain initial access.
  • Once inside, they use advanced tools for lateral movement, privilege escalation, and file encryption.
  • Their ultimate goal is financial extortion, demanding large ransom sums, often paid in cryptocurrency.

Organizations are urged to implement robust cybersecurity measures, including patching vulnerabilities, monitoring network traffic, and using advanced endpoint protection solutions to defend against this sophisticated threat.

As this threat continues to evolve, both CISA and the FBI are advising heightened vigilance across all sectors, especially those involved in critical infrastructure and sensitive data handling.

Source: Ionut Arghire www.securityweek.com
