CISA and FBI Warn of Ransomware Gang Ghost
The US authorities CISA and FBI have issued warnings about the Chinese ransomware group Ghost, which has been active since 2021 and has targeted vulnerable systems in over 70 countries, including the US. Its operations span sectors from critical infrastructure to small businesses; the group predominantly uses publicly available exploit code to compromise outdated software, then demands a ransom while threatening to leak data. Affected: critical infrastructure, education, healthcare, government networks, religious institutions, technology and manufacturing companies, small and medium enterprises.

Key points:

  • Ghost ransomware group has been active since early 2021.
  • Targeted systems with outdated software in over 70 countries, including the US and China.
  • Victims include critical infrastructure, schools, healthcare, and SMBs.
  • Utilizes a variety of encrypted file suffixes and ransom messages.
  • Employs publicly available exploit code for known vulnerabilities.
  • There are multiple aliases for the group, including Cring, Crypt3r, and Rapture.
  • Commonly targets vulnerabilities in Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange.
  • Employs tools like Cobalt Strike to maintain access and deploy payloads.
  • Claims it will sell stolen data if the ransom is not paid, but in practice exfiltrates little data of significance.
  • Uses IP-URI connections for C2 and relies on encrypted email services.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: The group uses Cobalt Strike for command and control.
  • T1210 – Exploitation of Remote Services: Utilizes known exploits in outdated software.
  • T1070.001 – Indicator Removal on Host: Deletes Windows Event logs to hinder recovery efforts.
  • T1583.001 – Buy or Build: Leverages publicly available exploit code.
  • T1083 – File and Directory Discovery: Employs Cobalt Strike for reconnaissance in the target network.

Indicators of Compromise:

  • [File] Cring.exe
  • [File] Ghost.exe
  • [File] ElysiumO.exe
  • [File] Locker.exe
  • [Email Domain] ProtonMail
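The log-clearing technique (T1070.001) and the file-name indicators above lend themselves to a simple detection pass over Windows event telemetry. The following is an added example, not code from the advisory or the article; it relies on the standard Windows event IDs 1102 (Security log cleared), 104 (System log cleared) and 4688 (process creation), and all hosts, paths and records in it are constructed.

```python
"""Flag two Ghost-related signals in Windows event records: clearing of event
logs (T1070.001) and execution of the file names listed as indicators.
Added illustrative code; the sample records below are constructed, not real."""
from dataclasses import dataclass

# File names listed as indicators of compromise (matched case-insensitively).
IOC_FILENAMES = {"cring.exe", "ghost.exe", "elysiumo.exe", "locker.exe"}

# Event IDs Windows writes when a log is cleared: 1102 in the Security log,
# 104 in the System log (source Microsoft-Windows-Eventlog).
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}

# Event ID 4688 is process creation in the Security log (requires process
# creation auditing to be enabled).
PROCESS_CREATE = ("Security", 4688)


@dataclass(frozen=True)
class Event:
    host: str
    channel: str      # "Security", "System", ...
    event_id: int
    image: str = ""   # full path of the new process, for 4688 events only


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return a list of (host, reason) findings, one per matching event."""
    findings = []
    for e in events:
        if (e.channel, e.event_id) in LOG_CLEARED_EVENTS:
            findings.append((e.host, f"{e.channel} log cleared (event {e.event_id})"))
        elif (e.channel, e.event_id) == PROCESS_CREATE and basename(e.image) in IOC_FILENAMES:
            findings.append((e.host, f"IoC file executed: {basename(e.image)}"))
    return findings


# Constructed sample records (hosts and paths are invented for the example).
SAMPLE_EVENTS = [
    Event("srv01", "Security", 4688, r"C:\Windows\System32\svchost.exe"),
    Event("srv01", "Security", 4688, r"C:\Users\Public\Ghost.exe"),
    Event("srv01", "Security", 1102),
    Event("ws07", "System", 104),
    Event("ws07", "Security", 4688, r"C:\Temp\locker.EXE"),
]

if __name__ == "__main__":
    for host, reason in detect(SAMPLE_EVENTS):
        print(host, reason)
```

File-name matching is only a first-pass check, since the binaries are trivially renamed; the log-clearing events are the more durable signal and should be alerted on regardless of the process involved.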

Full Story: https://www.heise.de/news/CISA-und-FBI-warnen-vor-Ransomware-Bande-Ghost-10290517.html?wt_mc=rss.red.ho.themen.cybersecurity.beitrag.beitrag