Increasing ransomware volumes, particularly from China-affiliated Ghost (Cring) ransomware groups, have raised global cyber risk concerns. Organizations across multiple sectors face significant financial losses, with recovery costs reaching .73 million in 2024. The FBI and CISA have issued alerts to enhance awareness and proactive measures. Affected: critical infrastructure, healthcare, government, education, technology, manufacturing
Keypoints :
- Surge in ransomware incidents targeting multiple sectors globally.
- Recovery costs from ransomware attacks projected to increase significantly.
- Ghost (Cring) ransomware group exploits known vulnerabilities to gain access.
- Speed is prioritized over persistence in ransomware deployment.
- Ransom notes threaten data sales if demands are unmet but large data exfiltration is rare.
- Defense recommendations include offline backups and timely security patching.
- SOC Prime Platform offers detection rules compatible with various cybersecurity tools.
- Emphasis on collective cyber defense against ransomware threats.
MITRE Techniques :
- T1071.001 (Application Layer Protocol: Web Protocols) – Communication via HTTP/HTTPS with directed IP addresses.
- T1070.001 (Indicator Removal on Host: Clear Windows Event Logs) – Attackers clear Windows Event Logs to hinder detection.
- T1486 (Data Encrypted for Impact) – Use of ransomware executables like Cring.exe for encryption.
- T1106 (Execution via Command-Line Interface) – Use of PowerShell and Command Prompt to execute malicious commands.
- T1203 (Exploitation for Client Execution) – Targeting vulnerabilities in applications such as Adobe ColdFusion and Microsoft Exchange.
Indicator of Compromise :
- [Hash] Cring.exe
- [Hash] Ghost.exe
- [Hash] ElysiumO.exe
- [Hash] Locker.exe
- [Email] Tutanota, ProtonMail, Mailfence (encrypted email services used for communication)
Full Story: https://socprime.com/blog/ghost-cring-ransomware-detection/
Views: 4