The Ghost ransomware group, also known as Cring, has been actively exploiting unpatched vulnerabilities in software and firmware since at least January 2025. Operating out of China, the group has targeted organizations in more than 70 countries across a wide range of sectors, underscoring the need for organizations to implement robust cybersecurity measures. Affected sectors: critical infrastructure, healthcare facilities, educational institutions, government networks, religious organizations, technology firms, manufacturing companies, and small- to medium-sized businesses.
Key points:
- Ghost ransomware has been active since 2021 and continues to target organizations worldwide.
- They exploit vulnerabilities in software like Fortinet, Adobe ColdFusion, and Microsoft Exchange.
- Targets include critical infrastructure and various sectors, including healthcare and education.
- Ghost actors rely on publicly available code to exploit known vulnerabilities.
- Ransom demands can reach hundreds of thousands of dollars, but the actors tend to abandon attacks that run into strong defenses.
- Suggested mitigations include regular system backups, patching vulnerabilities, and enforcing multi-factor authentication.
- Monitoring network activity and enhancing email security are crucial to combating Ghost ransomware.
MITRE Techniques:
- Exploitation of Vulnerability (T1203) – Exploiting known vulnerabilities such as CVE-2018-13379 in Fortinet devices and CVE-2021-34473 in Microsoft Exchange.
- Credential Dumping (T1003) – Using tools like SharpZeroLogon to impersonate users and escalate privileges.
- Command and Control – Deploying Cobalt Strike Beacon malware to maintain presence in victim networks.
- Data Encrypted for Impact (T1486) – Encrypting data to demand ransom payments from victims.
Indicators of Compromise:
- [CVE] CVE-2018-13379
- [CVE] CVE-2010-2861
- [CVE] CVE-2009-3960
- [CVE] CVE-2021-34473
- [CVE] CVE-2021-34523
Full Story: https://thecyberexpress.com/ghost-ransomware-attacks/