FOCUS MODE
EXTRACT IOC
Threat Research

#StopRansomware: Ghost (Cring) Ransomware

CISA
This joint Cybersecurity Advisory highlights the threat posed by Ghost (Cring) ransomware, detailing its tactics, techniques, and indicators of compromise (IOCs) as observed mainly since early 2021. Ghost actors exploit vulnerabilities in outdated software to target various sectors, resulting in significant impacts worldwide. Affected: critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, small- and medium-sized businesses

Keypoints :

  • Ghost ransomware actors have been compromising networks worldwide since early 2021.
  • Their attacks target organizations using outdated software and exposed services.
  • Ghost actors employ various ransomware payloads and modify their tactics to evade detection.
  • Exploitation of Common Vulnerabilities and Exposures (CVEs) is a common method of initial access.
  • Ransom demands can range significantly, often requiring payment in cryptocurrency.
  • Recommended mitigations include maintaining offline backups and applying timely security updates.
  • Ghost actors leverage Cobalt Strike malware for various stages of the attack, including lateral movement and command and control.
  • Organizations are encouraged to report ransomware incidents and to not engage with threat actors.

MITRE Techniques :

  • Initial Access – Exploit Public-Facing Application (T1190): Gained access by exploiting multiple CVEs in public-facing applications.
  • Execution – Windows Command Shell (T1059.003): Used to download malicious content onto victim servers.
  • Execution – PowerShell (T1059.001): Leveraged for deploying Cobalt Strike.
  • Persistence – Web Shell (T1505.003): Uploaded to servers for sustained access.
  • Privilege Escalation – Exploitation for Privilege Escalation (T1068): Utilized open-source tools to gain higher privileges.
  • Credential Access – OS Credential Dumping (T1003): Collected credentials using Mimikatz and Cobalt Strike’s hashdump.
  • Discovery – Remote System Discovery (T1018): Employed tools like SharpNBTScan for host enumeration.
  • Lateral Movement – Windows Management Instrumentation Command-Line (T1047): Used WMI to execute commands on other devices.
  • Exfiltration – Exfiltration Over C2 Channel (T1041): Limited data exfiltration using web shells and Cobalt Strike.
  • Command and Control – Web Protocols (T1071.001): Relied on HTTP/HTTPS for C2 operations, with minimal domain registrations.
  • Impact – Data Encrypted for Impact (T1486): Encrypted files and directories for ransom using Ghost ransomware variants.

Indicator of Compromise :

  • [MD5] Cring.exe c5d712f82d5d37bb284acd4468ab3533
  • [MD5] Ghost.exe 34b3009590ec2d361f07cac320671410
  • [MD5] ElysiumO.exe 29e44e8994197bdb0c2be6fc5dfc15c2
  • [MD5] Locker.exe ef6a213f59f3fbee2894bd6734bbaed2
  • [Email] asauribe@tutanota.com

Full Story: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a

Tags: CLOUD, IMPACT, DISCOVERY, EMAIL, PASSWORD, CREDENTIAL, WINDOWS, CVE