Ethical Hacking News
CISA and the FBI have issued a joint advisory on the Ghost ransomware group, which has breached organizations in more than 70 countries across critical infrastructure and other sectors. Defenders are advised to keep offline backups, patch the known internet-facing vulnerabilities the group exploits, segment networks, and enforce phishing-resistant multi-factor authentication.
Ghost ransomware has had a profound impact on organizations worldwide, breaching networks in over 70 countries and compromising critical infrastructure, healthcare institutions, government agencies, educational facilities, technology companies, manufacturing firms, and small to medium-sized enterprises alike.
According to the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), a pattern of attacks began in early 2021. The attackers' primary strategy involved targeting internet-facing services that employed outdated versions of software and firmware, thereby leaving them vulnerable to exploitation.
The attackers frequently rotate their malware executables, change the file extensions of encrypted files, alter the contents of their ransom notes, and use multiple email addresses for ransom communications, which has led to inconsistent attribution of the group over time; it also means that detection keyed on a single extension, note text or sample hash goes stale quickly. Names linked to this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.
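Because the extensions, note text and executables rotate, a detection rule that names any one of them is obsolete as soon as the group changes it. The script below is an added example, not code from the advisory or the article, of the alternative: flagging a mass-encryption event from what happened to the files (previously readable content turned high-entropy, a new readable file with ransom wording) rather than from what they were renamed to. The snapshots, paths, the `.locked` extension and the note text are all constructed for the example and are not Ghost indicators.

```python
"""Flag a mass-encryption event from two snapshots of a file share without
keying on a specific extension, ransom-note filename or sample hash.

Added example for this article, not code from the CISA/FBI advisory. Every
path and file body below is constructed test data; the ".locked" extension
and the note text are placeholders, not Ghost indicators.
"""
import math
import os
import random
import re
from collections import Counter
from typing import Dict, List, Optional

HIGH_ENTROPY = 7.0        # bits per byte; encrypted or compressed data sits near 8.0
DEFAULT_THRESHOLD = 5     # rewritten files needed before a burst is declared on its own
# Loose ransom-note markers: decryption/payment wording or a contact address.
NOTE_MARKERS = re.compile(rb"decrypt|bitcoin|\b[\w.+-]+@[\w-]+\.[\w.]+", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pre_image(path: str, before: Dict[str, bytes]) -> Optional[str]:
    """Return the pre-encryption path that `path` most plausibly replaced.

    Handles in-place overwrite (same name), an appended extension
    (report.xlsx -> report.xlsx.locked) and a swapped extension
    (report.xlsx -> report.locked).
    """
    if path in before:
        return path
    stem = os.path.splitext(path)[0]
    if stem in before:
        return stem
    by_stem = {os.path.splitext(p)[0]: p for p in before}
    return by_stem.get(stem)


def assess(before: Dict[str, bytes], after: Dict[str, bytes],
           threshold: int = DEFAULT_THRESHOLD) -> dict:
    """Compare two {path: bytes} snapshots and return the evidence found."""
    rewritten: List[str] = []
    notes: List[str] = []
    for path, data in after.items():
        ent = shannon_entropy(data)
        origin = pre_image(path, before)
        if origin is not None:
            # A file that was readable before and is high-entropy now is the
            # signal; whatever extension it ended up with is irrelevant.
            if ent >= HIGH_ENTROPY and shannon_entropy(before[origin]) < HIGH_ENTROPY:
                rewritten.append(path)
        elif ent < HIGH_ENTROPY and NOTE_MARKERS.search(data):
            # A new, readable file carrying ransom-note wording, whatever its name.
            notes.append(path)
    burst = len(rewritten) >= threshold or (len(rewritten) > 0 and len(notes) > 0)
    return {"rewritten": sorted(rewritten), "notes": sorted(notes), "verdict": burst}


# ---- constructed snapshots -------------------------------------------------
_rng = random.Random(1337)                      # seeded so the run is reproducible
TEXT = b"Q3 forecast, region north, revenue 1,204,550 USD\n" * 80   # low entropy


def _ciphertext(n: int = 4096) -> bytes:
    """Pseudo-random bytes standing in for encrypted output."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


BEFORE = {f"share/finance/report_{i}.xlsx": TEXT for i in range(5)}
BEFORE["share/hr/handbook.docx"] = TEXT
BEFORE["share/it/notes.txt"] = TEXT

# Attack: five files renamed and encrypted, one overwritten in place, one note dropped.
ATTACK = {f"share/finance/report_{i}.xlsx.locked": _ciphertext() for i in range(5)}
ATTACK["share/hr/handbook.docx"] = _ciphertext()
ATTACK["share/it/notes.txt"] = TEXT
ATTACK["share/finance/HOW_TO_RESTORE.txt"] = (
    b"All your files are encrypted. Email recover@example.com to decrypt."
)

# Benign: one file edited, one new zip archive (high entropy but no pre-image).
BENIGN = dict(BEFORE)
BENIGN["share/it/notes.txt"] = TEXT + b"Backup job moved to 02:00.\n"
BENIGN["share/it/archive.zip"] = _ciphertext()

if __name__ == "__main__":
    print(assess(BEFORE, ATTACK))
    print(assess(BEFORE, BENIGN))
```

The benign case matters as much as the attack case: a freshly created archive is high-entropy but has no pre-image, so it is not counted, and an edited document stays readable, so it is not counted either. Only files that went from readable to opaque, or new readable files that talk like a ransom note, contribute to the verdict.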
Ransomware samples used in their attacks include Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. The financially motivated group relies on publicly available exploit code for known flaws in unpatched, internet-facing servers, specifically Fortinet FortiOS SSL VPN (CVE-2018-13379), Adobe ColdFusion (CVE-2010-2861, CVE-2009-3960), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, the ProxyShell chain). The newest of these was patched in 2021 and the oldest in 2009; none is a zero-day.
In an effort to defend against Ghost ransomware attacks, network defenders are advised to take the following measures:
* Make regular and off-site system backups that can't be encrypted by ransomware
* Patch operating system, software, and firmware vulnerabilities as soon as possible
* Focus on security flaws targeted by Ghost ransomware (i.e., CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
* Segment networks to limit lateral movement from infected devices
* Enforce phishing-resistant multi-factor authentication (MFA) for all privileged accounts and email services accounts
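Putting the patching advice into practice starts with knowing which hosts still run the affected versions. The script below is an added example, not a tool from CISA or the FBI: it triages a constructed asset inventory against the six CVEs the advisory names, using the affected FortiOS and ColdFusion versions from the NVD entries linked under Related Information. For Exchange it relies on an assumed inventory field recording the month of the newest installed Security Update (the April 2021 SUs fixed CVE-2021-34473 and CVE-2021-34523; the May 2021 SUs fixed CVE-2021-31207), so it does not need Exchange build numbers.

```python
"""Triage an asset inventory against the six CVEs named in CISA/FBI advisory
AA25-050A and list which hosts still expose them.

Added example for this article, not a tool from CISA, the FBI or the
advisory. The inventory rows are constructed. FortiOS and ColdFusion
affected versions are those listed in the NVD entries for each CVE. For
Exchange the check is keyed on the month of the newest installed Security
Update (an assumed inventory field, not a real Exchange attribute) rather
than on build numbers: the April 2021 SUs fixed CVE-2021-34473 and
CVE-2021-34523, the May 2021 SUs fixed CVE-2021-31207.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Inclusive FortiOS version ranges affected by CVE-2018-13379 (per NVD).
FORTIOS_13379 = (
    ((5, 4, 6), (5, 4, 12)),
    ((5, 6, 3), (5, 6, 7)),
    ((6, 0, 0), (6, 0, 4)),
)
# ColdFusion versions affected by each CVE (per NVD).
COLDFUSION = {
    "CVE-2010-2861": {"8.0", "8.0.1", "9.0", "9.0.1"},
    "CVE-2009-3960": {"7.0.2", "8.0", "8.0.1", "9.0"},
}
# Exchange: (year, month) of the Security Update that closed each CVE.
EXCHANGE_FIX_SU = {
    "CVE-2021-34473": (2021, 4),
    "CVE-2021-34523": (2021, 4),
    "CVE-2021-31207": (2021, 5),
}


@dataclass(frozen=True)
class Asset:
    host: str
    product: str                                 # "fortios", "coldfusion" or "exchange"
    version: str = ""                            # FortiOS / ColdFusion version string
    su_level: Optional[Tuple[int, int]] = None   # Exchange: newest installed SU as (year, month)
    internet_facing: bool = True


def parse_version(version: str) -> Tuple[int, ...]:
    """'6.0.4' -> (6, 0, 4); tuples compare numerically, so 5.4.12 > 5.4.6."""
    return tuple(int(part) for part in version.split("."))


def fortios_cves(version: str) -> List[str]:
    v = parse_version(version)
    hit = any(low <= v <= high for low, high in FORTIOS_13379)
    return ["CVE-2018-13379"] if hit else []


def coldfusion_cves(version: str) -> List[str]:
    return sorted(cve for cve, affected in COLDFUSION.items() if version in affected)


def exchange_cves(su_level: Optional[Tuple[int, int]]) -> List[str]:
    # An unknown patch level is reported as fully exposed: the advisory's
    # victims ran outdated software, so missing evidence of a fix counts
    # against the host rather than for it.
    if su_level is None:
        return sorted(EXCHANGE_FIX_SU)
    return sorted(cve for cve, fixed in EXCHANGE_FIX_SU.items() if su_level < fixed)


CHECKS = {
    "fortios": lambda a: fortios_cves(a.version),
    "coldfusion": lambda a: coldfusion_cves(a.version),
    "exchange": lambda a: exchange_cves(a.su_level),
}


def triage(assets: List[Asset]) -> List[Tuple[str, List[str]]]:
    """Return (host, [cves]) for every exposed asset, internet-facing hosts first."""
    findings = []
    for asset in assets:
        check = CHECKS.get(asset.product)
        if check is None:
            continue                              # product not covered by the advisory
        cves = check(asset)
        if cves:
            findings.append((asset, cves))
    findings.sort(key=lambda f: (not f[0].internet_facing, f[0].host))
    return [(asset.host, cves) for asset, cves in findings]


# Constructed inventory; hostnames and versions are illustrative.
INVENTORY = [
    Asset("vpn-edge-01", "fortios", version="6.0.3"),
    Asset("vpn-edge-02", "fortios", version="6.0.5"),
    Asset("cf-app", "coldfusion", version="8.0.1"),
    Asset("cf-legacy", "coldfusion", version="9.0.1", internet_facing=False),
    Asset("mail-01", "exchange", su_level=(2021, 3)),
    Asset("mail-02", "exchange", su_level=(2021, 4)),
    Asset("mail-03", "exchange", su_level=(2024, 1)),
    Asset("mail-04", "exchange", su_level=None),
]

if __name__ == "__main__":
    for host, cves in triage(INVENTORY):
        print(f"{host:12} {', '.join(cves)}")
```

Internet-facing hosts sort first because that is where the advisory says the group gets in, and a host with no recorded patch level is listed as exposed rather than silently skipped. The per-CVE output matters for ColdFusion in particular: 9.0.1 is affected by CVE-2010-2861 but not by CVE-2009-3960, so a host-level "vulnerable/not" flag would lose information a patch owner needs.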
In the past, state-backed hacking groups have also exploited similar vulnerabilities to breach U.S. election support systems reachable over the Internet.
The joint advisory issued by CISA, the FBI, and MS-ISAC today also includes indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods linked to previous Ghost ransomware activity identified during FBI investigations as recently as January 2025.
The advisory is a reminder that the initial access vectors here are years-old, publicly documented flaws in internet-facing services, so the mitigations are mostly a matter of patching edge devices and mail servers, keeping tested offline backups and enforcing MFA, not of novel tooling. As the threat landscape continues to evolve, organizations need to stay informed about emerging threats and take proactive steps to protect themselves against these types of attacks.
Related Information:
https://www.bleepingcomputer.com/news/security/cisa-and-fbi-ghost-ransomware-breached-orgs-in-70-countries/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
https://nvd.nist.gov/vuln/detail/CVE-2018-13379
https://www.cvedetails.com/cve/CVE-2018-13379/
https://nvd.nist.gov/vuln/detail/CVE-2010-2861
https://www.cvedetails.com/cve/CVE-2010-2861/
https://nvd.nist.gov/vuln/detail/CVE-2009-3960
https://www.cvedetails.com/cve/CVE-2009-3960/
https://nvd.nist.gov/vuln/detail/CVE-2021-34473
https://www.cvedetails.com/cve/CVE-2021-34473/
https://nvd.nist.gov/vuln/detail/CVE-2021-34523
https://www.cvedetails.com/cve/CVE-2021-34523/
https://nvd.nist.gov/vuln/detail/CVE-2021-31207
https://www.cvedetails.com/cve/CVE-2021-31207/
Published: Wed Feb 19 15:43:36 2025 by llama3.2 3B Q4_K_M