The CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint cybersecurity advisory warning of widespread Ghost ransomware attacks targeting and compromising organizations in more than 70 countries with outdated versions of software and firmware on their internet facing services:
Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.
Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.
Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not been applied.
The FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.
Roger Grimes, data-driven defense evangelist at KnowBe4, commented:
“The joint release has a few new surprises. One is that the ransomware groups move from initial compromise to deployment of ransomware very quickly, often on the same day. This is quite different from traditional ransomware groups that may have days, weeks, or even months from the initial access gained to the deployment of the ransomware. Second, the frequent use of Cobalt Strike. I see the use of Cobalt Strike by ransomware groups fairly common. If you’re not looking for and detecting Cobalt Strike instances, you’re just asking for trouble. Last, unpatched software and firmware (and zero-days) are involved in at least a third of successful compromises. Every organization has a patching process, but most don’t get it perfect and if one-third of all successful compromises involved finding and exploiting vulnerable software and firmware, it really should be a primary focus for all organizations. You can’t just make it one of the many things you do out of hundreds of things you do. It has to be something you focus on and dedicate significant resources to (as you also need to do to mitigate social engineering). Because if you don’t, you’ll miss something and become the next ransomware victim.”
I would recommend that anyone that is responsible for securing their organizations from cyberattacks take a look at the mitigation section of this advisory as this is pretty serious.
Related
This entry was posted on February 20, 2025 at 8:21 am and is filed under Commentary with tags CISA. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
CISA /FBI Warn of Ghost Ransomware Attacks in Over 70 Countries
The CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint cybersecurity advisory warning of widespread Ghost ransomware attacks targeting and compromising organizations in more than 70 countries with outdated versions of software and firmware on their internet facing services:
Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.
Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.
Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not been applied.
The FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.
Roger Grimes, data-driven defense evangelist at KnowBe4, commented:
“The joint release has a few new surprises. One is that the ransomware groups move from initial compromise to deployment of ransomware very quickly, often on the same day. This is quite different from traditional ransomware groups that may have days, weeks, or even months from the initial access gained to the deployment of the ransomware. Second, the frequent use of Cobalt Strike. I see the use of Cobalt Strike by ransomware groups fairly common. If you’re not looking for and detecting Cobalt Strike instances, you’re just asking for trouble. Last, unpatched software and firmware (and zero-days) are involved in at least a third of successful compromises. Every organization has a patching process, but most don’t get it perfect and if one-third of all successful compromises involved finding and exploiting vulnerable software and firmware, it really should be a primary focus for all organizations. You can’t just make it one of the many things you do out of hundreds of things you do. It has to be something you focus on and dedicate significant resources to (as you also need to do to mitigate social engineering). Because if you don’t, you’ll miss something and become the next ransomware victim.”
I would recommend that anyone that is responsible for securing their organizations from cyberattacks take a look at the mitigation section of this advisory as this is pretty serious.
Share this:
Like this:
Related
This entry was posted on February 20, 2025 at 8:21 am and is filed under Commentary with tags CISA. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.