#StopRansomware: Ghost (Cring)... Note

#StopRansomware: Ghost (Cring) Ransomware

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint advisory to provide information on the Ghost (Cring) ransomware variant. Ghost actors, located in China, have been conducting widespread attacks for financial gain since early 2021, targeting organizations with outdated software and firmware. The group has compromised organizations in over 70 countries, including critical infrastructure, schools, healthcare, government networks, and small- and medium-sized businesses.Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet-facing servers. They rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, making attribution challenging. The group uses various tools, including Cobalt Strike, to exploit vulnerabilities, gain access, and move laterally within victim networks.The advisory provides technical details on the tactics, techniques, and procedures (TTPs) used by Ghost actors, including initial access, execution, persistence, privilege escalation, credential access, defense evasion, discovery, lateral movement, exfiltration, and command and control. The group relies heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command and control operations.The impact of Ghost ransomware activity varies widely on a victim-to-victim basis, with the group typically demanding tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software. The advisory encourages organizations to implement recommendations to reduce the likelihood and impact of Ghost ransomware incidents.