
A ransomware group operating under the Ghost moniker has infiltrated the systems of corporations and government institutions across more than 70 countries. Among the affected sectors are critical infrastructure, healthcare, education, technology firms, manufacturing enterprises, and small businesses. This was disclosed in a joint advisory issued by CISA, the FBI, and MS-ISAC.
Ghost ransomware activity dates back to early 2021. The actors gain initial access by exploiting internet-facing applications that run outdated software and firmware with known, unpatched vulnerabilities, then move on to the wider corporate network. Victims are spread across the United States, Europe, and Asia, including organizations in China.
The group has been tracked under multiple aliases, including Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Its attacks deploy ransomware executables such as “Cring.exe,” “Ghost.exe,” “ElysiumO.exe,” and “Locker.exe.” The actors frequently rotate these binaries, the extension appended to encrypted files, and the text of the ransom note, which complicates consistent attribution and defeats naive signature- or filename-based detection.
Ghost ransomware operators rely largely on publicly available exploit code and tooling to compromise vulnerable, internet-exposed servers. The initial-access vectors named in the advisory are known, long-patched vulnerabilities: the Fortinet FortiOS SSL VPN path traversal (CVE-2018-13379), two Adobe ColdFusion bugs (CVE-2010-2861, CVE-2009-3960), and the Microsoft Exchange ProxyShell chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). Notably, some of their targets have included election-related systems in the United States.
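Because every initial-access vector above arrives as an HTTP request to an exposed server, a practical first check is to sweep web-server access logs for the request shapes those exploits produce. The script below is an added example written for this article, not code or detection content from the CISA/FBI/MS-ISAC advisory: the log lines are constructed, the source addresses are RFC 5737 documentation ranges, and the request patterns are this example's own approximations of the publicly documented exploit traffic for CVE-2018-13379, CVE-2010-2861 and CVE-2021-34473 (CVE-2009-3960 and the rest of the ProxyShell chain are not covered because they cannot be recognised from the request line alone).

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format. These were written
# for this example; they are not indicators from the advisory. Lines 2-4 mimic
# exploit traffic for the three CVEs checked below, the others are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2025:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 1234
203.0.113.11 - - [12/Jan/2025:10:01:05 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 4096
203.0.113.12 - - [12/Jan/2025:10:02:17 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 2048
203.0.113.13 - - [12/Jan/2025:10:03:44 +0000] "POST /autodiscover/autodiscover.json?a@b.c/mapi/nspi/?&Email=autodiscover/autodiscover.json%3Fa%40b.c HTTP/1.1" 200 512
203.0.113.14 - - [12/Jan/2025:10:04:00 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 8192
203.0.113.15 - - [12/Jan/2025:10:05:00 +0000] "GET /autodiscover/autodiscover.xml HTTP/1.1" 401 0
"""

# Common log format: client, identd, user, [timestamp] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Request-shape signatures, matched against the percent-decoded, lower-cased
# request target. These are this example's approximations of public exploit
# traffic (assumption), not detection logic taken from the advisory.
SIGNATURES = [
    ("CVE-2018-13379", "Fortinet SSL-VPN fgt_lang path traversal",
     re.compile(r"/remote/fgt_lang\?.*\.\./")),
    ("CVE-2010-2861", "ColdFusion administrator locale traversal",
     re.compile(r"/cfide/administrator/.*locale=.*\.\./")),
    ("CVE-2021-34473", "Exchange ProxyShell autodiscover SSRF",
     re.compile(r"/autodiscover/autodiscover\.json\?[^/]*@[^/]*/"
                r"|email=autodiscover/autodiscover\.json")),
]


def normalize_target(target):
    """Percent-decode twice (defeats double encoding) and lower-case the target."""
    return unquote(unquote(target)).lower()


def scan_log(text):
    """Return one hit record per log line whose request target matches a signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        target = normalize_target(m.group("target"))
        for cve, name, pattern in SIGNATURES:
            if pattern.search(target):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "method": m.group("method"),
                    "status": int(m.group("status")),
                    "cve": cve,
                    "name": name,
                    "target": m.group("target"),
                })
                break  # one signature per line is enough for triage
    return hits


def hits_by_cve(hits):
    """Count hits per CVE so a large log can be summarised at a glance."""
    counts = {}
    for h in hits:
        counts[h["cve"]] = counts.get(h["cve"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        # A 200 on an exploit-shaped request is the line to escalate first.
        print(f'{h["time"]} {h["ip"]} {h["method"]} status={h["status"]} '
              f'{h["cve"]} ({h["name"]})')
    print(hits_by_cve(scan_log(SAMPLE_LOG)))
```

Run it against real Fortinet, ColdFusion or Exchange front-end logs by reading the file into `scan_log`. A match with a 200 response on a host that was unpatched at the time is the case to treat as a probable compromise and pivot into the endpoint evidence (web shells, the ransomware binaries named above, PowerShell activity) rather than just patching. Double decoding is deliberate: exploit kits often double-encode the traversal sequence to slip past single-decode filters.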
To mitigate the threat posed by Ghost, CISA and the FBI urge organizations to harden their networks by keeping regular backups stored offline or on a segmented network, patching the known, actively exploited vulnerabilities promptly, segmenting networks to limit lateral movement from a compromised server, and requiring phishing-resistant multi-factor authentication (MFA) for privileged and email accounts.
The latest advisory from CISA, the FBI, and MS-ISAC provides indicators of compromise (IOCs), attack tactics, and detection methods identified during investigations through January 2025. Cybersecurity experts emphasize that threat actors continue to exploit legacy systems, underscoring the critical importance of software updates and robust network security controls to prevent further breaches.