Why Ghost Ransomware Has Security Experts Worried: FBI's Critical Alert

Ghost (a group of attackers originating in China) has recently launched a version of ransomware that poses a serious threat to organizations in more than 70 countries. This dangerous strain targets healthcare facilities, government agencies, educational institutions and manufacturing plants.
These attacks happen at an alarming speed, often completing within 24 hours. The FBI and CISA have observed these threat actors exploiting multiple known CVEs. Their ransom demands can reach anywhere from tens to hundreds of thousands of dollars in cryptocurrency.
Let's get into why security experts sound the alarm about this threat. We'll look at how these attacks happen, and what organizations can do to defend against this growing danger.
Understanding Ghost Ransomware's Rapid Rise
"Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses." — Cybersecurity and Infrastructure Security Agency, U.S. federal agency responsible for cybersecurity
The Ghost ransomware group operates from China and has grown into a sophisticated threat actor that adapts quickly. Over time, the group has used several different names:
- Cring
- Crypt3r
- Phantom
- Strike
- Hello
- Wickrme
- HsHarada
- Rapture
Ghost's attack methodology makes them a serious threat. They don't waste time on victim networks and can deploy ransomware on the same day they first compromise a system.
Ghost's approach to data theft stands out from other groups. Their ransom notes threaten to sell stolen data, but they rarely take large amounts of sensitive information; the stolen data usually stays well under hundreds of gigabytes. This suggests they use the threat of data exposure more as a scare tactic than as an actual plan.
The group's arsenal has several ransomware variants, including Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. These programs work similarly: they can encrypt specific directories or all system storage, and the data stays locked until someone provides the decryption key.
How Ghost Ransomware Attacks Work
Ghost operators begin by looking for vulnerable, internet-facing services that run outdated software and firmware. These might include:
- Fortinet FortiOS appliances (CVE-2018-13379)
- Adobe ColdFusion servers (CVE-2010-2861, CVE-2009-3960)
- Microsoft SharePoint (CVE-2019-0604)
- Microsoft Exchange ProxyShell vulnerabilities
Once they gain access, the group uploads web shells to the compromised servers. They then execute Cobalt Strike Beacon, a commercial adversary-emulation tool that is meant to simulate attacks but is used here to carry out a real one, through Windows Command Prompt or PowerShell. The attackers escalate their privileges with several open-source tools like SharpZeroLogon, SharpGPPPass, BadPotato, and GodPotato.
The group's technical expertise shows in their methodical approach to disabling security measures. They use Cobalt Strike's built-in functions to list running processes, spot antivirus software (like Windows Defender), and turn it off.
The Ghost operators (can we just call them Ghosts? Is everyone okay with that?) move laterally through networks using Windows Management Instrumentation Command-Line (WMIC) to run PowerShell commands on remote hosts. They find network shares with SharpShares and discover remote systems using Ladon 911.
Once they have moved laterally, they can encrypt whichever files they like. Interestingly, however, the Ghosts have been observed quickly abandoning an attack if they are unable to achieve lateral movement. As we noted, their attacks are quick, and so are their withdrawals. They are clearly looking to avoid detection by minimizing the time spent inside a network.
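The attack chain above (web shell on an internet-facing server, shells launched from the web server worker, WMIC pushing PowerShell to remote hosts, and finally one of the named ransomware binaries running) gives a defender concrete process-creation patterns to look for. The following is an added example, not code from the article or from the FBI/CISA advisory; it scans constructed Sysmon-style process events, and the event layout, the `w3wp.exe` parent check and the sample hosts are assumptions made for the example.

```python
"""Detection heuristics for the Ghost intrusion chain described above.

Constructed process-creation events are checked for three patterns:
  1. an IIS worker (w3wp.exe) spawning a shell      -> web shell activity
  2. WMIC 'process call create' launching PowerShell -> WMIC lateral movement
  3. execution of one of the named Ghost ransomware binaries
Event format and sample data are assumptions for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RANSOMWARE_BINARIES = {"cring.exe", "ghost.exe", "elysiumo.exe", "locker.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
WEB_WORKERS = {"w3wp.exe"}  # assumed: IIS worker hosting Exchange/SharePoint

@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str

def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding label for one event, or None if nothing matches."""
    image = ev.image.rsplit("\\", 1)[-1].lower()
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    cmd = ev.command_line.lower()
    if image in RANSOMWARE_BINARIES:
        return "ransomware-binary"
    if parent in WEB_WORKERS and image in SHELLS:
        return "webshell-child-shell"
    if image == "wmic.exe" and "process call create" in cmd and "powershell" in cmd:
        return "wmic-remote-powershell"
    return None

def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (host, label) pairs for every event that matches a pattern."""
    return [(ev.host, lbl) for ev in events if (lbl := classify(ev))]

# Constructed sample telemetry, not real events.
SAMPLE = [
    ProcEvent("exch01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("exch01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wbem\WMIC.exe",
              'wmic /node:fs02 process call create "powershell -c hostname"'),
    ProcEvent("fs02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\Public\Locker.exe", "Locker.exe"),
    ProcEvent("ws17", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
```

Feeding real Sysmon Event ID 1 records into `ProcEvent` is left to the reader; the three labels map directly to the initial access, lateral movement and encryption stages the article describes.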
Critical Vulnerabilities Being Exploited
These Ghosts are exploiting several critical vulnerabilities, as we've noted already. The CVEs they're exploiting affect popular enterprise software and systems, and some of these weaknesses go back to 2009.
The systems that the attackers target most often are:
- Fortinet FortiOS SSL VPN (CVE-2018-13379) with a critical CVSS score of 9.8
- Adobe ColdFusion servers (CVE-2010-2861, CVE-2009-3960) with CVSS scores of 9.8 and 6.5 respectively
- Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) with CVSS scores ranging from 6.6 to 9.1
- Microsoft SharePoint (CVE-2019-0604) with a critical CVSS score of 9.8
These vulnerabilities continue to exist in the wild even after multiple security warnings. To name just one example, Fortinet warned users several times between 2019 and 2021 about the SSL VPN vulnerability. Even so, many organizations remain at risk because they delay security updates or misconfigure their systems.
Remediation
While we probably don't have to say much here, the obvious first step is to back up your data. Though the debate over whether or not to pay a ransom is still going on in the cybersecurity sphere (the FBI says don't!), the truth of the matter is that a good backup of your data renders their ransom virtually null. Also, make sure your backups are stored separately from your network, preferably on a drive that is disconnected from the internet altogether.
Second, patch your systems. Ghost's methods don't rely on phishing emails or social engineering. Rather, they use open-source tools to exploit known CVEs, CVEs that are already fixed if you patch your systems. So make a plan to secure these areas, and execute that plan.
Third, segment your network. We've seen that their primary step, once they've gained access, is to move laterally through the environment as they seek out data to encrypt. Should they fail to move laterally, again in a relatively short time, they abandon the attack. Segmenting your network and creating layers of defense (like using MFA) can help encourage them to give up.
Conclusion
Ghost ransomware ranks among today's most significant cybersecurity threats to organizations. Security experts worry about the group's quick attack methods, which complete operations within 24 hours of initial access. Their attacks have compromised systems in over 70 countries and targeted critical infrastructure, which shows their advanced capabilities and widespread effects.
Systems with outdated software and firmware face the highest risk. This is especially true for organizations that use vulnerable Fortinet FortiOS appliances, Adobe ColdFusion servers, and Microsoft systems. Ghost's ransom demands usually range from tens to hundreds of thousands of dollars. The real cost of these attacks goes way beyond just the money lost.
Your defense against Ghost ransomware needs quick action. Regular security updates, reliable backup systems, and complete network monitoring are your key defensive tools. These security measures need your immediate attention because Ghost operators keep changing their tactics and growing their reach.
Note that Ghost's success comes from exploiting vulnerabilities that could have been fixed years ago. The quickest way to fight this growing threat is to keep software versions current and use proper security protocols.
FAQs
Q1. What makes Ghost ransomware particularly dangerous? Ghost ransomware is considered highly dangerous due to its rapid attack methodology, often completing operations within 24 hours of initial access. It has compromised organizations in over 70 countries, targeting critical infrastructure sectors and exploiting outdated software vulnerabilities.
Q2. How do Ghost ransomware attacks typically unfold? Ghost ransomware attacks begin by scanning for vulnerable internet-facing services. Once access is gained, attackers upload web shells, execute malware, and use various tools for privilege escalation and lateral movement. They then deploy ransomware to encrypt specific directories or entire system storage.
Q3. What are the primary vulnerabilities exploited by Ghost ransomware? Ghost ransomware primarily targets vulnerabilities in Fortinet FortiOS SSL VPN, Adobe ColdFusion servers, Microsoft Exchange ProxyShell, and Microsoft SharePoint. Many of these vulnerabilities have critical CVSS scores and could have been mitigated through proper patching.
Q4. How much do Ghost ransomware operators typically demand in ransom? Ransom demands from Ghost ransomware operators usually range from tens to hundreds of thousands of dollars in cryptocurrency. However, the total cost of an attack can be much higher when considering operational disruptions and recovery efforts.
Q5. What can organizations do to protect themselves against Ghost ransomware? To protect against Ghost ransomware, organizations should prioritize regular security updates, implement robust backup systems, and maintain comprehensive network monitoring. Keeping software and firmware up-to-date is crucial, as many successful attacks exploit known vulnerabilities that could have been patched years ago.