Recent Ghost/Cring ransomware activity prompts alert from FBI, CISA

Avatar

A ransomware group known as Ghost has been exploiting vulnerabilities in software and firmware as recently as January, according to an alert issued Wednesday by the FBI and Cybersecurity and Infrastructure Security Agency (CISA).

The group, which is also known as Cring and operates from China, focuses on internet-facing services with unpatched bugs that users could have mitigated years ago, according to the agencies. Cybersecurity researchers first began warning about the group in 2021.

“This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China,” says the alert, released with the Multi-State Information Sharing and Analysis Center (MS-ISAC).

The vulnerabilities include bugs in unpatched Fortinet security appliances; servers running Adobe’s ColdFusion for web applications; and Microsoft Exchange servers still exposed to the ProxyShell attack chain, the alert says.

Since 2021, victims include “critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses,” the alert says. Financial gain is the goal, with ransom demands sometimes reaching hundreds of thousands of dollars. 

“Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks,” the agencies say. “In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day.”

The group uses common hacking tools such as Cobalt Strike and Mimikatz, and the deployed malware often has filenames like Cring.exe, Ghost.exe, ElysiumO.exe and Locker.exe, the alert says.

“The impact of Ghost ransomware activity varies widely on a victim-to-victim basis,” the agencies say. “Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral moment to other devices.”

CybercrimeGovernmentNewsNews Briefs
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. He previously he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.

 

Total
0
Shares
Previous Post

Thailand to take in 7,000 rescued from illegal cyber scam hubs in Myanmar

Next Post

DOGE access to Social Security, IRS data could create privacy and security risks, experts say

Related Posts

New ZuRu Malware Variant Targeting Developers via Trojanized Termius macOS App

Cybersecurity researchers have discovered new artifacts associated with an Apple macOS malware called ZuRu, which is known to propagate via trojanized versions of legitimate software. SentinelOne, in a new report shared with The Hacker News, said the malware has been observed masquerading as the cross‑platform SSH client and server‑management tool Termius in late May 2025. "ZuRu malware
Avatar
Read More

UNC2891 Breaches ATM Network via 4G Raspberry Pi, Tries CAKETAP Rootkit for Fraud

The financially motivated threat actor known as UNC2891 has been observed targeting Automatic Teller Machine (ATM) infrastructure using a 4G-equipped Raspberry Pi as part of a covert attack. The cyber-physical attack involved the adversary leveraging their physical access to install the Raspberry Pi device and have it connected directly to the same network switch as the ATM, effectively placing
Avatar
Read More