Recent Ghost/Cring ransomware activity prompts alert from FBI, CISA

Avatar

A ransomware group known as Ghost has been exploiting vulnerabilities in software and firmware as recently as January, according to an alert issued Wednesday by the FBI and Cybersecurity and Infrastructure Security Agency (CISA).

The group, which is also known as Cring and operates from China, focuses on internet-facing services with unpatched bugs that users could have mitigated years ago, according to the agencies. Cybersecurity researchers first began warning about the group in 2021.

“This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China,” says the alert, released with the Multi-State Information Sharing and Analysis Center (MS-ISAC).

The vulnerabilities include bugs in unpatched Fortinet security appliances; servers running Adobe’s ColdFusion for web applications; and Microsoft Exchange servers still exposed to the ProxyShell attack chain, the alert says.

Since 2021, victims include “critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses,” the alert says. Financial gain is the goal, with ransom demands sometimes reaching hundreds of thousands of dollars. 

“Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks,” the agencies say. “In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day.”

The group uses common hacking tools such as Cobalt Strike and Mimikatz, and the deployed malware often has filenames like Cring.exe, Ghost.exe, ElysiumO.exe and Locker.exe, the alert says.

“The impact of Ghost ransomware activity varies widely on a victim-to-victim basis,” the agencies say. “Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral moment to other devices.”

CybercrimeGovernmentNewsNews Briefs
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. He previously he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.

 

Total
0
Shares
Previous Post

Hackers Exploit Signal’s Linked Devices Feature to Hijack Accounts via Malicious QR Codes

Next Post

Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability

Related Posts

Lazarus Group Uses React-Based Admin Panel to Control Global Cyber Attacks

The North Korean threat actor known as the Lazarus Group has been observed leveraging a "web-based administrative platform" to oversee its command-and-control (C2) infrastructure, giving the adversary the ability to centrally supervise all aspects of their campaigns. "Each C2 server hosted a web-based administrative platform, built with a React application and a Node.js API," SecurityScorecard's
Avatar
Read More

AI-Powered Social Engineering: Reinvented Threats

The foundations for social engineering attacks – manipulating humans – might not have changed much over the years. It’s the vectors – how these techniques are deployed – that are evolving. And like most industries these days, AI is accelerating its evolution.  This article explores how these changes are impacting business, and how cybersecurity leaders can respond. Impersonation attacks:
Avatar
Read More