Recent Ghost/Cring ransomware activity prompts alert from FBI, CISA

Avatar

A ransomware group known as Ghost has been exploiting vulnerabilities in software and firmware as recently as January, according to an alert issued Wednesday by the FBI and Cybersecurity and Infrastructure Security Agency (CISA).

The group, which is also known as Cring and operates from China, focuses on internet-facing services with unpatched bugs that users could have mitigated years ago, according to the agencies. Cybersecurity researchers first began warning about the group in 2021.

“This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China,” says the alert, released with the Multi-State Information Sharing and Analysis Center (MS-ISAC).

The vulnerabilities include bugs in unpatched Fortinet security appliances; servers running Adobe’s ColdFusion for web applications; and Microsoft Exchange servers still exposed to the ProxyShell attack chain, the alert says.

Since 2021, victims include “critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses,” the alert says. Financial gain is the goal, with ransom demands sometimes reaching hundreds of thousands of dollars. 

“Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks,” the agencies say. “In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day.”

The group uses common hacking tools such as Cobalt Strike and Mimikatz, and the deployed malware often has filenames like Cring.exe, Ghost.exe, ElysiumO.exe and Locker.exe, the alert says.

“The impact of Ghost ransomware activity varies widely on a victim-to-victim basis,” the agencies say. “Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral moment to other devices.”

CybercrimeGovernmentNewsNews Briefs
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. He previously he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.

 

Total
0
Shares
Previous Post

Thailand to take in 7,000 rescued from illegal cyber scam hubs in Myanmar

Next Post

DOGE access to Social Security, IRS data could create privacy and security risks, experts say

Related Posts

Europol Arrests Five SmokeLoader Clients Linked by Seized Database Evidence

Law enforcement authorities have announced that they tracked down the customers of the SmokeLoader malware and detained at least five individuals. "In a coordinated series of actions, customers of the Smokeloader pay-per-install botnet, operated by the actor known as 'Superstar,' faced consequences such as arrests, house searches, arrest warrants or 'knock and talks,'" Europol said in a
Avatar
Read More

Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws

A likely lone wolf actor behind the EncryptHub persona was acknowledged by Microsoft for discovering and reporting two security flaws in Windows last month, painting a picture of a "conflicted" individual straddling a legitimate career in cybersecurity and pursuing cybercrime. In a new extensive analysis published by Outpost24 KrakenLabs, the Swedish security company unmasked the up-and-coming
Avatar
Read More