Ghost ransomware attacks critical infrastructure, targets global sectors in over 70 countries


In a joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned that cybercriminals deploying Ghost ransomware have successfully breached organizations across multiple sectors worldwide, including critical infrastructure. Victims have been reported in over 70 countries, with substantial impact on industries such as healthcare, government, education, technology, manufacturing, and small to medium-sized businesses.

The attacks, which began in early 2021, exploit vulnerabilities in outdated software and firmware used by organizations with internet-facing services. Ghost ransomware operators often target these systems, leveraging publicly available code to exploit known security flaws, a tactic that has resulted in the compromise of organizations globally, including entities in China.

The Ghost ransomware group has operated under several names, including Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture, and has used various malware variants, such as Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, in its attacks.

Ghost ransomware attackers have primarily focused on exploiting security flaws in widely used software and services. The group has frequently targeted vulnerabilities in Fortinet (CVE-2018-13379), ColdFusion (CVE-2010-2861, CVE-2009-3960), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) products.

CISA, the FBI, and MS-ISAC advise that organizations take proactive steps to defend against these attacks by addressing the vulnerabilities targeted by Ghost ransomware and implementing the following protective measures:

  • Maintain regular system backups that are stored separately from the source systems and cannot be altered or encrypted by potentially compromised network devices.

  • Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe, prioritizing the Common Vulnerabilities and Exposures (CVEs) exploited by Ghost ransomware: CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

  • Segment networks to restrict lateral movement from initially infected devices to other devices in the same organization.

  • Require phishing-resistant MFA for access to all privileged accounts and email service accounts.
