CISA and FBI: China-Linked Ghost Ransomware Targets Known Flaws
CISA and the FBI said the Ghost ransomware has compromised entities in more than 70 countries, making it a global threat.

Several U.S. government agencies this week released a joint security advisory sharing known Indicators of Compromise (IoCs) and documenting the common techniques used by the Ghost ransomware group.
Key Details:
- The threat actors behind the Ghost ransomware group, which the advisory locates in China, have been indiscriminately targeting victims since 2021, especially organizations running outdated, internet-facing services.
- As of January 2025, the group has compromised entities in more than 70 countries, including organizations in China, making it a global threat.
- The financially motivated attacks have hit victims across many sectors, including critical infrastructure, higher education, healthcare, government, religious institutions, technology and manufacturing companies. A number of small- and medium-sized businesses have also been affected.
The Big Picture: According to the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), Ghost actors typically use publicly available exploit code against well-known vulnerabilities in internet-facing services where patches haven't been applied. The group has previously exploited flaws in Fortinet FortiOS (CVE-2018-13379), Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604) and the ProxyShell attack chain against Microsoft Exchange (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207).
The group does not invest much in persistence, typically spending only a few days on a victim network, but Ghost actors have been observed using a range of tools for credential access, privilege escalation and defense evasion, including Mimikatz for credential dumping and Cobalt Strike for command and control and a variety of post-exploitation functions.
Worth Noting: The advisory also points out two other notable aspects of Ghost. Although Ghost ransom notes claim that exfiltrated data will be sold if the victim does not pay, the FBI said Ghost actors do not frequently exfiltrate a significant amount of information, such as PII or other sensitive data, that would cause significant harm to victims if leaked.
“The FBI has observed limited downloading of data to Cobalt Strike Team Servers,” according to the advisory.
Ghost actors also vary their tooling and branding from one intrusion to the next, which complicates attribution. The actors “rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses…names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture,” said the advisory. “Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.”
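The rotation described above is exactly why a practitioner should treat the quoted sample filenames as a cheap but brittle indicator and pair them with a behavioural check that does not depend on what the payload is called. The script below is an added example, not code from the advisory or from Vulnerable U. It runs two checks over a small constructed file-event log: a name match against the four sample filenames quoted from the advisory, and a heuristic that flags any single process renaming many files to a new, shared extension inside a short window. The event format (`timestamp|pid|image|operation|source|destination`), the thresholds, the process IDs and paths, and the `.locked` extension are all assumptions for illustration and are not taken from the advisory.

```python
"""
Added example (not from the CISA/FBI/MS-ISAC advisory or Vulnerable U).

Check 1: name-based IoC match for the sample filenames the advisory quotes.
Check 2: behavioural heuristic for mass extension changes by one process,
         which still fires when the payload has been renamed.
The log format, thresholds and sample paths are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Sample filenames quoted in the advisory (compared case-insensitively).
GHOST_SAMPLE_NAMES = {"cring.exe", "ghost.exe", "elysiumo.exe", "locker.exe"}

# Heuristic thresholds: assumed values, tune per environment.
RENAME_WINDOW = timedelta(seconds=60)
MIN_RENAMES = 20


def parse_event(line):
    """Parse one constructed 'ts|pid|image|op|src|dst' line into a dict."""
    ts, pid, image, op, src, dst = line.rstrip("\n").split("|")
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "image": image, "op": op, "src": src, "dst": dst}


def match_known_names(events):
    """Check 1: processes whose image name is one of the listed sample files."""
    hits = set()
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() in GHOST_SAMPLE_NAMES:
            hits.add((e["pid"], e["image"]))
    return sorted(hits)


def detect_mass_extension_change(events, window=RENAME_WINDOW, min_renames=MIN_RENAMES):
    """Check 2: per process, count renames that change the file extension and
    alert when at least min_renames of them fall inside one sliding window."""
    per_pid = defaultdict(list)
    for e in events:
        if e["op"] != "rename":
            continue
        old_ext = PureWindowsPath(e["src"]).suffix.lower()
        new_ext = PureWindowsPath(e["dst"]).suffix.lower()
        if new_ext and new_ext != old_ext:
            per_pid[e["pid"]].append((e["ts"], new_ext, e["image"]))

    alerts = []
    for pid, renames in per_pid.items():
        renames.sort(key=lambda r: r[0])
        best, start = 0, 0
        for end, (ts, _, _) in enumerate(renames):
            while ts - renames[start][0] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= min_renames:
            alerts.append({"pid": pid, "image": renames[0][2], "count": best,
                           "extensions": sorted({r[1] for r in renames})})
    return alerts


def build_sample_log():
    """Constructed log lines for demonstration; not real telemetry."""
    t0 = datetime(2025, 1, 15, 10, 0, 0)
    lines = []
    # Benign: a user renaming a handful of files, extension unchanged.
    for i in range(5):
        ts = (t0 + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts}|1001|C:\\Windows\\explorer.exe|rename|"
                     f"C:\\Users\\a\\draft{i}.txt|C:\\Users\\a\\final{i}.txt")
    # A payload still carrying a name quoted in the advisory: check 1 catches it.
    lines.append(f"{t0.isoformat()}|4242|C:\\Users\\Public\\Ghost.exe|create|"
                 f"C:\\Users\\Public\\Ghost.exe|")
    # A rotated payload under an unlisted (hypothetical) name mass-renaming files
    # to a hypothetical new extension: only check 2 catches it.
    for i in range(25):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts}|5150|C:\\Windows\\Temp\\update.exe|rename|"
                     f"C:\\share\\doc{i}.docx|C:\\share\\doc{i}.docx.locked")
    return lines


def run(lines):
    """Run both checks over raw log lines and return their findings."""
    events = [parse_event(line) for line in lines]
    return {"known_names": match_known_names(events),
            "mass_rename": detect_mass_extension_change(events)}


if __name__ == "__main__":
    for key, value in run(build_sample_log()).items():
        print(key, value)
```

On the constructed log the name check only sees the one payload that kept the `Ghost.exe` name, while the rotated `update.exe` payload is caught solely by the rename heuristic; in production the window and count thresholds need tuning against normal file-server activity (backup jobs and bulk converters also rename many files) before the second check is promoted from hunting query to alert.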
Why It Matters: The advisory gives defenders a concrete set of tactics and IoCs tied to the Ghost ransomware. Its headline recommendations are to maintain regular system backups and to patch the known vulnerabilities the group exploits, and it lists a number of further mitigations as well, including segmenting networks, requiring multi-factor authentication and training users to recognize phishing attempts.