CISA has issued a warning over the threat posed by the Ghost ransomware gang, which has been targeting vulnerable internet-facing services around the world for at least four years.
The agency released an advisory highlighting the group’s TTPs that were discovered through FBI investigations as recently as January 2025.
It stated that since early 2021, the group has been attacking entities whose internet-facing services were running outdated software and firmware. Since then it has been responsible for compromising organizations in across more than 70 countries.
“Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses,” the advisory warned.
The group is believed to be based in China, but CISA noted that because the group deploys a broad range of TTPs, this has led to varying attribution of its attacks.
Notably, among the 70 countries in which the group launched its attacks it has been recorded targeting countries in China as well.
The security agency said the group frequently rotates its ransomware payloads, file extensions for encrypted files, ransom email addresses, and the text in its ransom notes.
This diverse range of tactics has led to a wide number of names being attached to the group including, Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.
Some of these names come from the names of the ransomware files deployed by the group, such as Cring.exe and Ghost.exe.
The Ghost ransomware group is highly effective
The FBI observed the group exploiting a series of CVEs in public-facing applications to gain initial access on their target’s networks.
Ghost threat actors have been tracked targeting a FortiOS path traversal flaw (CVE-2018-13379), two vulnerabilities in Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960, and a weakness in Microsoft Sharepoint (CVE-2019-0604).
The threat group was also observed exploiting a series of flaws affecting Microsoft Exchange, commonly known as the ProxyShell attack chain (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
Once inside, they are typically found to upload a web shell to a compromised server and download Cobalt Strike Beacon malware that can be used in a number of different ways such as command execution, key logging, file transfer, privilege escalation, defense evasion, and lateral movement.
For example, the group has often used the Cobalt Strike functions to steal process tokens to impersonate the SYSTEM user in order to re-run the Beacon with escalated privileges.
CISA noted that the Ghost outfit is not particularly focused on persistence and usually only remains on the network for a few days – often moving from initial access to dropping their ransomware within the same day.
RELATED WHITEPAPER
The advisory includes all the group’s IOCs, TTPS, ransom email addresses, ransom note, as well as a list of mitigation steps businesses can take to avoid compromise.
These include maintaining regular system backups, patching known vulnerabilities in internet-facing appliances, network segmentation to restrict lateral movement, monitoring for unauthorized PowerShell use, and disabling unused ports to limit the exposure of services.
MORE FROM ITPRO
- The ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry
- The new ransomware groups worrying security researchers in 2025
- Why ‘malware as a service’ is becoming a serious problem
-
Jensen Huang says AI will make us busier – so what’s the point?Opinion So much for efficiency gains and focusing on the more “rewarding” aspects of your job
-
This DeepSeek-powered pen testing tool could be a Cobalt Strike successorNews ‘Villager’, a tool developed by a China-based red team project known as Cyberspike, is being used to automate attacks under the guise of penetration testing.
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain – and it uses OpenAI’s gpt-oss-20b modelNews Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API.
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
