CISA has issued a warning over the threat posed by the Ghost ransomware gang, which has been targeting vulnerable internet-facing services around the world for at least four years.
The agency released an advisory highlighting the group’s TTPs that were discovered through FBI investigations as recently as January 2025.
It stated that since early 2021, the group has been attacking entities whose internet-facing services were running outdated software and firmware. Since then it has been responsible for compromising organizations in across more than 70 countries.
“Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses,” the advisory warned.
The group is believed to be based in China, but CISA noted that because the group deploys a broad range of TTPs, this has led to varying attribution of its attacks.
Notably, among the 70 countries in which the group launched its attacks it has been recorded targeting countries in China as well.
The security agency said the group frequently rotates its ransomware payloads, file extensions for encrypted files, ransom email addresses, and the text in its ransom notes.
This diverse range of tactics has led to a wide number of names being attached to the group including, Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.
Some of these names come from the names of the ransomware files deployed by the group, such as Cring.exe and Ghost.exe.
The Ghost ransomware group is highly effective
The FBI observed the group exploiting a series of CVEs in public-facing applications to gain initial access on their target’s networks.
Ghost threat actors have been tracked targeting a FortiOS path traversal flaw (CVE-2018-13379), two vulnerabilities in Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960, and a weakness in Microsoft Sharepoint (CVE-2019-0604).
The threat group was also observed exploiting a series of flaws affecting Microsoft Exchange, commonly known as the ProxyShell attack chain (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
Once inside, they are typically found to upload a web shell to a compromised server and download Cobalt Strike Beacon malware that can be used in a number of different ways such as command execution, key logging, file transfer, privilege escalation, defense evasion, and lateral movement.
For example, the group has often used the Cobalt Strike functions to steal process tokens to impersonate the SYSTEM user in order to re-run the Beacon with escalated privileges.
CISA noted that the Ghost outfit is not particularly focused on persistence and usually only remains on the network for a few days – often moving from initial access to dropping their ransomware within the same day.
RELATED WHITEPAPER
The advisory includes all the group’s IOCs, TTPS, ransom email addresses, ransom note, as well as a list of mitigation steps businesses can take to avoid compromise.
These include maintaining regular system backups, patching known vulnerabilities in internet-facing appliances, network segmentation to restrict lateral movement, monitoring for unauthorized PowerShell use, and disabling unused ports to limit the exposure of services.
MORE FROM ITPRO
- The ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry
- The new ransomware groups worrying security researchers in 2025
- Why ‘malware as a service’ is becoming a serious problem
-
Thousands of exposed civil servant passwords are up for grabs onlineNews While the password security failures are concerning, they pale in comparison to other nations
-
Global PC shipments surge in Q3 2025, fueled by AI and Windows 10 refresh cyclesNews The scramble ahead of the Windows 10 end of life date prompted a spike in sales
-
The number of ransomware groups rockets as new, smaller players emergeNews The good news is that the number of victims remains steady
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
-
Cyber professionals are losing sleep over late night attacksNews Hackers are biding their time and launching attacks when businesses can’t respond
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
