Warning issued over prolific 'Ghost' ransomware group
The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
CISA has issued a warning over the threat posed by the Ghost ransomware gang, which has been targeting vulnerable internet-facing services around the world for at least four years.
The agency released an advisory highlighting the group’s TTPs that were discovered through FBI investigations as recently as January 2025.
It stated that since early 2021, the group has been attacking entities whose internet-facing services were running outdated software and firmware. Since then it has been responsible for compromising organizations in across more than 70 countries.
“Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses,” the advisory warned.
The group is believed to be based in China, but CISA noted that because the group deploys a broad range of TTPs, this has led to varying attribution of its attacks.
Notably, among the 70 countries in which the group launched its attacks it has been recorded targeting countries in China as well.
The security agency said the group frequently rotates its ransomware payloads, file extensions for encrypted files, ransom email addresses, and the text in its ransom notes.
This diverse range of tactics has led to a wide number of names being attached to the group including, Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.
Some of these names come from the names of the ransomware files deployed by the group, such as Cring.exe and Ghost.exe.
The Ghost ransomware group is highly effective
The FBI observed the group exploiting a series of CVEs in public-facing applications to gain initial access on their target’s networks.
Ghost threat actors have been tracked targeting a FortiOS path traversal flaw (CVE-2018-13379), two vulnerabilities in Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960, and a weakness in Microsoft Sharepoint (CVE-2019-0604).
The threat group was also observed exploiting a series of flaws affecting Microsoft Exchange, commonly known as the ProxyShell attack chain (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
Once inside, they are typically found to upload a web shell to a compromised server and download Cobalt Strike Beacon malware that can be used in a number of different ways such as command execution, key logging, file transfer, privilege escalation, defense evasion, and lateral movement.
For example, the group has often used the Cobalt Strike functions to steal process tokens to impersonate the SYSTEM user in order to re-run the Beacon with escalated privileges.
CISA noted that the Ghost outfit is not particularly focused on persistence and usually only remains on the network for a few days – often moving from initial access to dropping their ransomware within the same day.
RELATED WHITEPAPER
The advisory includes all the group’s IOCs, TTPS, ransom email addresses, ransom note, as well as a list of mitigation steps businesses can take to avoid compromise.
These include maintaining regular system backups, patching known vulnerabilities in internet-facing appliances, network segmentation to restrict lateral movement, monitoring for unauthorized PowerShell use, and disabling unused ports to limit the exposure of services.
MORE FROM ITPRO
- The ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry
- The new ransomware groups worrying security researchers in 2025
- Why ‘malware as a service’ is becoming a serious problem
-
Why patching velocity matters as Claude Mythos supercharges vulnerability discoveryFrontier AI models such as Claude Mythos and GPT-5.5 make patching more urgent than ever. How can firms increase the velocity at which they apply fixes and mitigations?
-
The UK is running on fumes as data center build-outs can’t keep pace with demandNews The country's vacancy rate has dropped sharply, with much of the pipeline early-stage and uncertain
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacksNews NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments
-
Instructure chose to a pay ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suitAnalysis Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti
-
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitationNews A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation
-
Security leaders overconfident about ransomware recovery
News Few manage to recover all their data, and many experience business disruption
-
German authorities want your help finding the hackers behind GandCrab and REvilNews Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk are believed to have made millions from ransomware as a service schemes
-
The rise of teen hackers ‘makes for a good headline’, but cyber crime activities peak later in life
News With family responsibilities and mortgages to pay, it's not teenagers dishing out malware or carrying out cyber extortion
