
Ghost ransomware infiltrated organizations in 70 countries

CISA and FBI Release Advisory on Ghost (Cring) Ransomware

ADVISORY

 

According to CISA and the FBI, attackers using Ghost ransomware have infiltrated victims across industry sectors in over 70 countries, including critical infrastructure organizations.

Other affected sectors include healthcare, government, education, technology, manufacturing, and numerous small and medium-sized businesses.

 

"Beginning early 2021, Ghost actors began attacking victims whose internet-facing services ran outdated versions of software and firmware," stated CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) in a joint advisory.

"This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China."

 

Ghost ransomware operators often change their malware executables, modify the file extensions of encrypted files, alter ransom note contents, and use multiple email addresses for ransom communications, leading to varying attribution of the group over time.

Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Ransomware samples used in their attacks include Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

This financially driven ransomware group uses publicly available code to exploit security flaws in vulnerable servers. They target unpatched vulnerabilities in Fortinet (CVE-2018-13379), ColdFusion (CVE-2010-2861, CVE-2009-3960), and Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

To protect against Ghost ransomware attacks, implement the following measures:

  • Regularly back up systems and store the backups off-site, out of reach of ransomware encryption.

  • Promptly patch operating system, software, and firmware vulnerabilities.

  • Prioritize the security flaws targeted by Ghost ransomware (listed above).

  • Segment networks to restrict lateral movement from infected devices.

  • Enforce phishing-resistant multi-factor authentication (MFA) for all privileged and email service accounts.

 

The joint advisory released by CISA, the FBI, and MS-ISAC also includes indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods associated with past Ghost ransomware activity uncovered in FBI investigations as recently as January 2025.

 

