US Authorities Issue Warning About Ransomware Group Ghost

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have jointly raised alarms regarding the activities of the ransomware group known as Ghost, which is reportedly operational in over 70 countries.

This warning follows a detailed analysis conducted by CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) regarding the group's cybercriminal activities, which commenced in early 2021. Ghost primarily targets internet-accessible services that rely on outdated software or firmware, compromising various establishments globally, including those in China, where the group's members are believed to be based.

Victims of Ghost's attacks span a range of sectors, including critical infrastructure, educational institutions, healthcare facilities, governmental networks, religious organizations, technology firms, manufacturing companies, and numerous small to medium-sized enterprises. The group exhibits a high level of adaptability, frequently altering the executable payloads, modifying file suffixes for encrypted data, and changing ransom messages while utilizing various email addresses for ransom communications. This versatility has led to the use of multiple aliases, including Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.

Despite their agility, members of Ghost have shown a tendency to utilize existing exploit codes rather than developing their own. They have been observed exploiting publicly available vulnerabilities in outdated software on internet servers. Notable security vulnerabilities targeted by Ghost include those in Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange, some of which date back over 15 years.

Once they infiltrate vulnerable systems, Ghost typically deploys web shells and establishes Cobalt Strike beacons. Interestingly, the group does not seem to prioritize persistence within the networks they breach, often limiting their time inside to just a few days. However, they have been known to create new local and domain accounts while altering existing passwords. Cobalt Strike is frequently used by the attackers to escalate privileges, alongside various other open-source tools such as SharpZeroLogon, SharpGPPPass, BadPotato, and GodPotato.

Using Cobalt Strike, Ghost members are able to list ongoing processes and identify deployed antivirus solutions to disable them, often targeting Microsoft Defender on connected devices. With elevated permissions, they extend their control within the network, utilizing Windows Management Instrumentation Command-Line (WMIC) to execute PowerShell commands on other systems in the victim's network, including commands to install additional Cobalt Strike beacons.

Ghost typically threatens to sell stolen data if the ransom is not paid, although they do not frequently exfiltrate data containing significant information or intellectual property. The FBI has noted limited instances of data being downloaded onto Cobalt Strike team servers, with few reports indicating the use of the hosting service Mega.nz. The average volume of data involved in their operations is less than a few hundred gigabytes.

Control of their operations is primarily conducted through Cobalt Strike beacons and Cobalt Strike team servers. The group rarely takes the effort to register domains for their command and control servers, instead opting to connect directly via IP addresses. For email communications, they commonly rely on services like Tutanota, Skiff, ProtonMail, Onionmail, and Mailfence. When encrypting data within victim networks, Ghost utilizes files such as Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, and they also erase Windows event logs, shadow copies, and disable the volume shadow copy service to hinder data recovery efforts.

In their analysis, US authorities have provided indicators of compromise (IOCs) to assist organizations in determining whether they have fallen victim to the Ghost cyber gang.