Ghost Ransomware Group Targets Vulnerable Systems Globally

A ransomware group known as Ghost has been actively exploiting vulnerabilities in software and firmware since early 2021, according to a joint alert issued by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). The group, also tracked as Cring, operates from China and targets internet-facing services running software with publicly known vulnerabilities for which patches have been available for years.

The alert highlights several of the vulnerabilities used for initial access, including bugs in unpatched Fortinet security appliances, Adobe ColdFusion web application servers, and Microsoft Exchange servers still exposed to the ProxyShell attack chain. None of these are zero-days; the common thread is an edge-facing service that was never patched. Exploitation of them has led to the compromise of organizations in more than 70 countries, including China itself.

Victims since 2021 have included critical infrastructure operators, schools and universities, healthcare providers, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses. Financial gain is the primary goal, with ransom demands sometimes reaching hundreds of thousands of dollars.

Ghost actors typically spend only a few days inside a victim network before moving on to other targets, relying on widely available tooling such as Cobalt Strike for command and control and Mimikatz for credential theft rather than custom implants. The deployed ransomware binaries have been observed under filenames such as Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.
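The executable names above are the kind of indicator a defender can sweep process-creation telemetry for immediately, so here is a small hunting script that does that. It is an example added to this article, not code from the FBI/CISA alert; the tab-separated log format and the sample events are constructed for illustration, and only the four filenames come from the alert.

```python
"""Hunt process-creation events for the Ghost/Cring executable names
reported in the FBI/CISA alert.  Added example; the log format below is
a constructed, simplified stand-in for Sysmon/EDR process-creation data."""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

# Ransomware binary names named in the alert (matched case-insensitively).
GHOST_EXECUTABLE_NAMES = {"cring.exe", "ghost.exe", "elysiumo.exe", "locker.exe"}


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    image: str          # full path of the executable that started
    command_line: str


def image_basename(image: str) -> str:
    """Lower-cased file name of an executable path.

    ntpath.basename understands both '\\' and '/' separators, so paths
    exported from Windows or from Linux-hosted collectors both work."""
    return ntpath.basename(image).lower()


def matches_ghost_indicator(event: ProcessEvent) -> bool:
    """True if the started image is one of the alert's ransomware filenames."""
    return image_basename(event.image) in GHOST_EXECUTABLE_NAMES


def parse_events(text: str) -> List[ProcessEvent]:
    """Parse constructed tab-separated lines: timestamp, host, image, cmdline."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t", 3)
        if len(fields) != 4:
            raise ValueError(f"malformed event line: {line!r}")
        events.append(ProcessEvent(*fields))
    return events


def hunt(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return every event whose image name matches a Ghost indicator."""
    return [e for e in events if matches_ghost_indicator(e)]


# Constructed sample telemetry (not real victim data).  Two of the four
# events should fire: one with mixed case and one with an upper-case name.
SAMPLE_LOG = (
    "2025-02-19T03:12:44Z\tsrv-ex01\tC:\\Windows\\System32\\svchost.exe\tsvchost.exe -k netsvcs\n"
    "2025-02-19T03:14:02Z\tsrv-ex01\tC:\\ProgramData\\Cring.exe\tCring.exe\n"
    "2025-02-19T03:14:09Z\tws-042\tC:\\Users\\Public\\LOCKER.EXE\tLOCKER.EXE --encrypt\n"
    "2025-02-19T03:15:30Z\tws-042\tC:\\Program Files\\Notepad++\\notepad++.exe\tnotepad++.exe\n"
)


if __name__ == "__main__":
    for hit in hunt(parse_events(SAMPLE_LOG)):
        print(f"{hit.timestamp} {hit.host}: {hit.image}  cmd={hit.command_line!r}")
```

Treat a hit as a trigger for immediate triage, but not as the only detection: a filename is the cheapest indicator for an operator to change, so pair this sweep with behavioural coverage for the tooling the alert describes (Cobalt Strike beacons, Mimikatz-style LSASS access) and, above all, with patching the internet-facing services the group exploits for initial access.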

The impact of Ghost ransomware activity varies widely from one victim to the next, ranging from significant operational disruption to comparatively limited effects.

Source: https://therecord.media/ghost-cring-ransomware-activity-fbi-cisa-alert