Ghost Ransomware Strikes Over 70 Nations in Record Time

The China-backed Ghost ransomware group has been wreaking havoc across the globe, infecting systems in over 70 countries since 2021. The group’s swift and efficient attacks have left organizations scrambling to patch vulnerabilities and protect themselves from financial loss.

According to the Cybersecurity and Infrastructure Security Agency (CISA), Ghost actors typically spend only a few days on victim networks before deploying ransomware, which is atypical of traditional ransomware groups that may take weeks or months to deploy their malware. The group’s attack strategy involves targeting vulnerable internet-facing systems, including known flaws in Fortinet FortiOS appliances, Adobe ColdFusion, and Microsoft SharePoint.

Ghost’s tactics include rotating ransomware executable payloads, switching file extensions for encrypted files, modifying ransom note text, and using numerous ransom email addresses. This makes it challenging for defenders to attribute the group’s activities over time.

CISA has issued an advisory warning organizations with outdated software and firmware versions to patch their systems immediately. The agency also recommends scanning environments for Cobalt Strike instances, a tool frequently used by threat actors in attacks.

The advisory highlights the impact of Ghost ransomware activity, which varies widely from victim to victim. The group demands anywhere from tens to hundreds of thousands of dollars in cryptocurrency in exchange for its decryption software. However, CISA found that Ghost actors do not always provide decryption tools, so victims cannot count on paying the ransom to recover their data.

To mitigate attacks, organizations should prioritize patching systems with known vulnerabilities early and often. They should also scan their environments for Cobalt Strike instances and use the comprehensive list of indicators of compromise (IoCs) provided by CISA to identify potential threats.

The incident serves as a reminder that unpatched software and firmware remain a primary concern for all organizations, and that timely patching can help prevent successful ransomware attacks.

Source: https://www.darkreading.com/cyberattacks-data-breaches/ghost-ransomware-targets-orgs-70-countries