2025-02-27

CISA's #StopRansomware Advisory Warns of Ghost Ransomware Attacks in Over 70 Countries

Level: Tactical | Source: CISA

Industries: Critical Infrastructure, Education, Government, Healthcare, Manufacturing, Religion, Technology

The Ghost ransomware group, also known as Cring, has compromised organizations in more than 70 countries, including China, since early 2021, with its most recent activity observed in January 2025. CISA's latest #StopRansomware advisory describes this financially motivated group's targeting as "indiscriminate": it goes after whatever vulnerable, internet-facing systems it can find, and its victims skew toward small- and medium-sized businesses. Compromised sectors include critical infrastructure, education, healthcare, government networks, technology, and manufacturing. Ghost actors gain access by exploiting publicly known vulnerabilities in outdated internet-facing services, some of them more than a decade old, including CVE-2009-3960 and CVE-2010-2861 (Adobe ColdFusion), CVE-2018-13379 (Fortinet FortiOS), CVE-2019-0604 (Microsoft SharePoint), and the Microsoft Exchange ProxyShell chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), among others. The practical point is that none of these is a zero-day: every listed CVE has had a vendor patch available for years.

Ghost actors gain initial access by exploiting public-facing applications affected by these CVEs, including vulnerable Fortinet FortiOS, Microsoft SharePoint, and Microsoft Exchange deployments. Once inside, they upload web shells and use built-in Windows utilities, such as Command Prompt and PowerShell, to execute commands on the compromised server. A primary objective is the deployment of Cobalt Strike for command and control (C2). Cobalt Strike is the group's workhorse: CISA maps its use across several ATT&CK tactics, including privilege escalation, credential access, defense evasion, discovery, and lateral movement. Persistence mechanisms are only occasionally observed, and where they are, they take the form of newly created local or domain accounts or changed passwords on existing accounts. Ghost actors prefer short dwell times and do not linger in the targeted network. As CISA notes, they "only spend a few days on victim networks," and in several cases they progressed "from initial compromise to the deployment of ransomware within the same day."

Privilege escalation is achieved through Cobalt Strike's built-in token theft functions, as well as open-source tools such as SharpZeroLogon, SharpGPPPass, BadPotato, and GodPotato. For credential theft, the attackers frequently use Mimikatz and Cobalt Strike's hashdump functionality to extract passwords and authentication hashes. To evade detection, Ghost actors disable security monitoring tools, particularly Windows Defender, using PowerShell's "Set-MpPreference" cmdlet to turn off real-time protection, behavioral monitoring, and script scanning. They enumerate running processes to identify what security software and other applications are present on the host, and they run discovery commands against the domain, including net group "Domain Admins" /domain, to obtain the list of domain administrator accounts. For lateral movement they use Windows Management Instrumentation Command-Line (WMIC) together with encoded PowerShell commands to deploy Cobalt Strike beacons on additional hosts. This step is a natural choke point: "in cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack on a victim," reports the government agency.

Unlike ransomware groups that build their extortion around stolen data, Ghost actors do not prioritize large-scale data theft. According to CISA, "Ghost actors do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information (PII), that would cause significant harm to victims if leaked." Where exfiltration does occur it is typically limited to "less than hundreds of gigabytes of data." Forgoing bulk exfiltration is consistent with the group's compressed timeline, since moving large volumes of data takes time and creates additional detection opportunities. Their primary focus remains encryption and extortion, structured to maximize financial leverage. To hinder forensic investigation and recovery, they clear Windows Event Logs, disable the Volume Shadow Copy Service, and delete shadow copies so that encrypted files cannot be restored from local snapshots. Their ransomware payloads, including Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, encrypt targeted directories or entire storage systems, and ransom demands range from tens to hundreds of thousands of dollars in cryptocurrency. Despite these capabilities, Ghost actors can be deterred: they shift to other targets when a hardened environment or effective security controls break their attack chain. Patching the internet-facing services they rely on, segmenting networks so that WMIC-driven lateral movement fails, keeping offline and immutable backups that survive shadow-copy deletion, and protecting Defender against tampering each remove a step the group depends on, and the advisory's own observation is that when a step fails, the actors tend to abandon the intrusion.
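As an added example, not code from CISA's advisory or from the Anvilogic team, the detection logic below runs over constructed process-creation log lines and flags the behaviors described in the three preceding paragraphs: a web server worker spawning a shell (web shell use), "Set-MpPreference" tampering with Defender, enumeration of Domain Admins, WMIC launching encoded PowerShell on a remote host, and shadow-copy, VSS, and event-log destruction. The host names, the pipe-delimited log format, the w3wp.exe parent assumption, and the exact wmic, vssadmin, sc, and wevtutil command strings are assumptions for this example; only the Set-MpPreference and net group commands are quoted in the advisory. Because Ghost compresses its chain into a day or less, the example also correlates hits per host, which is where it adds value over a single-rule alert.

```python
import re
from collections import defaultdict

# Constructed process-creation telemetry (Sysmon Event ID 1 / Security 4688 style),
# flattened to "host|parent_image|image|command_line". These lines are made up for
# this example; they are not captured logs from any Ghost intrusion.
SAMPLE_EVENTS = [
    "WEB01|w3wp.exe|cmd.exe|cmd.exe /c whoami",
    "WEB01|cmd.exe|powershell.exe|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true -DisableScriptScanning $true",
    'WEB01|cmd.exe|net.exe|net group "Domain Admins" /domain',
    'WEB01|cmd.exe|wmic.exe|wmic /node:FS01 process call create "powershell -enc SQBFAFgAIAAo"',  # placeholder base64
    "FS01|cmd.exe|vssadmin.exe|vssadmin delete shadows /all /quiet",
    "FS01|cmd.exe|sc.exe|sc config vss start= disabled",
    "FS01|cmd.exe|wevtutil.exe|wevtutil cl Security",
    "WS12|explorer.exe|powershell.exe|powershell.exe Get-MpPreference",  # benign control
    "WS12|explorer.exe|net.exe|net use Z: \\\\FS01\\share",              # benign control
]

# Web server worker processes a web shell would execute through. Assumption: IIS
# (w3wp.exe) fronts Exchange and SharePoint; add other server images for your estate.
WEB_SERVER_IMAGES = {"w3wp.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

# (rule name, ATT&CK tactic, pattern over the command line). The Set-MpPreference and
# net group patterns follow the commands quoted in the advisory; the wmic, vssadmin,
# sc and wevtutil forms are common ways to do what the advisory describes and are
# assumptions for this example.
RULES = [
    ("defender_tamper", "defense-evasion",
     re.compile(r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|BehaviorMonitoring|ScriptScanning)", re.I)),
    ("event_log_clear", "defense-evasion",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\b|\bClear-EventLog\b", re.I)),
    ("domain_admin_enum", "discovery",
     re.compile(r'\bnet1?(\.exe)?\s+group\s+"?Domain Admins"?\s+/domain', re.I)),
    ("wmic_remote_encoded_ps", "lateral-movement",
     re.compile(r"\bwmic(\.exe)?\s+/node:\S+.*\bprocess\s+call\s+create\b.*powershell.*\s-(e|ec|enc|encodedcommand)\b", re.I)),
    ("shadow_copy_delete", "impact",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("vss_service_disable", "impact",
     re.compile(r"\bsc(\.exe)?\s+config\s+vss\s+start=\s*disabled\b|\bnet(\.exe)?\s+stop\s+vss\b", re.I)),
]


def parse_event(line):
    """Split one flattened log line into its fields; image names are lower-cased for matching."""
    host, parent, image, cmdline = line.split("|", 3)
    return {"host": host, "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def match_event(event):
    """Return [(rule_name, tactic)] for one parsed event."""
    hits = []
    # The parent/child relationship, not the command line, is the signal for web shell
    # use: a web server worker spawning a shell is rarely legitimate.
    if event["parent"] in WEB_SERVER_IMAGES and event["image"] in SHELL_IMAGES:
        hits.append(("webshell_child_process", "initial-access"))
    for name, tactic, pattern in RULES:
        if pattern.search(event["cmdline"]):
            hits.append((name, tactic))
    return hits


def detect(lines):
    """Run every rule over the telemetry; return per-event hits and the tactics seen per host."""
    hits = []
    tactics_by_host = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        for name, tactic in match_event(event):
            hits.append((event["host"], name))
            tactics_by_host[event["host"]].add(tactic)
    return hits, dict(tactics_by_host)


def escalate(tactics_by_host, min_tactics=2):
    """Hosts on which two or more distinct tactics fired. Ghost moves from access to
    encryption within a day, so these hits land close together; a SIEM rule would add a
    time window, which this offline example omits."""
    return sorted(host for host, tactics in tactics_by_host.items() if len(tactics) >= min_tactics)


if __name__ == "__main__":
    found, by_host = detect(SAMPLE_EVENTS)
    for host, rule in found:
        print(f"{host}: {rule}")
    print("escalate:", escalate(by_host))
```

Run against the constructed sample, every Ghost-style line fires exactly one rule, the two benign lines on WS12 fire none, and both WEB01 (four tactics) and FS01 (two tactics) are escalated. In production, tune the per-host correlation with a time window and feed the same rules your EDR's process-creation events rather than a flattened text export.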
