Recent findings by cybersecurity authorities reveal that the Ghost ransomware has infiltrated organizations across more than 70 countries, affecting a wide range of sectors including critical infrastructure, healthcare, government, and technology. This widespread cyber threat has been active since early 2021, exploiting known vulnerabilities in outdated software and firmware.

Widespread Sector Impact

The Ghost ransomware has not only targeted critical infrastructure but has also impacted industries such as healthcare, education, manufacturing, and numerous small to medium-sized enterprises. This broad targeting strategy has allowed the ransomware to compromise networks globally, including those in China.

Technical Characteristics of Ghost Ransomware

Ghost ransomware operators are known for frequently changing their malware executables, file extensions, and ransom note contents. They also use multiple email addresses for ransom negotiations, complicating attribution efforts. The group is associated with various names, including Ghost, Cring, Crypt3r, and Phantom, and has used ransomware samples like Cring.exe and Ghost.exe in their attacks.

  • Exploitation Methods: The group exploits vulnerabilities in unpatched systems, particularly in Fortinet, ColdFusion, and Exchange servers.
  • Vulnerabilities Targeted: Key vulnerabilities include CVE-2018-13379, CVE-2010-2861, and CVE-2021-34473.

Defense Strategies Against Ghost Ransomware

To mitigate the threat posed by Ghost ransomware, cybersecurity experts recommend several defensive measures. These include regular and off-site system backups, prompt patching of operating systems and software, and network segmentation to prevent lateral movement of malware.

  • Regular Backups: Ensure backups are stored offline and cannot be encrypted by ransomware.
  • Patch Management: Address vulnerabilities promptly, focusing on those exploited by Ghost ransomware.
  • Network Segmentation: Limit the spread of ransomware by segmenting networks.
  • Multi-Factor Authentication: Implement phishing-resistant MFA for all privileged accounts.

Historical Context and Ongoing Threats

The Ghost ransomware was first identified by Amigo_A and the Swisscom CSIRT team in early 2021. The attackers used custom Mimikatz samples and Cobalt Strike beacons to deploy ransomware payloads. They also exploited the CVE-2018-13379 vulnerability in Fortinet SSL VPN appliances, which has been a target for state-backed hacking groups as well.

Despite multiple warnings from Fortinet to patch this vulnerability, it has been repeatedly exploited, even affecting U.S. election support systems. The joint advisory from CISA, the FBI, and MS-ISAC provides indicators of compromise and detection methods to help organizations defend against these threats.