Ghost Ransomware a Persistent Global Threat to Critical Infrastructure
Thu | Feb 20, 2025 | 1:04 PM PST

The FBI, CISA, and MS-ISAC have issued a joint cybersecurity advisory warning organizations about Ghost (Cring) ransomware, a sophisticated cyber threat that has been compromising critical infrastructure, businesses, and government entities worldwide. The advisory, part of the #StopRansomware campaign, outlines the attack methods, technical details, and mitigation strategies needed to defend against this persistent ransomware strain.

Ghost ransomware actors, identified as operating from China, exploit unpatched systems and use stolen credentials to infiltrate networks, encrypt data, and demand ransom payments. Experts warn that organizations must act decisively to protect against this growing threat by implementing Zero Trust architectures, patching vulnerabilities, and strengthening identity security.

Key findings from the advisory

The advisory highlights the rapid and efficient attack lifecycle of Ghost ransomware, with some incidents seeing full encryption within a single day. Attackers exploit public-facing applications by targeting known vulnerabilities, including:

  • Fortinet FortiOS (CVE-2018-13379)

  • Adobe ColdFusion (CVE-2010-2861, CVE-2009-3960)

  • Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)

  • Microsoft SharePoint (CVE-2019-0604)

Once inside, Ghost actors deploy Cobalt Strike Beacon malware, steal credentials, disable defenses, and spread ransomware laterally across the network. Their ransom demands range from tens to hundreds of thousands of dollars, often leveraging encrypted email services like ProtonMail, Tutanota, and Skiff for communication.

Persistent exploitation of legacy systems

One of the most alarming aspects of Ghost ransomware is its focus on legacy IoT and OT environments. Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, explains:

"Attacks on legacy cyber-physical, IoT, and IIoT devices—particularly in an OT environment—are to be expected and must be planned for as part of the operational requirements for the device. Even the most secure device from a decade ago is likely quite vulnerable to a modern-day attack. Organizations must work closely with their suppliers to ensure a long-term operations and risk mitigation plan."

This underscores the urgent need for patching, segmentation, and supplier collaboration to secure long-lifecycle devices in industrial settings.

The role of identity security in ransomware defense

Credential theft remains a primary attack vector for Ghost ransomware. Darren Guccione, CEO of Keeper Security, warns: "The Ghost ransomware campaign highlights the persistent reality that adversaries exploit known vulnerabilities faster than many organizations can patch them. Beyond patching, identity security is a persistent weak point in defending against ransomware attacks."

He urges enterprises to implement Privileged Access Management (PAM) solutions and multi-factor authentication (MFA) and to enforce robust password policies to reduce the risk of account compromise.

Rom Carmel, Co-Founder of Apono, echoes this sentiment: "Ghost's credential theft is a stark reminder that hackers are always a step ahead. Stolen credentials remain the top breach factor, responsible for 24% of incidents in 2024. Organizations must enforce precise, rightsized privileges and limit the availability of access to high-value resources."

This highlights the importance of least-privilege access models and Just-in-Time (JIT) access controls to limit attack surfaces.

Lateral movement: the silent threat in critical infrastructure

Agnidipta Sarkar, VP of CISO Advisory at ColorTokens, points out that many critical infrastructure organizations fail to address lateral movement, a key enabler for Ghost ransomware: "Most critical infrastructure cybersecurity leadership, especially in OT, do not bother much about lateral movement, which is the key to success of this group. All they need is one successful attempt to gain initial access."

The advisory reinforces the need for network segmentation, continuous monitoring, and micro-segmentation strategies to block unauthorized movement within environments.

Mitigation strategies: what organizations must do

The FBI, CISA, and MS-ISAC recommend several critical actions to defend against Ghost ransomware.

1. Patching and vulnerability management

  • Apply timely security updates to operating systems, software, and firmware.

  • Prioritize fixing vulnerabilities exploited by Ghost, such as ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

2. Strengthening identity security

  • Enforce phishing-resistant MFA for all privileged accounts.

  • Use Privileged Access Management (PAM) solutions.

  • Require 16+ character unique passwords stored in an enterprise password manager.

  • Regularly audit and remove unused credentials and accounts.

3. Network segmentation and monitoring

  • Segment networks to prevent lateral movement.

  • Monitor for abnormal PowerShell and Cobalt Strike activity.

  • Disable unused ports and services, such as RDP (3389), FTP (21), and SMB (445).

4. Endpoint and email security

  • Implement advanced email filtering to block malicious attachments.

  • Enforce DMARC, DKIM, and SPF to prevent spoofing.

  • Deploy endpoint detection and response (EDR) solutions.

5. Cybersecurity awareness and incident response

  • Train employees to recognize phishing attempts and social engineering.

  • Develop and test ransomware response plans.

  • Report ransomware incidents to the FBI Internet Crime Complaint Center (IC3), CISA, or MS-ISAC.
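The "monitor for abnormal PowerShell activity" recommendation above is easier to act on with a concrete rule. The following is an added example, not code from the advisory or from SecureWorld; it scans constructed process-creation records (a simplified `user|parent|image|command_line` format that is an assumption here, not a real log schema) and flags PowerShell launches that combine two or more weak signals such as an encoded command, a hidden window, an execution-policy bypass, or an Office parent process.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not real telemetry): user|parent|image|command_line
SAMPLE_LOGS = [
    "svc_backup|services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "jdoe|explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -NoProfile Get-ChildItem C:\\Users\\jdoe",
    "jdoe|winword.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "admin|cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -ep bypass -w hidden -f C:\\Temp\\run.ps1",
]

# Each regex is matched against the lower-cased command line; the label is the reason reported.
SUSPICIOUS_FLAGS = {
    r"-(e|ec|enc|encodedcommand)\b": "encoded command",
    r"-w(indowstyle)?\s+hidden": "hidden window",
    r"-(ep|exec|executionpolicy)\s+bypass": "execution policy bypass",
    r"-nop(rofile)?\b": "no profile",  # common in admin scripts; never decisive on its own
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


@dataclass
class Finding:
    user: str
    reasons: list


def score_event(line):
    """Return a Finding for a suspicious PowerShell launch, else None."""
    user, parent, image, cmdline = line.split("|", 3)
    if not image.lower().endswith("powershell.exe"):
        return None
    low = cmdline.lower()
    reasons = [label for pattern, label in SUSPICIOUS_FLAGS.items() if re.search(pattern, low)]
    if parent.lower() in OFFICE_PARENTS:
        reasons.append(f"spawned by {parent.lower()}")
    # Require at least two signals, one of them strong, to keep routine admin use out of alerts.
    strong = [r for r in reasons if r != "no profile"]
    if strong and len(reasons) >= 2:
        return Finding(user, reasons)
    return None


def scan(lines):
    """Run the rule over a batch of records and keep only the hits."""
    return [f for f in (score_event(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"{finding.user}: {', '.join(finding.reasons)}")
```

On the sample records only the Word-spawned encoded launch and the policy-bypass launch are reported; the plain `-NoProfile Get-ChildItem` run is ignored because it carries a single weak signal.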

The Ghost (Cring) ransomware campaign is a rapidly evolving global threat affecting critical infrastructure, healthcare, government agencies, and businesses of all sizes. Attackers are exploiting known vulnerabilities, weak credentials, and lateral movement to maximize their impact.

Organizations must adopt a proactive, zero-trust approach to mitigate these risks before they escalate into business-disrupting incidents. Experts emphasize that the key lies in robust patching, identity security, and continuous monitoring.

For the latest updates and resources, visit StopRansomware.gov.

Follow SecureWorld News for more stories related to cybersecurity.
