The operators of Ghost ransomware continue to claim victims and score payments, but keeping the crooks at bay is possible by patching known vulnerabilities and taking some basic infosec actions, according to a joint advisory issued Wednesday by the FBI and US Cybersecurity and Infrastructure Security Agency.
The Feds warned orgs to beware of this spectral menace, which is known to have infected critical infrastructure and entities in every sector of a typical economy, and which has been observed scoring ransoms as recently as January. It is said to have racked up victims in more than 70 countries, including some in its China homeland.
Ghost first appeared in 2021, and according to the Feds, the gang will “rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time.”
The Chinese group has therefore been identified as Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture over time.
The group’s favored tactics, however, remain consistent: It targets unpatched systems, exploiting known vulnerabilities to gain initial access. The group’s favorite flaws are:
If you have applied patches for those problems, or have adopted some other security controls, it’s likely that Ghost will float right past your org and onto its next potential victim.
“Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral movement to other devices,” the FBI and CISA noted.
If that description isn’t an accurate representation of your infrastructure, here’s what to expect if the Ghost gang targets you.
After an initial compromise using known flaws, Ghost uploads a web shell backdoor to the compromised server, allowing the gang to use Windows Command Prompt and/or PowerShell to execute Cobalt Strike Beacon on that victim’s Microsoft-powered system. A likely next move will be to use Cobalt Strike functionality to steal process tokens belonging to SYSTEM users. If Ghost gets those tokens, they’ll use the elevated privileges they confer to move laterally through the network, run PowerShell commands on additional systems, and infect more devices with Cobalt Strike.
Cobalt Strike is a legitimate security-testing tool, though it is favored by criminals who use cracked versions to deploy malware, move laterally across networks, and do other dirty deeds. Ghost uses the software to display a list of running processes, collect passwords that allow it to access more devices, and disable any antivirus software on compromised machines.
The advisory contains a long list of indicators of compromise, including MD5 file hashes associated with Ghost ransomware activity and email addresses used in Ghost ransom notes. Pay attention, people.
The document also advises some “Infosec 101” tactics such as patching known vulnerabilities and maintaining system backups. “Ghost ransomware victims whose backups were unaffected by the ransomware attack were often able to restore operations without needing to contact Ghost actors or pay a ransom,” the Feds said.
It’s also a good idea to monitor your networks for unauthorized use of PowerShell, and the NSA and CISA have released a best-practices guide to help. ®
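Two of the behaviours described above are cheap to watch for in endpoint process-creation telemetry: a web-server worker process spawning a command shell (the web shell step), and PowerShell being launched by accounts that have no business running it, or with switches such as a hidden window or an encoded command. The following is an added example written for this article, not code from the FBI/CISA advisory or the NSA/CISA PowerShell guide; the telemetry lines, the account allow-list, the process names and the rule names are all constructed here for illustration.

```python
import json
import re

# Constructed sample telemetry (not from the advisory): one process-creation
# event per line, JSON-encoded. Field names loosely follow Sysmon Event ID 1
# (ParentImage, Image, User, CommandLine); every value here is invented.
SAMPLE_EVENTS = r"""
{"ts":"2025-01-14T09:02:11Z","host":"WEB01","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\cmd.exe","user":"IIS APPPOOL\\DefaultAppPool","cmdline":"cmd.exe /c whoami"}
{"ts":"2025-01-14T09:02:13Z","host":"WEB01","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","user":"IIS APPPOOL\\DefaultAppPool","cmdline":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"}
{"ts":"2025-01-14T09:05:40Z","host":"WS07","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","user":"CORP\\jdoe","cmdline":"powershell.exe -File C:\\scripts\\inventory.ps1"}
{"ts":"2025-01-14T09:06:02Z","host":"WS07","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","user":"CORP\\jdoe","cmdline":"notepad.exe"}
{"ts":"2025-01-14T09:07:15Z","host":"ADM01","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","user":"CORP\\svc-patching","cmdline":"powershell.exe -NoProfile -File C:\\ops\\patch-report.ps1"}
"""

# Worker processes of common web servers; a shell spawned directly beneath one
# is the classic footprint of a web shell being driven by an attacker.
WEB_SERVER_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Accounts permitted to launch PowerShell on monitored hosts (constructed
# policy; compared case-insensitively). Everyone else is "unauthorized use".
POWERSHELL_ALLOWLIST = {"corp\\svc-patching"}

# Launch switches that legitimate administration rarely needs but hands-on-
# keyboard tooling uses constantly: encoded commands (-e/-ec/-enc/
# -EncodedCommand), hidden windows (-w hidden / -WindowStyle hidden) and
# execution-policy bypass (-ep bypass / -ExecutionPolicy bypass).
SUSPICIOUS_SWITCHES = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand"
    r"|w(?:indowstyle)?\s+hidden"
    r"|(?:ep|executionpolicy)\s+bypass)(?=\s|$)"
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(event: dict) -> list:
    """Return the names of every detection rule a single event triggers."""
    rules = []
    parent = basename(event["parent"])
    image = basename(event["image"])
    user = event["user"].lower()
    cmdline = event.get("cmdline", "")

    if parent in WEB_SERVER_WORKERS and image in SHELLS:
        rules.append("webshell_spawned_shell")

    if image in POWERSHELL:
        if SUSPICIOUS_SWITCHES.search(cmdline):
            rules.append("powershell_suspicious_switches")
        if user not in POWERSHELL_ALLOWLIST:
            rules.append("powershell_unauthorized_user")
    return rules


def scan(text: str) -> list:
    """Run every rule over a telemetry feed and return one finding per hit."""
    findings = []
    for event in parse_events(text):
        rules = evaluate(event)
        if rules:
            findings.append({"ts": event["ts"], "host": event["host"],
                             "user": event["user"], "rules": rules})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["ts"], finding["host"], finding["user"], ", ".join(finding["rules"]))
```

Run against the constructed feed, the two WEB01 events fire the web shell rule (the second also trips the encoded-command and unauthorized-user rules), the WS07 inventory script fires only the unauthorized-user rule, and the allow-listed patching account on ADM01 is left alone. The allow-list is deliberately a set of accounts rather than of scripts, because the advisory's point is that PowerShell in the hands of an account that should never be driving it is itself the signal, regardless of what the command line looks like.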