U.S. authorities have published an alert concerning the Ghost ransomware group, which is based in China and has carried out ransomware attacks in about 70 countries against several sectors, including healthcare, religious institutions, education, manufacturing, technology, and government systems.
The group, which also operates under the names Crypt3r, Cring, Hello, Phantom, Strike, HsHarada, Wickrme, and Rapture, began operations in 2021. Its victims are small- to medium-sized companies. According to the joint cybersecurity advisory published by the Multi-State Information Sharing and Analysis Center (MS-ISAC), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), Ghost attacks indiscriminately, targeting the internet-facing servers of companies with weak security.
The group uses publicly available exploits for several vulnerabilities, some dating back to 2009. It has exploited vulnerabilities in Adobe ColdFusion servers (CVE-2009-3960 and CVE-2010-2861), Fortinet FortiOS appliances (CVE-2018-13379), Microsoft Exchange (CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207), and Microsoft SharePoint (CVE-2019-0604).
Unlike many ransomware groups, Ghost actors prioritize speed and do not linger, frequently deploying their ransomware payloads on the same day they gain initial access to a victim's system. More recently, the group has been seen deploying web shells on the web servers of compromised organizations, creating new local and website accounts, and changing the passwords of existing accounts.
Ghost actors use Cobalt Strike to enumerate system functions and anti-virus software, which they then disable, including turning off Windows Defender on devices connected to the network. They use Cobalt Strike functions to steal process tokens running in the SYSTEM user context so that they can impersonate the SYSTEM user and relaunch Beacon with elevated privileges. They have also been observed using a variety of open-source privilege escalation tools that are rarely used by legitimate users, such as BadPotato, SharpZeroLogon, and GodPotato. Ghost actors frequently use the Windows Management Instrumentation Command-Line (WMIC) utility to run PowerShell commands on additional network systems. If lateral movement is not possible, the attack is abandoned; the group does not appear to spend time trying to break into well-secured systems.
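Two of the behaviours described above, WMIC being used to run PowerShell on further hosts and Windows Defender being switched off, leave traces in process-creation and Defender event logs. The following Python script is an added example, not code from the advisory or from the agencies that published it; it runs three simple detection rules over a handful of constructed log records. The field names (EventID, Computer, Image, ParentImage, CommandLine, Provider) mirror Sysmon Event ID 1 and the Windows Defender operational log, and Event ID 5001 is the Defender event recorded when real-time protection is disabled; the log lines themselves are made up for the example.

```python
"""Flag Ghost-style post-exploitation traces in process-creation and Defender logs.

Added, illustrative example. The records in SAMPLE_LOG are constructed and
use Sysmon-like field names; they are not taken from the advisory or from
any real incident.
"""
import json
import re

# One JSON object per line: Sysmon-style process creation (EventID 1) and a
# Defender operational event (EventID 5001, real-time protection disabled).
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "ADMIN-WS", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic /node:FILESRV-02 process call create \"powershell -nop -w hidden -enc SQBFAFgA\""}
{"EventID": 1, "Computer": "FILESRV-02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"}
{"EventID": 1, "Computer": "ADMIN-WS", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell Get-Date"}
{"EventID": 5001, "Computer": "FILESRV-02", "Provider": "Microsoft-Windows-Windows Defender"}
{"EventID": 1, "Computer": "FILESRV-02", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic os get caption"}
"""

# A WMIC invocation that both names a remote node and asks it to create a process.
WMIC_REMOTE_CREATE = re.compile(r"/node:\S+.*process\s+call\s+create", re.IGNORECASE)


def parse_log(text):
    """Parse one JSON record per non-empty line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def basename(path):
    """Lower-cased final component of a Windows path, e.g. 'wmic.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_wmic_remote_process_create(rec):
    """Originating host: WMIC.exe told to create a process on another node."""
    return (rec.get("EventID") == 1
            and basename(rec.get("Image", "")) == "wmic.exe"
            and WMIC_REMOTE_CREATE.search(rec.get("CommandLine", "")) is not None)


def rule_wmi_spawned_powershell(rec):
    """Target host: the WMI provider host launching PowerShell."""
    return (rec.get("EventID") == 1
            and basename(rec.get("ParentImage", "")) == "wmiprvse.exe"
            and basename(rec.get("Image", "")) in {"powershell.exe", "pwsh.exe"})


def rule_defender_realtime_disabled(rec):
    """Defender operational log event 5001: real-time protection disabled."""
    return rec.get("EventID") == 5001 and "Defender" in rec.get("Provider", "")


RULES = [
    ("wmic_remote_process_create", rule_wmic_remote_process_create),
    ("wmi_spawned_powershell", rule_wmi_spawned_powershell),
    ("defender_realtime_protection_disabled", rule_defender_realtime_disabled),
]


def detect(records):
    """Return one finding per (record, matching rule), tagged with the host."""
    findings = []
    for rec in records:
        for name, rule in RULES:
            if rule(rec):
                findings.append({"rule": name, "computer": rec.get("Computer", "?")})
    return findings


def hosts_by_rule(findings):
    """Group affected hosts per rule, which is what an analyst triages first."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["rule"], set()).add(f["computer"])
    return grouped


if __name__ == "__main__":
    for rule, hosts in sorted(hosts_by_rule(detect(parse_log(SAMPLE_LOG))).items()):
        print(f"{rule}: {', '.join(sorted(hosts))}")
```

The two WMIC rules deliberately look at both ends of the lateral movement: the command line on the host the actor is working from, and the unusual parent process on the host that received the command. The benign `powershell Get-Date` from Explorer and the local `wmic os get caption` query are included so that the rules can be checked for false positives.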
Although many ransomware groups spend time identifying and exfiltrating large volumes of sensitive data, Ghost's data exfiltration is usually minimal. While Ghost actors also threaten to leak stolen data, they do not usually steal sensitive data such as intellectual property or personally identifiable information (PII), which limits the damage caused by data leaks. The primary goal of the attacks is data encryption, with a ransom demanded in exchange for the decryption keys. Ransom demands usually range from $10,000 to $100,000.
The cybersecurity advisory includes Indicators of Compromise (IoCs) and recommended mitigations. It also calls for strengthening baseline security by promptly patching known vulnerabilities, providing HIPAA training for the workforce that includes recognizing phishing attacks, using phishing-resistant multifactor authentication on privileged and email accounts, segmenting networks to stop lateral movement, and routinely backing up files while ensuring backups are not accessible from the source systems.