Introduction
The “Ghost” ransomware group [1] [2] [3] [4] [6] [8] [9], also known by various aliases such as Cring, Crypt3r [2] [3] [8] [9], and Phantom, is a financially motivated threat actor originating from China [5]. Since early 2021 [1] [4] [7] [9] [10], they have been responsible for numerous cyberattacks targeting critical infrastructure and various sectors worldwide. Their operations have continued into 2025, exploiting vulnerabilities in widely used software to infiltrate networks and deploy ransomware.
Description
The “Ghost” ransomware group [1] [2] [3] [4] [6] [8] [9], also known as Cring [1] [2] [3] [4] [9], Crypt3r [2] [3] [8] [9], Phantom [2] [3] [8] [9], Strike [1] [2] [3] [5] [6] [8] [9] [10], Hello [2] [3] [8] [9], Wickrme [2] [3] [8] [9], HsHarada [2] [3] [8] [9], and Rapture [2] [3] [8] [9], is a financially motivated threat group based in China that has been conducting widespread attacks since early 2021, with recent activities reported as of January 2025 [3]. This group targets critical infrastructure, government [1] [3] [4] [5] [7] [8], healthcare [1] [3] [4] [6] [7] [8] [10], educational institutions [3], religious organizations [3], technology firms [3], manufacturing companies [3] [7] [8], and small- to medium-sized businesses across more than 70 countries, including within China [3] [5]. They primarily exploit unpatched vulnerabilities in internet-facing services [8], particularly in Fortinet FortiOS (CVE-2018-13379) [1] [8] [10], Adobe ColdFusion (CVE-2010-2861 [1] [3] [10], CVE-2009-3960) [1] [3] [8] [10], and Microsoft Exchange (CVE-2021-34473 [1] [3] [8] [10], CVE-2021-34523 [1] [3] [8] [10], CVE-2021-31207) [1] [3] [8] [10], as well as Microsoft SharePoint (CVE-2019-0604) and other known vulnerabilities.
Ghost actors employ a range of tactics [1], techniques [1] [4] [7] [9] [10], and procedures (TTPs) to execute their attacks [1], focusing on internet-facing applications and exploiting publicly known vulnerabilities (tracked as CVEs) to gain access. Upon gaining initial access [1] [2] [5] [10], they typically deploy web shells, including a variation of Chunk-Proxy, and use Cobalt Strike beacons to establish persistence within compromised networks. They often move quickly from initial compromise to execution, deploying ransomware within days [9]. Techniques such as uploading web shells [9], using legitimate cybersecurity tools like Cobalt Strike for access [6], and employing tools like Mimikatz for credential dumping and privilege escalation are common. While they occasionally claim to exfiltrate data, significant data exfiltration is rare [10], with reports indicating limited downloads of sensitive information. The FBI has noted the group’s sporadic use of Mega.nz for data exfiltration, and they have also started using encrypted email services like Tutanota and ProtonMail for ransom communications since August 2024.
To obfuscate their activities [4], Ghost operators rotate ransomware executable payloads, change file extensions for encrypted files [3] [4] [5], modify ransom note text [4] [9], and use multiple ransom email addresses [3] [4], complicating attribution efforts [4]. They disable antivirus software and Windows Defender using specific PowerShell commands to evade detection [10], and they conduct discovery using built-in Cobalt Strike commands and open-source tools for network and remote system exploration [10]. For lateral movement [1] [2] [5] [10], they leverage elevated access and Windows Management Instrumentation Command-Line (WMIC) to execute commands across the network [10].
Ghost ransom notes frequently threaten to sell exfiltrated data if a ransom is not paid [2], although actual data exfiltration is limited [9]. The group primarily relies on Cobalt Strike for command and control operations [1] [10], utilizing HTTP and HTTPS for communication [1] [10]. Ransomware executables used by Ghost include Cring.exe [1] [5], Ghost.exe [1] [5] [8] [10], ElysiumO.exe [1] [5] [8] [10], and Locker.exe [1] [5] [8] [10], which encrypt files and directories [10], often clearing Windows Event Logs and disabling recovery options [10]. Ransom demands typically range from tens to hundreds of thousands of dollars in cryptocurrency [10]. The impact of their attacks varies; while some organizations face data encryption and operational disruptions [3], others with robust backup solutions can restore operations without paying a ransom [3]. Ghost actors shift targets when faced with hardened defenses [10].
Organizations are encouraged to implement mitigations such as maintaining regular offline backups [10], timely patching of vulnerabilities [1] [3] [10], and setting network security tools to alert for the activation of Cobalt Strike and privilege escalation applications [6]. Specifically, organizations should prioritize patching vulnerabilities actively exploited by Ghost [3], including CVE-2018-13379 (Fortinet FortiOS) [3], CVE-2010-2861 and CVE-2009-3960 (Adobe ColdFusion) [3], and CVE-2021-34473 [1] [3] [8] [10], CVE-2021-34523 [1] [3] [8] [10], and CVE-2021-31207 (Microsoft Exchange) [3]. Additionally, network segmentation [1] [10], phishing-resistant multi-factor authentication [1] [9], and monitoring for unauthorized PowerShell usage can enhance their cybersecurity posture against Ghost ransomware threats. An attack graph has been developed to emulate the Tactics [4], Techniques [1] [4] [7] [9] [10], and Procedures (TTPs) exhibited by Ghost ransomware [4] [7], aiding organizations in validating their security controls and enhancing their defenses against this sophisticated threat [4]. Continuous testing and assessment using this framework can help improve security posture and incident response processes against the activities of Ghost ransomware operators [4]. The FBI and CISA have identified specific indicators of compromise (IOCs) associated with Ghost operations, which include the use of specific tools and applications linked to their activities, as well as various ransomware executable payloads and modified ransom note texts [9].
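The following is an added illustration, not code from any of the cited sources, of how the monitoring recommended above can be expressed as detection logic over process-creation events. It sweeps constructed sample events for the Ghost behaviours described in this report: Defender being disabled through PowerShell, WMIC remote process creation, event-log clearing, and a web-server worker spawning a shell. The pipe-separated event layout, the host names, and the exact PowerShell/WMIC command lines are assumptions made for the sample.

```python
"""Hypothetical detection sweep for Ghost-style post-exploitation activity.
Constructed sample data; the event layout below is an assumption."""
import re
from typing import Dict, List, Optional, Pattern, Tuple

# Constructed sample events: "timestamp|host|parent_image|command_line"
# (an assumed, simplified process-creation export, not a real log format).
SAMPLE_EVENTS = [
    "2025-01-14T02:11:05Z|WEB01|w3wp.exe|cmd.exe /c whoami",
    "2025-01-14T02:13:40Z|WEB01|cmd.exe|powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true",
    "2025-01-14T02:15:02Z|WEB01|powershell.exe|wmic /node:FS02 process call create \"cmd.exe /c hostname\"",
    "2025-01-14T02:20:19Z|FS02|cmd.exe|wevtutil cl Security",
    "2025-01-14T09:00:00Z|ADMIN01|explorer.exe|powershell.exe Get-MpComputerStatus",
]

# Each rule: name, severity, regex on the command line, optional parent-image regex.
RULES: List[Tuple[str, str, Pattern[str], Optional[Pattern[str]]]] = [
    ("defender_tamper", "high",
     re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I), None),
    ("wmic_remote_exec", "high",
     re.compile(r"\bwmic\b.*/node:\S+.*process\s+call\s+create", re.I), None),
    ("eventlog_cleared", "high",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I), None),
    # The IIS worker process (w3wp.exe, which hosts Exchange and SharePoint)
    # spawning a shell is a classic web-shell indicator; the parent check is what
    # separates it from ordinary interactive use of cmd/powershell.
    ("webserver_spawns_shell", "medium",
     re.compile(r"^(cmd|powershell)(\.exe)?\b", re.I), re.compile(r"^w3wp\.exe$", re.I)),
]

def parse_event(line: str) -> Dict[str, str]:
    ts, host, parent, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "parent": parent, "cmd": cmd}

def scan(events: List[str]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) match, in input order."""
    findings: List[Dict[str, str]] = []
    for line in events:
        ev = parse_event(line)
        for name, sev, cmd_re, parent_re in RULES:
            if parent_re is not None and not parent_re.match(ev["parent"]):
                continue
            if cmd_re.search(ev["cmd"]):
                findings.append({**ev, "rule": name, "severity": sev})
    return findings

def hosts_by_severity(findings: List[Dict[str, str]], severity: str = "high") -> List[str]:
    """Distinct hosts with at least one finding of the given severity, sorted."""
    return sorted({f["host"] for f in findings if f["severity"] == severity})

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']:<8} {f['severity']:<6} {f['rule']:<24} {f['cmd']}")
```

On the sample, the sweep links the web-shell indicator, the Defender tampering and the WMIC hop on WEB01 to the later log clearing on FS02, which is the chain the report describes from initial access through lateral movement.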
Conclusion
The Ghost ransomware group poses a significant threat to global cybersecurity, with their sophisticated tactics and persistent attacks on various sectors. Organizations must remain vigilant, implementing robust security measures such as regular patching, network segmentation [1] [10], and multi-factor authentication to mitigate the risks posed by this group. As the threat landscape evolves, continuous assessment and adaptation of security strategies are essential to counteract the activities of Ghost and similar threat actors.
References
[1] https://www.assurantcyber.com/blog/aa25-050a/
[2] https://www.infosecurity-magazine.com/news/cisa-fbi-warn-global-threat-ghost/
[3] https://thecyberexpress.com/ghost-ransomware-attacks/
[4] https://www.attackiq.com/2025/02/20/cisa-aa25-050a-ghost-cring-ransomware/
[5] https://www.picussecurity.com/resource/blog/ghost-ransomware-analysis-cisa-alert-aa25-050a
[6] https://www.aha.org/news/headline/2025-02-20-agencies-warn-ghost-ransomware-activity
[7] https://www.cybersecurity-review.com/stopransomware-ghost-cring-ransomware/
[8] https://www.techradar.com/pro/security/ghost-ransomware-has-hit-firms-in-over-70-countries-fbi-and-cisa-warn
[9] https://www.techtarget.com/searchSecurity/news/366619496/CISA-FBI-warn-of-Ghost-Cring-ransomware-attacks
[10] https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a