
Update, Feb. 21, 2025: This article, first released on Feb. 20, now features insights from various cybersecurity experts regarding the FBI’s alert about Ghost ransomware.

Phishing, social engineering, scams, or whatever terminology you may prefer for those “click here” schemes widely used by cybercriminals is just one of many security concerns that demand your attention. While it should be obvious, overlooking the other attack vectors is akin to ignoring a thief who snatches your beach toys right in front of you.

The Federal Bureau of Investigation has recently released a crucial advisory regarding a particularly menacing ransomware threat referred to as Ghost. Here’s everything you need to know and what urgent actions the FBI recommends to ensure your protection against this cyber menace.


FBI Issues Urgent Ghost Ransomware Security Alert

A collaborative security advisory released on Feb. 19 by the FBI and the Cybersecurity and Infrastructure Security Agency (AA25-050A) has alerted organizations globally about a hazardous ransomware group known as Ghost, which is actively executing attacks across more than 70 countries, targeting various industry sectors.

According to the FBI, these cybercriminals operate from China and use a variety of aliases, with Ghost being the most recognized. They also go by names such as Cring, Crypt3r, Phantom, and more. However, their attack strategy remains consistent. Unlike most ransomware groups that typically utilize phishing tactics, Ghost opts for publicly accessible code to exploit existing security flaws in unpatched software and firmware. This approach allows them to infiltrate internet-exposed servers before delivering the ransomware payload.

“The FBI has noted that Ghost actors gain initial access to networks by targeting publicly exposed applications linked to multiple Common Vulnerabilities and Exposures,” stated the advisory. “Their tactics include exploiting vulnerabilities in Fortinet FortiOS appliances, as well as servers running Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange, commonly identified in the ProxyShell attack vector.”


Expert Reactions to the FBI’s Ghost Advisory

“Ghost represents a significant threat from a nation-state actor that organizations must take steps to defend against,” stated Juliette Hudson, Chief Technology Officer at CybaVerse. “This group’s active exploitation of known vulnerabilities in widely used technology underscores the urgent need for organizations to prioritize patching and remediation.” The challenge, warned Darren Guccione, CEO of Keeper Security, is that “the Ghost ransomware campaign emphasizes a harsh reality: adversaries are exploiting known vulnerabilities faster than many organizations can address them.” This calls for proactive risk management, with security teams consistently updating and hardening their software, firmware, and identity systems before a breach occurs. Guccione further added, “Beyond patching, identity security remains a critical vulnerability against ransomware. Enterprises must implement privileged access management solutions featuring multi-factor authentication, a zero-trust framework, and least-privilege access controls to hinder lateral movement.”

Joe Silva, CEO at Spektion, concurred that the Ghost ransomware incidents spotlight how threat actors exploit the “patch fatigue” experienced by overwhelmed security teams. “This indicates that traditional vulnerability management methods fail to keep pace with the surge in exploitable vulnerabilities,” Silva cautioned. “Organizations require real-time, contextual insights into how their software operates within their specific environments and should utilize tools that provide a strong ‘signal to noise’ ratio based on actual risks rather than overwhelming potential risks.”

Rom Carmel, CEO at Apono, emphasized that Ghost’s credential theft illustrates how hackers are often one step ahead. “By compromising legitimate accounts, they can delve deeper into networks and target an organization’s most sensitive assets,” Carmel warned. “To mitigate the impact of account breaches, organizations need to not only authenticate access but also enforce precise, tailored privileges and restrict access to high-value resources.”


Finally, Tim Mackey, head of software supply chain risk strategy at Black Duck, stated that attacks on legacy cyber-physical and Internet of Things devices should be anticipated and built into the operational planning for those devices. “Attackers are aware that best practices evolve,” Mackey noted, “and even highly secure devices from years past may now be vulnerable to modern threats, let alone those that may emerge in the future.” Given that the effective lifespan of any cyber-physical device is measured in years, if not decades, “organizations must collaborate closely with their suppliers to establish a long-term operational and risk mitigation strategy, ensuring not only patch availability but also active threat scenario data sharing,” Mackey concluded.

Immediate Actions Recommended by the FBI

The FBI has outlined a set of critical actions organizations should implement urgently to reduce the risks associated with this formidable ransomware campaign:

  1. Conduct regular system backups stored in a secure location separate from the primary systems, ensuring that these cannot be modified or encrypted by potentially compromised network devices.
  2. Address known vulnerabilities by promptly applying security updates to operating systems, applications, and firmware within a risk-informed timeframe.
  3. Segment networks to limit lateral movement from initially compromised devices to other systems within the organization.
  4. Enforce phishing-resistant multi-factor authentication (MFA) for access to privileged accounts and email services.
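The four actions above are policy statements; turning them into something a team can run against its own inventory is the practical step. The following script is an added example, not part of the FBI advisory or this article: it applies the advisory's themes (risk-informed patch windows, segmentation of internet-facing hosts, phishing-resistant MFA on privileged access, and backups that production hosts cannot overwrite) to a constructed asset list. Every host name, date, CVE placeholder and patch window is an invented assumption; the window lengths in particular are illustrative, and a real program would take them from its own risk policy.

```python
"""Added example (not from the FBI/CISA advisory or the article): triage a
constructed asset inventory against the advisory's recommended actions.
All names, dates, CVE placeholders and policy windows below are invented."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Asset:
    name: str
    internet_exposed: bool          # reachable from the internet
    zone: str                       # network segment: "dmz", "core", ...
    unpatched_cves: list[str]       # open CVEs with a vendor fix available
    known_exploited: bool           # any open CVE is known to be exploited
    patch_available_since: date | None
    privileged_mfa: str             # "phishing-resistant", "otp" or "none"
    backup_immutable: bool          # backups cannot be altered from the host


# Hypothetical risk-informed patch windows in days, keyed by
# (internet_exposed, known_exploited). Exposed hosts with actively
# exploited flaws get the shortest window.
PATCH_WINDOW_DAYS = {
    (True, True): 3,
    (True, False): 14,
    (False, True): 14,
    (False, False): 30,
}


def patch_deadline(asset: Asset) -> date | None:
    """Date by which the asset's open CVEs should be fixed, or None."""
    if not asset.unpatched_cves or asset.patch_available_since is None:
        return None
    days = PATCH_WINDOW_DAYS[(asset.internet_exposed, asset.known_exploited)]
    return asset.patch_available_since + timedelta(days=days)


def findings(asset: Asset, today: date) -> list[str]:
    """Return the list of advisory items this asset currently violates."""
    out: list[str] = []
    deadline = patch_deadline(asset)
    if deadline is not None and today > deadline:
        late = (today - deadline).days
        out.append(f"PATCH_OVERDUE by {late}d: {', '.join(asset.unpatched_cves)}")
    if asset.internet_exposed and asset.zone == "core":
        out.append("SEGMENTATION: internet-exposed host sits in the core segment")
    if asset.privileged_mfa != "phishing-resistant":
        out.append(f"MFA: privileged access uses '{asset.privileged_mfa}'")
    if not asset.backup_immutable:
        out.append("BACKUP: backups are modifiable from the production host")
    return out


def triage(assets: list[Asset], today: date) -> dict[str, list[str]]:
    """Map asset name -> findings, omitting assets with nothing to fix."""
    return {a.name: f for a in assets if (f := findings(a, today))}


# Constructed sample inventory (placeholder CVE ids, not real ones).
SAMPLE_ASSETS = [
    Asset("vpn-edge-01", True, "dmz", ["CVE-PLACEHOLDER-1"], True,
          date(2025, 2, 10), "otp", True),
    Asset("intranet-wiki", False, "core", ["CVE-PLACEHOLDER-2"], False,
          date(2025, 2, 1), "phishing-resistant", True),
    Asset("legacy-mail", True, "core", [], False, None, "none", False),
]

if __name__ == "__main__":
    for name, items in triage(SAMPLE_ASSETS, date(2025, 2, 20)).items():
        print(name)
        for item in items:
            print("  -", item)
```

The useful part is `patch_deadline`: it encodes the "risk-informed timeframe" from item 2 as a function of exposure and known exploitation rather than a single flat SLA, which is what lets a team work the queue in the order an attacker would. The other checks are simple flags, but keeping them in the same report means a host that is internet-facing, sitting in the core segment and protected only by one-time-password MFA shows up as one combined entry instead of three separate spreadsheets.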


“Ghost represents a notable threat from a nation-state actor that organizations must proactively guard against,” emphasized Juliette Hudson, Chief Technology Officer at CybaVerse. “The group is exploiting known vulnerabilities in prevalent technologies, underscoring the urgent requirement for organizations to prioritize patching and remediation.”

“This advisory from the FBI and CISA points to the fact that the Ghost ransomware operation is leveraging vulnerability exploits for access, a departure from typical ransomware strategies that rely on social engineering,” Simon Phillips, Chief Technology Officer at SecureAck, stated. “Considering that Ghost targets products designed for businesses and the vulnerabilities being exploited are outdated, this signals an immediate need to strengthen basic security measures.”

