CISA and FBI: Ghost ransomware breached orgs in 70 countries

CISA and the FBI said attackers deploying Ghost ransomware have breached victims from multiple industry sectors across over 70 countries, including critical infrastructure organizations.

Other industries impacted include healthcare, government, education, technology, manufacturing, and numerous small and medium-sized businesses.

"Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware," CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) said in a joint advisory released on Wednesday.

"This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China."

Ghost ransomware operators frequently rotate their malware executables, change the file extensions of encrypted files, alter the contents of their ransom notes, and utilize multiple email addresses for ransom communications, which has often led to fluctuating attribution of the group over time.

Names linked to this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture, with ransomware samples used in their attacks including Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

This financially motivated ransomware group leverages publicly accessible code to exploit security flaws in vulnerable servers. They target vulnerabilities left unpatched in Fortinet (CVE-2018-13379), ColdFusion (CVE-2010-2861, CVE-2009-3960), and Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

To defend against Ghost ransomware attacks, network defenders are advised to take the following measures:

1. Make regular and off-site system backups that can't be encrypted by ransomware,
2. Patch operating system, software, and firmware vulnerabilities as soon as possible,
3. Focus on security flaws targeted by Ghost ransomware (i.e., CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207),
4. Segment networks to limit lateral movement from infected devices,
5. Enforce phishing-resistant multi-factor authentication (MFA) for all privileged accounts and email services accounts.

Right after Amigo_A and Swisscom's CSIRT team first spotted Ghost ransomware in early 2021, their operators were dropping custom Mimikatz samples, followed by CobaltStrike beacons, and deploying ransomware payloads using the legitimate Windows CertUtil certificate manager to bypass security software.

In addition to being exploited for initial access in Ghost ransomware attacks, state-backed hacking groups that scanned for vulnerable Fortinet SSL VPN appliances also targeted the CVE-2018-13379 vulnerability.

Attackers also abused the same security vulnerability to breach Internet-exposed U.S. election support systems reachable over the Internet.

Fortinet warned customers to patch their SSL VPN appliances against CVE-2018-13379 multiple times in August 2019, July 2020, November 2020, and again in April 2021.

The joint advisory issued by CISA, the FBI, and MS-ISAC today also includes indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods linked to previous Ghost ransomware activity identified during FBI investigations as recently as January 2025.