Ghost Ransomware Attacks Victims in 70 Countries, Urging Organizations Worldwide to Update Their Systems

73/68 Monday, February 24, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about Ghost Ransomware, a ransomware group linked to China that is rapidly spreading across more than 70 countries worldwide. This group is notable for its ability to escalate from initial network access to a full-scale attack within just one day—significantly faster than typical ransomware groups. High-risk targets include critical infrastructure, hospitals, educational institutions, government agencies, and technology companies that continue to use outdated software or firmware with known vulnerabilities.

CISA reports that Ghost Ransomware exploits unpatched vulnerabilities—such as those in Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and ProxyShell in Microsoft Exchange Server—to gain a foothold in networks. It then uses Cobalt Strike, a legitimate penetration-testing tool that is widely abused by cybercriminals, as the basis for the attack, deploying the ransomware and issuing ransom demands. Although the group threatens to leak stolen data, CISA found that little data is actually exfiltrated, suggesting that these threats are primarily pressure tactics to coerce victims into paying.

Security experts advise organizations to apply security patches urgently to reduce risk and to monitor for the indicators of compromise (IoCs) associated with Ghost Ransomware. CISA further warns that the group rapidly adapts its tactics—for example, by changing the file extensions of encrypted files and using multiple email addresses for ransom communications—so IoC lists age quickly. Organizations should therefore adopt proactive measures, such as threat scanning and monitoring for unauthorized Cobalt Strike activity within their networks, to detect and prevent attacks.

Source: https://www.darkreading.com/cyberattacks-data-breaches/ghost-ransomware-targets-orgs-70-countries