Ghost
Ghost (also known as Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture) is a financially motivated ransomware group operating from China that exploits known vulnerabilities in outdated, internet-facing software to attack organizations worldwide.

The origin of Ghost ransomware
Ghost is a financially motivated threat group that emerged in early 2021. The group is believed to operate from China and is known for fast-moving, highly opportunistic attacks. Unlike ransomware actors that establish long-term persistence, Ghost operators typically infiltrate a network, deploy their ransomware, and exit within a few days, according to CISA; in many cases encryption happens on the same day as initial access. They gain entry by exploiting publicly known vulnerabilities in unpatched, internet-facing software, then rapidly escalate privileges, disable security tooling, and encrypt files, leaving defenders little time to respond. Their goal is simple: extract payment as quickly as possible before the intrusion is detected and contained.
Countries targeted by Ghost
Ghost has compromised organizations in more than 70 countries, including organizations inside China itself, according to CISA.
Industries targeted by Ghost
Ghost ransomware actors target a broad spectrum of industries, including critical infrastructure, education, healthcare, government networks, religious institutions, technology, and manufacturing. Small- and medium-sized businesses are also frequently affected.
Ghost's victims
Specific victim names are rarely disclosed, but Ghost incidents have hit organizations across all of the sectors above. Because the group is opportunistic, victims are selected by exposure rather than by sector: any organization running an unpatched, internet-facing instance of the software Ghost targets is a candidate, and those with limited security monitoring are the least likely to interrupt the attack before encryption.
Ghost's Attack Method

Initial access: Ghost actors exploit publicly known vulnerabilities in internet-facing Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange (the ProxyShell chain) to gain unauthorized access, commonly uploading a web shell to the compromised server.

Privilege escalation: attackers use tools like SharpZeroLogon, SharpGPPPass, BadPotato, and GodPotato to elevate privileges; the Potato family abuses SeImpersonatePrivilege on a compromised service account to obtain a SYSTEM token.

Defense evasion: the group disables Windows Defender and other antivirus products, frequently by running a command across network-connected hosts, and tampers with security tooling so that later stages run unhindered.

Credential access: Ghost actors dump credentials with Cobalt Strike's "hashdump" feature and Mimikatz.

Discovery: the attackers perform domain account discovery, process discovery, and network share enumeration with tools like SharpShares and Ladon 911.

Lateral movement: PowerShell commands and Windows Management Instrumentation (WMI) are used to execute code on additional hosts across the victim network.

Execution: the ransomware is launched through PowerShell, the Windows command shell, and the uploaded web shells.

Exfiltration: data theft is not a primary goal, but a limited set of files is exfiltrated to Cobalt Strike Team Servers and Mega.nz cloud storage.

Impact: the ransomware executables Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe encrypt files, leaving the victim's data inaccessible without the decryption key or clean backups.
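The stages above map directly onto host telemetry. The following is an added detection example, written for this page and not taken from the original page or from CISA: it encodes the tradecraft listed above (Defender disabled, Potato and ZeroLogon tooling, hashdump and Mimikatz, SharpShares and Ladon, WMI-driven PowerShell, shells spawned by IIS web shells, Mega.nz traffic, and the four ransomware executables) as rules over process-creation and network events, then correlates hits per host inside a 24-hour window, because Ghost compresses the whole chain into about a day. The event layout, rule names, and the sample events are constructed for the example; map your own EDR or Sysmon fields onto them.

```python
"""Detection rules for the Ghost (Cring) intrusion chain. Added example; the
Event layout, rule names and sample data below are constructed, not from any
vendor product or the CISA advisory."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    image: str = ""    # created process path (Sysmon EID 1 / 4688 style)
    parent: str = ""   # parent process path
    cmdline: str = ""
    dest: str = ""     # destination hostname for DNS / network events


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RANSOMWARE = {"cring.exe", "ghost.exe", "elysiumo.exe", "locker.exe"}
PRIV_ESC = re.compile(r"sharpzerologon|sharpgpppass|badpotato|godpotato", re.I)
CRED = re.compile(r"mimikatz|sekurlsa::|lsadump::|hashdump", re.I)
DISCOVERY = re.compile(r"sharpshares|ladon", re.I)
# Real Defender cmdlets/params (Set-MpPreference, Add-MpPreference) and the
# DisableAntiSpyware policy value; matches the "Defender off" step.
DEFENDER_OFF = re.compile(
    r"Set-MpPreference\s+.*-Disable\w+Monitoring\s+\$?true"
    r"|Add-MpPreference\s+.*-ExclusionPath"
    r"|DisableAntiSpyware",
    re.I,
)
WMI_REMOTE = re.compile(r"\bwmic\b.*/node:.*process\s+call\s+create", re.I)
MEGA = re.compile(r"(^|\.)mega(\.co)?\.nz$", re.I)

RULES = [
    # (rule name, tactic, predicate)
    ("defender_disabled", "defense-evasion",
     lambda e: bool(DEFENDER_OFF.search(e.cmdline))),
    ("potato_zerologon_tool", "privilege-escalation",
     lambda e: bool(PRIV_ESC.search(e.image + " " + e.cmdline))),
    ("credential_dump", "credential-access",
     lambda e: bool(CRED.search(e.cmdline))),
    ("share_enum_tool", "discovery",
     lambda e: bool(DISCOVERY.search(e.image + " " + e.cmdline))),
    ("wmi_remote_exec", "lateral-movement",
     lambda e: (_base(e.parent) == "wmiprvse.exe" and _base(e.image) in SHELLS)
     or bool(WMI_REMOTE.search(e.cmdline))),
    ("webshell_spawned_shell", "initial-access",
     lambda e: _base(e.parent) == "w3wp.exe" and _base(e.image) in SHELLS),
    ("mega_nz_upload", "exfiltration",
     lambda e: bool(MEGA.search(e.dest))),
    ("ghost_locker_binary", "impact",
     lambda e: _base(e.image) in RANSOMWARE),
]


def match(event: Event) -> list[tuple[str, str]]:
    """Return the (rule, tactic) pairs that fire for a single event."""
    return [(name, tactic) for name, tactic, pred in RULES if pred(event)]


def correlate(events, window=timedelta(hours=24), min_tactics=3):
    """Flag a host when >= min_tactics distinct tactics fire within `window`.
    Returns {host: sorted rule names that contributed}."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        for name, tactic in match(e):
            hits[e.host].append((e.ts, name, tactic))
    flagged = {}
    for host, h in hits.items():
        for t0, _, _ in h:
            in_win = [x for x in h if t0 <= x[0] <= t0 + window]
            if len({x[2] for x in in_win}) >= min_tactics:
                flagged[host] = sorted({x[1] for x in in_win})
                break
    return flagged


T = datetime(2025, 1, 15, 9, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE = [  # constructed events, one intrusion across two hosts plus a benign host
    Event(T, "exch01", CMD, r"C:\Windows\System32\inetsrv\w3wp.exe", "cmd.exe /c whoami"),
    Event(T + timedelta(minutes=20), "exch01", r"C:\Users\Public\GodPotato.exe", CMD,
          'GodPotato.exe -cmd "cmd /c whoami"'),
    Event(T + timedelta(minutes=45), "exch01", PS, CMD,
          "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event(T + timedelta(hours=1), "exch01", r"C:\Users\Public\SharpShares.exe", CMD,
          "SharpShares.exe /threads:50"),
    Event(T + timedelta(hours=2), "fs01", PS, r"C:\Windows\System32\wbem\WmiPrvSE.exe",
          "powershell -NoP -W Hidden -c Get-ChildItem C:\\Shares"),
    Event(T + timedelta(hours=3), "fs01", dest="g.api.mega.co.nz"),
    Event(T + timedelta(hours=5), "fs01", r"C:\Users\Public\Locker.exe", CMD, "Locker.exe"),
    Event(T, "ws07", PS, r"C:\Windows\explorer.exe", "powershell Get-Process"),
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE).items():
        print(f"{host}: probable Ghost intrusion ({', '.join(rules)})")
```

Each rule alone is noisy (administrators do run Set-MpPreference), which is why the correlation step requires several distinct tactics on the same host inside the window; for Ghost a short window costs nothing, since the group rarely lingers longer than a day or two.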

FAQs
How does Ghost (Cring) ransomware gain access to a network?
Ghost exploits known vulnerabilities in outdated software, such as Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange (ProxyShell vulnerabilities).
What industries are most targeted by Ghost ransomware?
Critical infrastructure, education, healthcare, government networks, religious institutions, technology, manufacturing, and small businesses.
Does Ghost ransomware exfiltrate data before encryption?
Ghost actors occasionally exfiltrate limited data, but large-scale data theft is not their primary objective.
What security vulnerabilities are commonly exploited by Ghost?
Some notable CVEs include:
- CVE-2018-13379 (Fortinet FortiOS)
- CVE-2010-2861, CVE-2009-3960 (Adobe ColdFusion)
- CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 (Microsoft Exchange ProxyShell).
What tools does Ghost ransomware use?
Ghost actors utilize Cobalt Strike, Mimikatz, SharpZeroLogon, SharpGPPPass, BadPotato, GodPotato, and PowerShell-based scripts.
How can organizations defend against Ghost ransomware?
Organizations can reduce their exposure by patching the vulnerabilities Ghost exploits (the FortiOS, ColdFusion, SharePoint, and Exchange ProxyShell CVEs listed above) and removing unnecessary internet-facing services; keeping offline, tested backups; segmenting networks to limit lateral movement; requiring phishing-resistant MFA for privileged and email accounts; and monitoring for the group's tradecraft, such as Windows Defender being disabled, unauthorized PowerShell and WMI execution, Cobalt Strike beacons, and uploads to Mega.nz, so that an intrusion is contained before encryption begins.
How fast does Ghost ransomware operate?
In many cases, the attackers deploy ransomware within the same day of gaining initial access.
What is the typical ransom demand?
Ghost actors demand ransoms ranging from tens to hundreds of thousands of dollars, payable in cryptocurrency.
How does the Ghost ransomware group communicate with victims?
They use encrypted email services (Tutanota, ProtonMail, Skiff, Mailfence, and Onionmail), and more recently they have also provided TOX IDs for messaging.
Should organizations pay the ransom?
Cybersecurity agencies strongly discourage ransom payments, as they do not guarantee data recovery and may fund further criminal activities.