Ghost (also known as Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture) is a ransomware group originating from China that exploits outdated software vulnerabilities to target organizations worldwide.
Ghost is a financially motivated threat group that emerged in early 2021. The group is believed to operate from China and is known for its fast-moving and highly opportunistic attacks. Unlike some ransomware actors that establish long-term persistence, Ghost operators typically infiltrate a network, deploy their ransomware, and exit within just a few days, according to CISA. By exploiting outdated software vulnerabilities, they rapidly escalate privileges, disable security defenses, and encrypt critical files, leaving victims with little time to respond. Their goal is simple: maximize financial gain as quickly as possible before defenders can detect and mitigate the attack.
Ghost has compromised organizations in over 70 countries, with confirmed attacks in China and numerous other locations.
Ghost ransomware actors target a broad spectrum of industries, including critical infrastructure, education, healthcare, government networks, religious institutions, technology, and manufacturing. Small- and medium-sized businesses are also frequently affected.
While specific victim names are not always disclosed, Ghost ransomware incidents have impacted organizations across various sectors. Given the focus on financial extortion, victims often include institutions with valuable data and limited cybersecurity defenses.
Ghost actors exploit vulnerabilities in Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange (ProxyShell vulnerabilities) to gain unauthorized access.
Attackers use tools like SharpZeroLogon, SharpGPPPass, BadPotato, and GodPotato to elevate privileges and impersonate high-level system users.
The group disables Windows Defender and other antivirus solutions, modifies security tools, and executes commands to remain undetected.
Ghost actors leverage Cobalt Strike’s “hashdump” feature and Mimikatz to steal login credentials.
The attackers conduct domain account discovery, process discovery, and network share enumeration using tools like SharpShares and Ladon 911.
PowerShell commands and Windows Management Instrumentation (WMI) are used to move across victim networks.
The ransomware is executed using PowerShell, Windows Command Shell, and uploaded web shells.
Although data theft is not a primary goal, some files are stolen via Cobalt Strike Team Servers and Mega.nz cloud storage.
The ransomware encrypts files using Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, rendering the victim's data inaccessible unless a ransom is paid.
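The behaviours listed above (named ransomware binaries, the privilege-escalation and discovery tooling, Windows Defender being switched off, and WMI-based remote execution) map well onto process-creation telemetry. The following is an added illustrative example, not code from the profile or from CISA: it runs a small set of detection rules over constructed process-creation records shaped like Sysmon Event ID 1 fields and groups the hits per host. The record layout, rule names, and sample events are assumptions made for the example; the tool and payload names come from the profile.

```python
"""Added example: detection of Ghost-style process activity over constructed
process-creation events. Not part of the original profile."""
import re
from dataclasses import dataclass

# Executable names the profile attributes to Ghost, matched case-insensitively
# against the image file name.
GHOST_PAYLOADS = {"cring.exe", "ghost.exe", "elysiumo.exe", "locker.exe"}
GHOST_TOOLS = {"sharpzerologon", "sharpgpppass", "badpotato", "godpotato",
               "sharpshares", "ladon", "mimikatz"}

# Command-line patterns for the defence-evasion, credential-access and
# lateral-movement steps described above. Rule names are assumptions.
RULES = [
    ("defender_disabled", re.compile(
        r"Set-MpPreference\s+-Disable\w*Monitoring\s+\$?true|"
        r"Windows Defender.*DisableAntiSpyware", re.I)),
    ("wmi_remote_exec", re.compile(
        r"wmic\b.*/node:.*process\s+call\s+create|"
        r"Invoke-WmiMethod.*-ComputerName", re.I)),
    ("cs_hashdump", re.compile(r"\bhashdump\b", re.I)),
]


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str          # full path of the created process
    command_line: str


def classify(event: ProcEvent) -> list[str]:
    """Return the detection labels that fire for a single event, in rule order."""
    labels = []
    image_name = event.image.rsplit("\\", 1)[-1].lower()
    if image_name in GHOST_PAYLOADS:
        labels.append("ghost_ransomware_binary")
    stem = image_name.removesuffix(".exe")
    if any(tool in stem for tool in GHOST_TOOLS):
        labels.append("ghost_tooling")
    for name, pattern in RULES:
        if pattern.search(event.command_line):
            labels.append(name)
    return labels


def triage(events) -> dict[str, list[str]]:
    """Group fired labels per host so a responder sees the chain on each machine."""
    per_host: dict[str, list[str]] = {}
    for ev in events:
        for label in classify(ev):
            per_host.setdefault(ev.host, []).append(label)
    return per_host


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    ProcEvent("web01", "IIS APPPOOL\\DefaultAppPool",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcEvent("web01", "NT AUTHORITY\\SYSTEM",
              r"C:\Users\Public\GodPotato.exe", "GodPotato.exe"),
    ProcEvent("web01", "CORP\\svc_backup",
              r"C:\Windows\System32\wbem\WMIC.exe",
              'wmic /node:fs02 process call create "cmd /c whoami"'),
    ProcEvent("fs02", "CORP\\svc_backup", r"C:\Windows\Temp\Cring.exe", "Cring.exe"),
    ProcEvent("ws17", "CORP\\alice", r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for host, labels in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(labels)}")
```

Grouping by host matters more than any single rule: a Defender-disable command followed by a Potato-family binary and then a WMI call out to another server is the short dwell-time chain the profile describes, and seeing it together is what lets a responder isolate the host before the encryptor stage runs.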
Ghost exploits known vulnerabilities in outdated software, such as Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange (ProxyShell vulnerabilities).
Critical infrastructure, education, healthcare, government networks, religious institutions, technology, manufacturing, and small businesses.
Ghost actors occasionally exfiltrate limited data, but large-scale data theft is not their primary objective.
Some notable CVEs include:
Ghost actors utilize Cobalt Strike, Mimikatz, SharpZeroLogon, SharpGPPPass, BadPotato, GodPotato, and PowerShell-based scripts.
Organizations can defend against Ghost ransomware by implementing threat detection and response solutions that monitor for unusual activity, detect exploitation attempts, block malicious tools like Cobalt Strike, and enable rapid incident response to contain and mitigate attacks before encryption occurs.
In many cases, the attackers deploy ransomware within the same day of gaining initial access.
Ghost actors demand ransoms ranging from tens to hundreds of thousands of dollars, payable in cryptocurrency.
They use encrypted email services (Tutanota, ProtonMail, Skiff, Mailfence, and Onionmail), and recently, they have also used TOX IDs for secure messaging.
Cybersecurity agencies strongly discourage ransom payments, as they do not guarantee data recovery and may fund further criminal activities.