Since early 2021, organizations in the critical infrastructure, government, healthcare, education, technology, and manufacturing sectors across more than 70 countries have been targeted by the Ghost ransomware operation in attacks exploiting vulnerable internet-exposed systems, reports BleepingComputer.
Intrusions by Ghost — also known as Cring, Crypt3r, Hello, HsHarada, Phantom, Rapture, Strike, and Wickrme — involved the abuse of known Fortinet FortiOS, Microsoft Exchange, and Adobe ColdFusion flaws to facilitate the deployment of the Cring.exe, ElysiumO.exe, Ghost.exe, and Locker.exe ransomware strains, according to a joint advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center.
To reduce the risk of Ghost ransomware intrusions, the agencies have urged organizations to maintain regular off-site backups, apply firmware, software, and operating system patches promptly, prioritize remediation of the vulnerabilities Ghost targets, implement network segmentation, and enable phishing-resistant multi-factor authentication.
The federal alert comes four years after Amigo_A and Swisscom's CSIRT team reported that the Ghost ransomware gang deployed Mimikatz samples before moving on to Cobalt Strike and ransomware deployment.