
Ghost Ransomware Affects Companies in Over 70 Countries, Warn FBI and CISA
Ransomware groups frequently changed their names and the encryption methods they used.
U.S. security agencies, such as the FBI and CISA, have issued a warning regarding the operations of cybercriminal groups responsible for the Ghost ransomware, which has affected organizations in over 70 countries. The alert indicates that these entities are primarily targeting critical infrastructure, but also have an interest in sectors such as healthcare, government, technology, and manufacturing. The victims of these attacks can be both large corporations and small to medium-sized enterprises.
Since early 2021, the actors behind Ghost have been targeting victims whose online services were running outdated software and firmware versions. This kind of indiscriminate targeting has facilitated intrusion into vulnerable networks, affecting numerous organizations across various countries, including China.
The challenge in attributing these attacks to a single group lies in the fact that cybercriminals use different names, file extensions, ransom notes, and other elements. Among the names used are Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Investigators have also identified several encryption executables, such as Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.
The attackers have employed tactics that include exploiting unpatched endpoints, primarily focusing on vulnerabilities in Fortinet, ColdFusion, and Exchange products. The best strategy to defend against this type of ransomware is to keep both software and hardware updated. Almost all of the mentioned vulnerabilities have been patched by the vendors, so applying the patches can significantly reduce the risk.
Additionally, it has been reported that state-sponsored hackers have also exploited the vulnerability CVE-2018-13379 to compromise, among other targets, online electoral support systems in the United States. This flaw was patched years ago, and Fortinet has warned about its abuse on several occasions during the years 2019, 2020, and 2021.