{"uuid": "d41ef7ed-39b6-4408-a718-2c3bce5fc99e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "StopRansomware: Ghost (Cring) Ransomware | CISA", "description": "# StopRansomware: Ghost (Cring) Ransomware | CISA\n\nCybersecurity Advisory\n\nRelease Date: February 19, 2025\n\nAlert Code: AA25-050A\n\n#### Actions for Organizations to Take Today to Mitigate Cyber Threats Related to Ghost (Cring) Ransomware Activity\n\n1.  Maintain regular system backups stored separately from the source systems, so that they cannot be altered or encrypted by potentially compromised network devices \\[CPG 2.R\\].\n2.  Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe \\[CPG 1.E\\].\n    *   Common Vulnerabilities and Exposures (CVEs) exploited by Ghost actors (see **Initial Access**): CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2019-0604, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.\n3.  Segment networks to restrict lateral movement from initially infected devices to other devices in the same organization \\[CPG 2.F\\].\n4.  Require phishing-resistant MFA for access to all privileged accounts and email service accounts.\n\n**Summary**\n-----------\n\n_**Note:** This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. 
Visit_ [_stopransomware.gov_](https://www.cisa.gov/stopransomware \"#StopRansomware\") _to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources._\n\nThe Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Ghost (Cring) ransomware (\"Ghost\") IOCs and TTPs identified through FBI investigation as recently as January 2025.\n\nBeginning in early 2021, Ghost actors began attacking victims whose internet-facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.\n\nGhost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Ransomware files Ghost has used during attacks include Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.\n\nGhost actors use publicly available exploit code for known Common Vulnerabilities and Exposures (CVEs) to gain access to internet-facing servers. 
Ghost actors exploit well-known vulnerabilities and target networks where available patches have not been applied.\n\nThe FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the **Mitigations** section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.\n\n**Technical Details**\n---------------------\n\n**Note:** This advisory uses the [MITRE ATT&CK\u00ae Matrix for Enterprise](https://attack.mitre.org/versions/v16/ \"MITRE ATT&CK\u00ae Matrix for Enterprise\") framework, version 16.1. See the **MITRE ATT&CK Tactics and Techniques** section of this advisory for a table of the threat actors' activity mapped to MITRE ATT&CK tactics and techniques.\n\n### Initial Access\n\nThe FBI has observed Ghost actors obtaining initial access to networks by exploiting public-facing applications associated with multiple CVEs \\[[T1190](https://attack.mitre.org/versions/v16/techniques/T1190/ \"Exploit Public-Facing Application\")\\]. 
Their methodology includes leveraging vulnerabilities in Fortinet FortiOS appliances ([CVE-2018-13379](https://nvd.nist.gov/vuln/detail/CVE-2018-13379 \"CVE-2018-13379\")), servers running Adobe ColdFusion ([CVE-2010-2861](https://nvd.nist.gov/vuln/detail/CVE-2010-2861 \"CVE-2010-2861\") and [CVE-2009-3960](https://nvd.nist.gov/vuln/detail/CVE-2009-3960 \"CVE-2009-3960\")), Microsoft SharePoint ([CVE-2019-0604](https://nvd.nist.gov/vuln/detail/CVE-2019-0604 \"CVE-2019-0604\")), and Microsoft Exchange ([CVE-2021-34473](https://nvd.nist.gov/vuln/detail/CVE-2021-34473 \"CVE-2021-34473\"), [CVE-2021-34523](https://nvd.nist.gov/vuln/detail/CVE-2021-34523 \"CVE-2021-34523\"), and [CVE-2021-31207](https://nvd.nist.gov/vuln/detail/CVE-2021-31207 \"CVE-2021-31207\"), together commonly referred to as the ProxyShell attack chain).\n\n### Execution\n\nGhost actors have been observed uploading a web shell \\[[T1505.003](https://attack.mitre.org/versions/v16/techniques/T1505/003/ \"Server Software Component: Web Shell\")\\] to a compromised server and leveraging the Windows Command Prompt \\[[T1059.003](https://attack.mitre.org/versions/v16/techniques/T1059/003/ \"Command and Scripting Interpreter: Windows Command Shell\")\\] and/or PowerShell \\[[T1059.001](https://attack.mitre.org/versions/v16/techniques/T1059/001/ \"Command and Scripting Interpreter: PowerShell\")\\] to download and execute [Cobalt Strike](https://attack.mitre.org/software/S0154/ \"Cobalt Strike\") Beacon malware \\[[T1105](https://attack.mitre.org/versions/v16/techniques/T1105/ \"Ingress Tool Transfer\")\\], which is then implanted on victim systems. Despite Ghost actors' malicious use of it, Cobalt Strike is a commercially available adversary simulation tool often used to test an organization's security controls.\n\n### Persistence\n\nPersistence is not a major focus for Ghost actors, as they typically spend only a few days on victim networks. 
In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day. However, Ghost actors sporadically create new local \\[[T1136.001](https://attack.mitre.org/versions/v16/techniques/T1136/001/ \"Create Account: Local Account\")\\] and domain accounts \\[[T1136.002](https://attack.mitre.org/versions/v16/techniques/T1136/002/ \"Create Account: Domain Account\")\\] and change passwords for existing accounts \\[[T1098](https://attack.mitre.org/versions/v16/techniques/T1098/ \"Account Manipulation\")\\]. In 2024, Ghost actors were observed deploying web shells \\[[T1505.003](https://attack.mitre.org/versions/v16/techniques/T1505/003/ \"Server Software Component: Web Shell\")\\] on victim web servers.\n\n### Privilege Escalation\n\nGhost actors often rely on built-in Cobalt Strike functions to steal the access token of a process running in the SYSTEM user context and impersonate SYSTEM, often for the purpose of running Beacon a second time with elevated privileges \\[[T1134.001](https://attack.mitre.org/versions/v16/techniques/T1134/001/ \"Access Token Manipulation: Token Impersonation/Theft\")\\].\n\nGhost actors have been observed using multiple open-source tools in an attempt at privilege escalation through exploitation \\[[T1068](https://attack.mitre.org/versions/v16/techniques/T1068/ \"Exploitation for Privilege Escalation\")\\], such as \"[SharpZeroLogon](https://github.com/leitosama/SharpZeroLogon \"SharpZeroLogon\"),\" \"SharpGPPPass,\" \"[BadPotato](https://github.com/BeichenDream/BadPotato \"BadPotato\"),\" and \"[GodPotato](https://github.com/BeichenDream/GodPotato \"GodPotato\").\" These privilege escalation tools would not generally be used by individuals with legitimate access and credentials.\n\nSee **Table 1** for a descriptive listing of tools.\n\n### Credential Access\n\nGhost actors use the built-in Cobalt Strike function 
\"hashdump\" or [Mimikatz](https://attack.mitre.org/versions/v16/software/S0002/ \"Mimikatz\") \\[[T1003](https://attack.mitre.org/versions/v16/techniques/T1003/ \"OS Credential Dumping\")\\] to collect passwords and/or password hashes to aid them with unauthorized logins and privilege escalation or to pivot to other victim devices.\n\n### Defense Evasion\n\nGhost actors use their Cobalt Strike access to display a list of running processes \\[[T1057](https://attack.mitre.org/versions/v16/techniques/T1057/ \"Process Discovery\")\\] to determine which antivirus software \\[[T1518.001](https://attack.mitre.org/versions/v16/techniques/T1518/001/ \"Software Discovery: Security Software Discovery\")\\] is running so that it can be disabled \\[[T1562.001](https://attack.mitre.org/versions/v16/techniques/T1562/001/ \"Impair Defenses: Disable or Modify Tools\")\\]. Ghost frequently runs a command to disable Windows Defender on network-connected devices. The options used in this command are: Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend. Together these switch off real-time, behavior, script, and downloaded-file (IOAV) scanning, controlled folder access, cloud-delivered protection (MAPS), and sample submission, so a single Set-MpPreference invocation that disables several protections at once is a strong detection signal.\n\n### Discovery\n\nGhost actors have been observed using other built-in Cobalt Strike commands for domain account discovery \\[[T1087.002](https://attack.mitre.org/versions/v16/techniques/T1087/002/ \"Account Discovery: Domain Account\")\\], open-source tools such as \"[SharpShares](https://github.com/mitchmoser/SharpShares \"SharpShares\")\" for network share discovery \\[[T1135](https://attack.mitre.org/versions/v16/techniques/T1135/ \"Network Share Discovery\")\\], and \"[Ladon 911](https://github.com/k8gege/Ladon)\" and \"[SharpNBTScan](https://github.com/BronzeTicket/SharpNBTScan \"SharpNBTScan\")\" for remote systems discovery 
\\[[T1018](https://attack.mitre.org/versions/v16/techniques/T1018/ \"Remote System Discovery\")\\]. Network administrators would be unlikely to use these tools for network share or remote systems discovery.\n\n### Lateral Movement\n\nGhost actors use elevated access and the Windows Management Instrumentation Command-Line (WMIC) utility \\[[T1047](https://attack.mitre.org/versions/v16/techniques/T1047/ \"Windows Management Instrumentation\")\\] to run PowerShell commands on additional systems on the victim network, often for the purpose of initiating additional Cobalt Strike Beacon infections. The associated encoded string is a Base64 PowerShell command that always begins with: powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIA\u2026 \\[[T1132.001](https://attack.mitre.org/versions/v16/techniques/T1132/001/ \"Data Encoding: Standard Encoding\")\\]\\[[T1564.003](https://attack.mitre.org/versions/v16/techniques/T1564/003/ \"Hide Artifacts: Hidden Window\")\\].\n\nThe -encodedcommand argument is Base64 over the UTF-16LE bytes of the script (which is why PowerShell-encoded commands starting with a $ variable begin with JAB). This string decodes to $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(\" and is the opening of a loader that decodes and executes Cobalt Strike in memory on the target machine.\n\n**In cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack on a victim.**\n\n### Exfiltration\n\nGhost ransom notes often claim exfiltrated data will be sold if a ransom is not paid. However, Ghost actors do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information (PII), that would cause significant harm to victims if leaked. The FBI has observed limited downloading of data to Cobalt Strike Team Servers \\[[T1041](https://attack.mitre.org/versions/v16/techniques/T1041/ \"Exfiltration Over C2 Channel\")\\]. 
Victims and other trusted third parties have reported limited use of Mega.nz \\[[T1567.002](https://attack.mitre.org/versions/v16/techniques/T1567/002/ \"Exfiltration Over Web Service: Exfiltration to Cloud Storage\")\\] and of installed web shells for similarly limited data exfiltration. **Note:** The typical data exfiltration is less than hundreds of gigabytes of data.\n\n### Command and Control\n\nGhost actors rely heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command and control (C2) operations, which run over hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) \\[[T1071.001](https://attack.mitre.org/versions/v16/techniques/T1071/001/ \"Application Layer Protocol: Web Protocols\")\\]. Ghost rarely registers domains for its C2 servers. Instead, the uniform resource identifier (URI) used to download and execute Beacon references the C2 server's IP address directly, for example http://xxx.xxx.xxx.xxx:80/Google.com, where xxx.xxx.xxx.xxx represents the C2 server's IP address.\n\nFor email communication with victims, Ghost actors use legitimate email services that include traffic encryption features \\[[T1573](https://attack.mitre.org/versions/v16/techniques/T1573/ \"Encrypted Channel\")\\]. Examples of email services Ghost actors have been observed using are Tutanota, Skiff, ProtonMail, Onionmail, and Mailfence.\n\n**Note:** **Table 3** contains a list of Ghost ransom email addresses.\n\n### Impact and Encryption\n\nGhost actors use Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which are all ransomware executables that share similar functionality. Ghost variants can be used to encrypt specific directories or the entire system's storage \\[[T1486](https://attack.mitre.org/versions/v16/techniques/T1486/ \"Data Encrypted for Impact\")\\]. 
The behavior of a given executable depends on the command-line arguments supplied when the ransomware file is run. Various file extensions and system folders are excluded during the encryption process to avoid encrypting files that would render targeted devices inoperable.\n\nThese ransomware payloads clear Windows Event Logs \\[[T1070.001](https://attack.mitre.org/versions/v16/techniques/T1070/001/ \"Indicator Removal: Clear Windows Event Logs\")\\], disable the Volume Shadow Copy Service, and delete shadow copies to inhibit system recovery attempts \\[[T1490](https://attack.mitre.org/versions/v16/techniques/T1490/ \"Inhibit System Recovery\")\\]. Data encrypted with Ghost ransomware variants cannot be recovered without the decryption key. Ghost actors hold the encrypted data for ransom and typically demand anywhere from tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software \\[[T1486](https://attack.mitre.org/versions/v16/techniques/T1486/ \"Data Encrypted for Impact\")\\].\n\nThe impact of Ghost ransomware activity varies widely on a victim-to-victim basis. Ghost actors tend to move on to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral movement to other devices.\n\n**Indicators of Compromise (IOC)**\n----------------------------------\n\n**Table 1** lists several tools and applications Ghost actors have used in their operations. The use of these tools and applications on a network should be investigated further.\n\n**Note:** Authors of these tools generally state that they should not be used in illegal activity.\n\n_Table 1: Tools Leveraged by Ghost Actors_\n\n| Name | Description | Source |\n| --- | --- | --- |\n| Cobalt Strike | Cobalt Strike is penetration testing software. Ghost actors use an unauthorized version of Cobalt Strike. | N/A |\n| IOX | Open-source proxy, used to establish a reverse proxy to a Ghost C2 server from an internal victim device. | github\\[.\\]com/EddieIvan01/iox |\n| SharpShares.exe | SharpShares.exe is used to enumerate accessible network shares in a domain. Ghost actors use this primarily for host discovery. | github\\[.\\]com/mitchmoser/SharpShares |\n| SharpZeroLogon.exe | SharpZeroLogon.exe attempts to exploit [CVE-2020-1472](https://nvd.nist.gov/vuln/detail/CVE-2020-1472 \"CVE-2020-1472\") and is run against a target Domain Controller. | github\\[.\\]com/leitosama/SharpZeroLogon |\n| SharpGPPPass.exe | SharpGPPPass.exe attempts to exploit [CVE-2014-1812](https://nvd.nist.gov/vuln/detail/CVE-2014-1812 \"CVE-2014-1812\") and targets XML files created through Group Policy Preferences that may contain passwords. | N/A |\n| SpnDump.exe | SpnDump.exe is used to list service principal name identifiers, which Ghost actors use for service and hostname enumeration. | N/A |\n| NBT.exe | A compiled version of SharpNBTScan, a NetBIOS scanner. Ghost actors use this tool for hostname and IP address enumeration. | github\\[.\\]com/BronzeTicket/SharpNBTScan |\n| BadPotato.exe | BadPotato.exe is an exploitation tool used for privilege escalation. | github\\[.\\]com/BeichenDream/BadPotato |\n| God.exe | God.exe is a compiled version of GodPotato and is used for privilege escalation. | github\\[.\\]com/BeichenDream/GodPotato |\n| HFS (HTTP File Server) | A portable web server program that Ghost actors use to host files for remote access and exfiltration. | rejitto\\[.\\]com/hfs |\n| Ladon 911 | A multifunctional scanning and exploitation tool, often used by Ghost actors with the MS17010 option to scan for SMB vulnerabilities associated with [CVE-2017-0143](https://nvd.nist.gov/vuln/detail/CVE-2017-0143 \"CVE-2017-0143\") and [CVE-2017-0144](https://nvd.nist.gov/vuln/detail/CVE-2017-0144 \"CVE-2017-0144\"). | github\\[.\\]com/k8gege/Ladon |\n| Web Shell | A backdoor installed on a web server that allows for the execution of commands and facilitates persistent access. | Slight variation of github\\[.\\]com/BeichenDream/Chunk-Proxy/blob/main/proxy.aspx |\n\n_Table 2: MD5 File Hashes Associated with Ghost Ransomware Activity_\n\n| File name | MD5 File Hash |\n| --- | --- |\n| Cring.exe | c5d712f82d5d37bb284acd4468ab3533 |\n| Ghost.exe | 34b3009590ec2d361f07cac320671410 |\n| Ghost.exe | d9c019182d88290e5489cdf3b607f982 |\n| ElysiumO.exe | 29e44e8994197bdb0c2be6fc5dfc15c2 |\n| ElysiumO.exe | c9e35b5c1dc8856da25965b385a26ec4 |\n| ElysiumO.exe | d1c5e7b8e937625891707f8b4b594314 |\n| Locker.exe | ef6a213f59f3fbee2894bd6734bbaed2 |\n| iex.txt, pro.txt (IOX) | ac58a214ce7deb3a578c10b97f93d9c3 |\n| x86.log (IOX) | c3b8f6d102393b4542e9f951c9435255 |\n| x86.log (IOX) | 0a5c4ad3ec240fbfd00bdc1d36bd54eb |\n| sp.txt (IOX) | ff52fdf84448277b1bc121f592f753c5 |\n| main.txt (IOX) | a2fd181f57548c215ac6891d000ec6b9 |\n| isx.txt (IOX) | 625bd7275e1892eac50a22f8b4a6355d |\n| sock.txt (IOX) | db38ef2e3d4d8cb785df48f458b35090 |\n\n### Ransom Email Addresses\n\n**Table 3** is a subset of ransom email addresses that have been included in Ghost ransom notes.\n\n_Table 3: Ransom Email Addresses_\n\nThe addresses in this table are obfuscated by the source page's email-protection script and could not be recovered from the extracted copy; the original advisory carries the full list.\n\n### Ransom Notes\n\nStarting approximately in August 2024, Ghost actors began using TOX IDs in ransom notes as an alternative method for communicating with victims. For example: EFE31926F41889DBF6588F27A2EC3A2D7DEF7D2E9E0A1DEFD39B976A49C11F0E19E03998DBDA and E83CD54EAAB0F31040D855E1ED993E2AC92652FF8E8742D3901580339D135C6EBCD71002885B.\n\n**MITRE ATT&CK Tactics and Techniques**\n---------------------------------------\n\nSee **Table 4** to **Table 13** for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, version 16.1, see CISA and MITRE ATT&CK's [Best Practices for MITRE ATT&CK Mapping](https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping \"Best Practices for MITRE ATT&CK Mapping\") and CISA's [Decider Tool](https://github.com/cisagov/Decider/ \"Decider Tool\").\n\n_Table 4: Initial Access_\n\n| Technique Title | ID | Use |\n| --- | --- | --- |\n| Exploit Public-Facing Application | [T1190](https://attack.mitre.org/versions/v16/techniques/T1190/ \"Exploit Public-Facing Application\") | Ghost actors exploit multiple vulnerabilities in public-facing systems to gain initial access to servers. |\n\n_Table 5: Execution_\n\n| Technique Title | ID | Use |\n| --- | --- | --- |\n| Windows Management Instrumentation | [T1047](https://attack.mitre.org/versions/v16/techniques/T1047/ \"Windows Management Instrumentation\") | Ghost actors abuse WMI to run PowerShell scripts on other devices, resulting in their infection with Cobalt Strike Beacon malware. |\n| PowerShell | [T1059.001](https://attack.mitre.org/versions/v16/techniques/T1059/001/ \"Command and Scripting Interpreter: PowerShell\") | Ghost actors use PowerShell for various functions, including to deploy Cobalt Strike. |\n| Windows Command Shell | [T1059.003](https://attack.mitre.org/techniques/T1059/003/ \"Command and Scripting Interpreter: Windows Command Shell\") | Ghost actors use the Windows Command Shell to download malicious content onto victim servers. |\n\n_Table 6: Persistence_\n\n| Technique Title | ID | Use |\n| --- | --- | --- |\n| Account Manipulation | [T1098](https://attack.mitre.org/versions/v16/techniques/T1098/ \"Account Manipulation\") | Ghost actors change passwords for already established accounts. |\n| Local Account | [T1136.001](https://attack.mitre.org/versions/v16/techniques/T1136/001/ \"Create Account: Local Account\") | Ghost actors create new local accounts or modify existing ones. |\n| Domain Account | [T1136.002](https://attack.mitre.org/versions/v16/techniques/T1136/002/ \"Create Account: Domain Account\") | Ghost actors create new domain accounts or modify existing ones. |\n| Web Shell | [T1505.003](https://attack.mitre.org/versions/v16/techniques/T1505/003/ \"Server Software Component: Web Shell\") | Ghost actors upload web shells to victim servers to gain access and for persistence. |\n\n_Table 7: Privilege Escalation_\n\n| Technique Title | ID | Use |\n| --- | --- | --- |\n| Exploitation for Privilege Escalation | [T1068](https://attack.mitre.org/versions/v16/techniques/T1068/ \"Exploitation for Privilege Escalation\") | Ghost actors use a suite of open-source tools in an attempt to gain elevated privileges through exploitation of vulnerabilities. |\n| Token Impersonation/Theft | [T1134.001](https://attack.mitre.org/versions/v16/techniques/T1134/001/ \"Access Token Manipulation: Token Impersonation/Theft\") | Ghost actors use Cobalt Strike to steal the tokens of processes running at a higher privilege. |\n\n_Table 8: Defense Evasion_\n\n| Technique Title | ID | Use |\n| --- | --- | --- |\n| Application Layer Protocol: Web Protocols | [T1071.001](https://attack.mitre.org/versions/v16/techniques/T1071/001/ \"Application Layer Protocol: Web Protocols\") | Ghost actors use HTTP and HTTPS protocols while conducting C2 operations. |\n| Impair Defenses: Disable or Modify Tools | [T1562.001](https://attack.mitre.org/versions/v16/techniques/T1562/001/ \"Impair Defenses: Disable or Modify Tools\") | Ghost actors disable antivirus products. |\n| Hidden Window | [T1564.003](https://attack.mitre.org/versions/v16/techniques/T1564/003/ \"Hide Artifacts: Hidden Window\") | Ghost actors run PowerShell with a hidden window to conceal malicious activity from the user. |\n\n_Table 9: Credential Access_\n\n| Technique Title | ID | Use |\n| --- | --- | --- |\n| OS Credential Dumping | [T1003](https://attack.mitre.org/versions/v16/techniques/T1003/ \"OS Credential Dumping\") | Ghost actors use Mimikatz and the Cobalt Strike \"hashdump\" command to collect passwords and password hashes. |\n\n_Table 10: Discovery_\n\n| Technique Title | ID | Use |\n| --- | --- | --- |\n| Remote System Discovery | [T1018](https://attack.mitre.org/versions/v16/techniques/T1018/ \"Remote System Discovery\") | Ghost actors use tools like Ladon 911 and SharpNBTScan for remote systems discovery. |\n| Process Discovery | [T1057](https://attack.mitre.org/versions/v16/techniques/T1057/ \"Process Discovery\") | Ghost actors run a ps command to list running processes on an infected device. |\n| Domain Account Discovery | [T1087.002](https://attack.mitre.org/techniques/T1087/002 \"Account Discovery: Domain Account\") | Ghost actors run commands such as net group \"Domain Admins\" /domain to discover a list of domain administrator accounts. |\n| Network Share Discovery | [T1135](https://attack.mitre.org/versions/v16/techniques/T1135/ \"Network Share Discovery\") | Ghost actors use various tools for network share discovery for the purpose of host enumeration. |\n| Software Discovery | [T1518](https://attack.mitre.org/versions/v16/techniques/T1518/ \"Software Discovery\") | Ghost actors use their access to determine which antivirus software is running. |\n| Security Software Discovery | [T1518.001](https://attack.mitre.org/versions/v16/techniques/T1518/001/ \"Software Discovery: Security Software Discovery\") | Ghost actors run Cobalt Strike to enumerate running antivirus software. |\n\n_Table 11: Exfiltration_\n\n| Technique Title | ID | Use |\n| --- | --- | --- |\n| Exfiltration Over C2 Channel | [T1041](https://attack.mitre.org/versions/v16/techniques/T1041/ \"Exfiltration Over C2 Channel\") | Ghost actors use both web shells and Cobalt Strike to exfiltrate limited data. |\n| Exfiltration to Cloud Storage | [T1567.002](https://attack.mitre.org/versions/v16/techniques/T1567/002/ \"Exfiltration Over Web Service: Exfiltration to Cloud Storage\") | Ghost actors sometimes use legitimate cloud storage providers such as Mega.nz for malicious exfiltration operations. |\n\n_Table 12: Command and Control_\n\n| Technique Title | ID | Use |\n| --- | --- | --- |\n| Web Protocols | [T1071.001](https://attack.mitre.org/versions/v16/techniques/T1071/001/ \"Application Layer Protocol: Web Protocols\") | Ghost actors use Cobalt Strike Beacon malware and Cobalt Strike Team Servers, which communicate over HTTP and HTTPS. |\n| Ingress Tool Transfer | [T1105](https://attack.mitre.org/versions/v16/techniques/T1105/ \"Ingress Tool Transfer\") | Ghost actors use Cobalt Strike Beacon malware to deliver ransomware payloads to victim servers. |\n| Standard Encoding | [T1132.001](https://attack.mitre.org/versions/v16/techniques/T1132/001/ \"Data Encoding: Standard Encoding\") | Ghost actors use Base64-encoded PowerShell commands, which reduces the likelihood of detection during lateral movement. |\n| Encrypted Channel | [T1573](https://attack.mitre.org/versions/v16/techniques/T1573/ \"Encrypted Channel\") | Ghost actors use encrypted email platforms to facilitate communications. |\n\n_Table 13: Impact_\n\n| Technique Title | ID | Use |\n| --- | --- | --- |\n| Data Encrypted for Impact | [T1486](https://attack.mitre.org/techniques/T1486 \"Data Encrypted for Impact\") | Ghost actors use the ransomware variants Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe to encrypt victim files for ransom. |\n| Inhibit System Recovery | [T1490](https://attack.mitre.org/versions/v16/techniques/T1490/ \"Inhibit System Recovery\") | Ghost actors delete volume shadow copies. |\n\n**Mitigations**\n---------------\n\nThe FBI, CISA, and MS-ISAC recommend organizations reference their [#StopRansomware Guide](https://www.cisa.gov/stopransomware/ransomware-guide \"#StopRansomware Guide\") and implement the mitigations below to improve cybersecurity posture on the basis of the Ghost ransomware activity. These mitigations align with the [Cross-Sector Cybersecurity Performance Goals (CPGs)](https://www.cisa.gov/cross-sector-cybersecurity-performance-goals \"Cross-Sector Cybersecurity Performance Goals (CPGs)\") developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's [CPGs webpage](https://www.cisa.gov/cpg \"CPGs webpage\") for more information on the CPGs, including additional recommended baseline protections.\n\n*   **Maintain regular system backups** that are known-good and stored offline or are segmented from source systems \\[[CPG 2.R](https://www.cisa.gov/cybersecurity-performance-goals-cpgs#SystemBackups2R \"System Backups (2.R)\")\\]. 
Ghost ransomware victims whose backups were unaffected by the ransomware attack were often able to restore operations without needing to contact Ghost actors or pay a ransom.\n*   **Patch known vulnerabilities** by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe \\[[CPG 1.E](https://www.cisa.gov/cybersecurity-performance-goals-cpgs#MitigatingKnownVulnerabilities1E \"Mitigating Known Vulnerabilities (1.E)\")\\].\n*   **Segment networks** to restrict lateral movement from initially infected devices to other devices in the same organization \\[[CPG 2.F](https://www.cisa.gov/cybersecurity-performance-goals-cpgs#NetworkSegmentation2F \"Network Segmentation (2.F)\")\\].\n*   **Require** [**Phishing-Resistant MFA**](https://www.cisa.gov/MFA \"Phishing-Resistant MFA\") **for access to all privileged accounts and email service accounts.**\n*   **Train users to recognize phishing attempts.**\n*   **Monitor for unauthorized use of PowerShell.** Ghost actors use PowerShell to download and execute their tooling, although it is also a legitimate tool that administrators and defenders use to manage systems, so the goal is to distinguish expected administrative use from anomalous use. For more information, see NSA and CISA\u2019s [joint guidance](https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/1/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF \"joint guidance\") on PowerShell best practices.\n    *   Apply the principle of least privilege when granting PowerShell access, so that only employees whose business role requires PowerShell are able to use it.\n*   **Implement allowlisting** for applications, scripts, and network traffic to prevent unauthorized execution and access \\[[CPG 3.A](https://www.cisa.gov/cybersecurity-performance-goals-cpgs#DetectingRelevantThreatsandTTPs3A \"Detecting Relevant Threats and TTPs (3.A)\")\\].\n*   **Identify, alert on, and investigate abnormal network activity.** Ransomware activity generates unusual network traffic across all phases of the attack chain. This includes running scans to discover other network-connected devices, running commands to list, add, or alter administrator accounts, using PowerShell to download and execute remote programs, and running scripts not usually seen on a network. Organizations that can successfully identify and investigate this activity are better able to interrupt malicious activity before ransomware is executed \\[[CPG 3.A](https://www.cisa.gov/cybersecurity-performance-goals-cpgs#DetectingRelevantThreatsandTTPs3A \"Detecting Relevant Threats and TTPs (3.A)\")\\].\n    *   Ghost actors run a significant number of commands, scripts, and programs that IT administrators would have no legitimate reason to run. Victims who have identified and responded to this unusual behavior have successfully prevented Ghost ransomware attacks.\n*   **Limit exposure of services by closing or filtering unused ports**, such as RDP (TCP 3389), FTP (TCP 21), and SMB (TCP 445), and by restricting access to essential services through securely configured VPNs or firewalls. Verify which ports are actually reachable by scanning your external address space from outside the network rather than assuming default port assignments.\n*   **Enhance email security** by implementing advanced filtering, blocking malicious attachments, and enabling DMARC, DKIM, and SPF to prevent spoofing \\[[CPG 2.M](https://www.cisa.gov/cybersecurity-performance-goals-cpgs#EmailSecurity2M \"Email Security (2.M)\")\\].\n\n**Validate Security Controls**\n------------------------------\n\nIn addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization\u2019s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.\n\nTo get started:\n\n1.  Select an ATT&CK technique described in this advisory (see **Table 3** to **Table 13**).\n2.  Align your security technologies against the technique.\n3.  Test your technologies against the technique.\n4.  
Analyze your detection and prevention technologies\u2019 performance.\n5.  Repeat the process for all security technologies to obtain a set of comprehensive performance data.\n6.  Tune your security program, including people, processes, and technologies, based on the data generated by this process.\n\n**Reporting**\n-------------\n\nYour organization has no obligation to respond or provide information back to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.\n\nThe FBI is interested in any information that can be shared, including logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, and/or decryptor files.\n\nAdditional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, date of infection, date detected, initial attack vector, and host- and network-based indicators.\n\nThe FBI, CISA, and MS-ISAC do not encourage paying a ransom, as payment does not guarantee that victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. 
Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to FBI\u2019s [Internet Crime Complaint Center (IC3)](https://www.ic3.gov/Home/ComplaintChoice \"Internet Crime Complaint Center (IC3)\"), a [local FBI Field Office](https://www.fbi.gov/contact-us/field-offices \"local FBI Field Office\"), or CISA via the agency\u2019s [Incident Reporting System](https://www.cisa.gov/report \"Incident Reporting System\") or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).\n\n**Disclaimer**\n--------------\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. The FBI, CISA, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. 
Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, and the MS-ISAC.\n\n**Version History**\n-------------------\n\n**February 19, 2025:** Initial version.\n\nThis product is provided subject to this\u00a0[Notification](/notification \"Follow link\")\u00a0and this\u00a0[Privacy & Use](/privacy-policy \"Follow link\")\u00a0policy.\n\n### Tags\n\n**Advisory CVE**: [CVE-2009-3960](https://nvd.nist.gov/vuln/detail/CVE-2009-3960), [CVE-2010-2861](https://nvd.nist.gov/vuln/detail/CVE-2010-2861), [CVE-2018-13379](https://nvd.nist.gov/vuln/detail/CVE-2018-13379), [CVE-2019-0604](https://nvd.nist.gov/vuln/detail/CVE-2019-0604), [CVE-2021-31207](https://nvd.nist.gov/vuln/detail/CVE-2021-31207), [CVE-2021-34473](https://nvd.nist.gov/vuln/detail/CVE-2021-34473), [CVE-2021-34523](https://nvd.nist.gov/vuln/detail/CVE-2021-34523)\n\n**Audience**: Educational Institutions, Faith-Based Community, Industry, Small and Medium Businesses\n\n**Co-Sealers and Partners**: Federal Bureau of Investigation, Multi-State Information Sharing and Analysis Center\n\n**MITRE ATT&CK TTP**: Command and Control (TA0011), Credential Access (TA0006), Defense Evasion (TA0005), Discovery (TA0007), Execution (TA0002), Exfiltration (TA0010), Impact (TA0040), Initial Access (TA0001), Lateral Movement (TA0008), Persistence (TA0003), Privilege Escalation (TA0004)\n", "creation_timestamp": "2025-03-03T08:51:11.190614+00:00", "timestamp": "2025-03-03T08:51:58.533562+00:00", "related_vulnerabilities": ["CVE-2014-1812", "CVE-2020-1472", "CVE-2019-0604", "CVE-2010-2861", "CVE-2017-0144", "CVE-2018-13379", "CVE-2021-31207", "CVE-2017-0143", "CVE-2021-34473", "CVE-2009-3960", "CVE-2021-34523"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
