
The United States Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), in partnership with the Multi-State Information Sharing and Analysis Center (MS-ISAC), recently released a joint Cybersecurity Advisory (AA25-022A) warning of a global surge in Ghost (also known as Cring) ransomware attacks. The advisory documents the indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) commonly seen in Ghost intrusions so that defenders can recognize them and protect against these attacks.
Ghost ransomware is a significant part of the global threat landscape: it has hit critical infrastructure, healthcare, government institutions, and more. Organizations across many industries in over 70 countries have been compromised by Ghost actors exploiting known vulnerabilities in unpatched, internet-facing software. The actors reuse the same playbook against a wide range of targets, with potentially catastrophic consequences for the organizations affected.
Understanding Ghost Ransomware’s Attack Tactics
Ghost actors around the world have gained their initial foothold by exploiting known vulnerabilities in outdated software and firmware on internet-facing services. Having exploited such a flaw, they establish persistence and command-and-control with web shells, Cobalt Strike beacons, and open-source network intrusion tools. Because they rely on publicly available code and long-known vulnerabilities, Ghost actors need no novel exploits to gain unauthorized access to an organization’s network.
Once inside, Ghost actors move laterally and escalate privileges to reach increasingly sensitive systems and data. Abusing Cobalt Strike functions to steal process tokens, or running open-source privilege-escalation tools, lets them impersonate legitimate users and elevate their access. With elevated privileges they run PowerShell commands on other systems across the network. The chain from initial access to ransomware deployment moves rapidly, which leaves defenders little time to detect the intrusion before real damage is done.
Industries and Organizations Impacted
The recently observed Ghost ransomware attacks have targeted a wide range of sectors across many countries: critical infrastructure (including energy, transportation, and healthcare), government agencies, educational and religious institutions, and technology companies. Many of these organizations handle and store vast amounts of highly sensitive data, so a ransomware attack against them can cause catastrophic harm.
Small and medium-sized businesses have also been targeted. They are attractive to threat actors because they often lack the in-house resources to maintain a robust security program, and a ransomware attack can be an existential threat to a smaller business that cannot afford the cost of remediation and recovery.
The Advanced Techniques Behind Ghost Ransomware
Ghost ransomware actors rely on a consistent set of post-exploitation techniques from initial access onward. These include:
- Using built-in Cobalt Strike functions to collect passwords and password hashes, which enables further unauthorized access and privilege escalation.
- Executing commands to disable security tools such as Windows Defender in order to evade detection.
- Manipulating user accounts after gaining unauthorized access, such as by creating new accounts or changing passwords.
- Leveraging open-source tools for domain and network reconnaissance, including network share discovery and remote system discovery.
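The lateral-movement and privilege-escalation behaviour described in the previous section and the techniques in the list above leave a recognizable trail in Windows logs. As an added example (not code from the advisory or its authors), the Python below runs two simple correlation rules over constructed Windows Security/PowerShell event records: Defender disabled by command on the same host where an account was created or had its password reset shortly before or after, and one account touching many distinct shares across several hosts in a short window. The event IDs are the standard Windows ones (4720 user account created, 4724 password reset by another principal, 4104 PowerShell script block logged, 5140 network share accessed); the time window, the share threshold, the hostnames, user names and the tamper regex are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumption: tight window, because Ghost moves fast
SHARE_THRESHOLD = 4              # assumption: distinct shares touched by one account in WINDOW

# Set-MpPreference is the real Defender cmdlet; the pattern itself is an assumption.
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.IGNORECASE)

# Constructed sample events, not real telemetry. "host" is the machine that
# logged the event (for 5140 that is the file server, not the client).
SAMPLE_EVENTS = [
    {"ts": "2025-02-20T09:01:00", "host": "web01", "id": 4104, "user": "svc_web",
     "data": "ScriptBlockText=Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2025-02-20T09:02:30", "host": "web01", "id": 4720, "user": "svc_web",
     "data": "TargetUserName=support$"},
    {"ts": "2025-02-20T09:03:10", "host": "web01", "id": 4724, "user": "svc_web",
     "data": "TargetUserName=backupadmin"},
    {"ts": "2025-02-20T09:05:00", "host": "fs01", "id": 5140, "user": "support$",
     "data": "ShareName=\\\\*\\C$ IpAddress=10.0.5.21"},
    {"ts": "2025-02-20T09:05:20", "host": "fs01", "id": 5140, "user": "support$",
     "data": "ShareName=\\\\*\\ADMIN$ IpAddress=10.0.5.21"},
    {"ts": "2025-02-20T09:05:45", "host": "fs02", "id": 5140, "user": "support$",
     "data": "ShareName=\\\\*\\C$ IpAddress=10.0.5.21"},
    {"ts": "2025-02-20T09:06:10", "host": "dc01", "id": 5140, "user": "support$",
     "data": "ShareName=\\\\*\\SYSVOL IpAddress=10.0.5.21"},
    {"ts": "2025-02-20T09:06:30", "host": "hr01", "id": 5140, "user": "support$",
     "data": "ShareName=\\\\*\\C$ IpAddress=10.0.5.21"},
    # Benign noise: a helpdesk password reset, a signature update, one ordinary share open.
    {"ts": "2025-02-20T14:02:00", "host": "dc01", "id": 4724, "user": "helpdesk",
     "data": "TargetUserName=jdoe"},
    {"ts": "2025-02-20T14:05:00", "host": "dc01", "id": 4104, "user": "SYSTEM",
     "data": "ScriptBlockText=Update-MpSignature"},
    {"ts": "2025-02-20T10:15:00", "host": "fs01", "id": 5140, "user": "jsmith",
     "data": "ShareName=\\\\*\\Finance IpAddress=10.0.7.40"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _fields(data):
    """Parse 'Key=Value Key2=Value2' event text into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", data))


def detect(events):
    """Return findings as dicts with subject, severity and reason."""
    findings = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    # Rule 1: Defender disabled by command on a host where an account was
    # created or had its password reset within WINDOW (in either order).
    for host, evs in by_host.items():
        tamper = [e for e in evs if e["id"] == 4104 and DEFENDER_TAMPER.search(e["data"])]
        accounts = [e for e in evs if e["id"] in (4720, 4724)]
        for t in tamper:
            near = [a for a in accounts if abs(_ts(a) - _ts(t)) <= WINDOW]
            if near:
                targets = sorted({_fields(a["data"]).get("TargetUserName", "?") for a in near})
                findings.append({"subject": host, "severity": "high",
                                 "reason": f"{t['user']} disabled Defender and accounts "
                                           f"{', '.join(targets)} were created/reset within {WINDOW}"})

    # Rule 2: one account touches many distinct shares across hosts within
    # WINDOW, the footprint of share-discovery tooling.
    share_hits = defaultdict(list)
    for e in events:
        if e["id"] == 5140:
            share = (e["host"], _fields(e["data"]).get("ShareName", "?"))
            share_hits[e["user"]].append((_ts(e), share))
    for user, hits in share_hits.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):
            distinct = {s for t, s in hits[i:] if t - t0 <= WINDOW}
            if len(distinct) >= SHARE_THRESHOLD:
                hosts = {h for h, _ in distinct}
                findings.append({"subject": user, "severity": "medium",
                                 "reason": f"{len(distinct)} distinct shares on {len(hosts)} hosts within {WINDOW}"})
                break
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['subject']}: {f['reason']}")
```

Running the script reports one high finding for web01 and one medium finding for the new `support$` account, and nothing for the helpdesk reset or the single Finance share open. Two practical caveats when porting these rules to a SIEM: event 4104 only exists if PowerShell script block logging is enabled by policy, and 5140 only appears if the "Audit File Share" subcategory is turned on, so both must be confirmed on the hosts you expect to alert from.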
Mitigation Strategies and Cyber Defense Measures
Preventing Ghost ransomware attacks requires sustained effort to build and maintain an effective security program. These attacks have leveraged long-known vulnerabilities in legacy applications, which “reinforces the critical need for proactive risk management – security leaders must ensure that software, firmware and identity systems are continuously updated and hardened against exploitation,” says Darren Guccione, CEO and Co-Founder at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software.
Beyond keeping up with patches, organizations should take proactive steps to mitigate the risks associated with Ghost ransomware. Strong identity and access management is essential to limit what a threat actor can reach from a single compromised system. Measures like “multi-factor authentication, a zero-trust framework and least-privilege access controls” can stop lateral movement and privilege escalation, according to Guccione. Enhanced endpoint security and network segmentation also help with detecting and containing these threats.
Organizations should also leverage threat intelligence and deploy proactive monitoring to keep pace with evolving threats, detect intrusions early, and reduce ransomware risk. Finally, employee cybersecurity awareness and training are crucial to protect against infiltration via social engineering and other methods that exploit the human element.
The Global Cybersecurity Implications
The rising trend of ransomware attacks targeting critical infrastructure and vital industries has disturbing implications for the global cybersecurity landscape. Threat actors have always gone after sensitive resources with ransomware, but the scale of the Ghost campaign shows how willing attackers are to put highly sensitive data and operations at risk.
In order to effectively protect against threats like these ransomware attacks, government agencies and both public and private organizations must work together on cyber defense initiatives. A collaborative and cooperative effort is necessary to protect organizations across the globe in all industries against potentially catastrophic ransomware attacks. The attacks that have been ramping up in recent years are already sophisticated and pose many challenges, and ransomware attacks will likely continue to evolve to evade security measures and obtain bigger payouts.
Conclusion
The joint advisory published by CISA, the FBI, and MS-ISAC details trends in Ghost ransomware attacks observed around the globe, providing IoCs and TTPs to guide detection and prevention. It stresses the importance of understanding the technical details of the attacks, including those IoCs and TTPs, and of taking proactive measures to mitigate risk before an intrusion occurs.
Organizations must urgently prioritize defending their systems against ransomware attacks, from endpoint protection solutions to employee security awareness training. Enhancing cybersecurity resilience requires a robust and layered security strategy that accounts for the complexities of modern threats, protecting against attacks with proactive measures and secure policies.