FBI and CISA Warn Against Ghost Ransomware in Latest Advisory
On February 19th, 2025, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint warning about the significant threat posed by the Ghost ransomware group.
This marks CISA's first #StopRansomware publication of the year, following their August 2024 RansomHub report. Given the rise in disruptive ransomware attacks, CISA emphasizes the urgent need for organizations to enhance their cybersecurity measures and has released detailed guidelines to help detect and defend against this threat.
The Ghost ransomware group first emerged in early 2021 and has steadily escalated its operations, targeting businesses and critical infrastructure across more than 70 countries. Known for its adaptive tactics and relentless focus on exploiting vulnerabilities in outdated systems, the group has become one of the most dangerous ransomware threats in the global cybersecurity landscape.
According to the February 2025 advisory, the Ghost ransomware group has been actively operating since its first appearance in 2021. The advisory reports their most recent attacks occurred in January of this year. Throughout their operations, they have consistently evolved their tactics and tools to evade contemporary cybersecurity measures, making them an increasingly sophisticated threat.
The group frequently rotates its malware executables, modifies ransom notes, and changes encrypted file extensions, making it difficult for organizations to track and mitigate their attacks. In addition, the group uses multiple email addresses for ransom communications, further complicating attribution efforts.
One of the key factors contributing to the group's success is the widespread failure of organizations to patch known vulnerabilities. Many of the CVEs exploited by Ghost ransomware have been publicly disclosed for years, yet they remain unpatched in numerous systems.
Methods and Tactics
As pointed out in the publication, Ghost employs sophisticated tactics to breach systems and carry out attacks. Their primary method involves exploiting publicly available code to target Common Vulnerabilities and Exposures (CVEs) in internet-facing systems.
Key vulnerabilities exploited include:
- Fortinet FortiOS (CVE-2018-13379): A vulnerability in SSL VPNs that allows unauthenticated attackers to access system files.
- Adobe ColdFusion (CVE-2010-2861, CVE-2009-3960): Older vulnerabilities that remain unpatched in certain systems, providing an entry point for attackers.
- Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207): Security weaknesses that allow attackers to execute arbitrary commands or gain elevated privileges within the system.
The group uses Cobalt Strike Beacon malware, PowerShell, and web shells to carry out attacks. These tools enable them to maintain access, gain higher privileges, and spread through compromised networks. The advisory describes the intrusion as a sequence of stages that ends with deployment of the ransomware executables:
- Initial Compromise: The threat actors first breach networks by exploiting the vulnerabilities in public-facing applications listed above.
- Persistence Establishment: After gaining access, the actors deploy web shells and Cobalt Strike malware while establishing persistent access through account manipulation and credential harvesting.
- Privilege Escalation and Network Reconnaissance: Using advanced tools like SharpZeroLogon and custom utilities, the actors elevate privileges and map the network while disabling security controls.
- Lateral Movement and Data Exfiltration: The group uses compromised credentials and administrative access to expand their network presence while transferring targeted data to their command and control infrastructure.
- Impact and Encryption: The operation culminates in deploying ransomware executables, including Cring.exe and Ghost.exe, leading to system-wide encryption, backup deletion, and ransom demands.
To help organizations detect and respond to Ghost ransomware, CISA has included a comprehensive list of Indicators of Compromise (IOCs) on their advisory site.
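The stages above each leave traces in endpoint process-creation telemetry: a web shell shows up as a web server process spawning a command interpreter, PowerShell-based tooling often runs with an encoded command line, and the final stage deletes backups before encrypting. The script below is an added example written for this article, not code from the advisory or from Halcyon, and it does not use CISA's published IOCs; it runs three illustrative detection rules over a handful of constructed log lines in a simplified key=value format that stands in for whatever your EDR or Sysmon pipeline emits, then correlates hits per host so that a machine showing more than one stage rises to the top of the queue.

```python
"""Stage-based detection over process-creation events.

Added example for the Ghost ransomware write-up. The log format, the
sample events and the rule thresholds are constructed assumptions for
illustration; adapt the parser to your own telemetry schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (not real data): one process-creation event per line.
SAMPLE_LOG = """\
2025-01-14T03:12:07Z host=mail01 parent=services.exe image=svchost.exe cmdline="svchost.exe -k netsvcs"
2025-01-14T03:12:09Z host=mail01 parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c whoami"
2025-01-14T03:12:30Z host=mail01 parent=cmd.exe image=powershell.exe cmdline="powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
2025-01-14T03:15:02Z host=fs02 parent=explorer.exe image=powershell.exe cmdline="powershell.exe -File C:\\scripts\\backup.ps1"
2025-01-14T04:01:11Z host=fs02 parent=cmd.exe image=vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
"""

LINE_RE = re.compile(r'^(\S+) host=(\S+) parent=(\S+) image=(\S+) cmdline="(.*)"$')

# Process names used by the rules. The web-server set is an assumption; extend it
# to match the application servers actually exposed in your environment.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd.exe", "coldfusion.exe", "tomcat.exe"}
SHELL_PROCS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL_PROCS = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts abbreviated forms of -EncodedCommand; require a base64-looking argument.
ENCODED_PS_RE = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


def parse_line(line: str):
    """Return an Event for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, host, parent, image, cmdline = m.groups()
    return Event(ts, host, parent.lower(), image.lower(), cmdline)


# --- Rules: each maps to one stage of the intrusion described in the advisory ---

def web_server_spawned_shell(ev: Event) -> bool:
    """Web shell indicator: an application-server worker launching an interpreter."""
    return ev.parent in WEB_SERVER_PROCS and ev.image in SHELL_PROCS


def encoded_powershell(ev: Event) -> bool:
    """Post-exploitation tooling frequently hides its script body behind -EncodedCommand."""
    return ev.image in POWERSHELL_PROCS and ENCODED_PS_RE.search(ev.cmdline) is not None


def shadow_copy_deletion(ev: Event) -> bool:
    """Backup destruction immediately before encryption (the advisory's final stage)."""
    c = ev.cmdline.lower()
    if ev.image == "vssadmin.exe":
        return "delete" in c and "shadows" in c
    if ev.image == "wmic.exe":
        return "shadowcopy" in c and "delete" in c
    return False


RULES = (web_server_spawned_shell, encoded_powershell, shadow_copy_deletion)


def detect(log_text: str):
    """Run every rule over every parsable event; return (timestamp, host, rule name) hits."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for rule in RULES:
            if rule(ev):
                findings.append((ev.ts, ev.host, rule.__name__))
    return findings


def hosts_by_stage_count(findings):
    """Correlate per host: hosts that tripped more than one distinct rule first."""
    stages = defaultdict(set)
    for _, host, rule in findings:
        stages[host].add(rule)
    return sorted(stages.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for ts, host, rule in hits:
        print(f"{ts} {host:<8} {rule}")
    for host, rules in hosts_by_stage_count(hits):
        print(f"{host}: {len(rules)} distinct stage(s) -> {sorted(rules)}")
```

Running it flags the web-server-to-cmd.exe hop and the encoded PowerShell on mail01 and the shadow copy deletion on fs02, while the legitimately scheduled backup script on fs02 is left alone; mail01 is ranked first because two different stages were observed there. The per-host correlation is the part worth keeping when you port these rules into a real SIEM: any single rule will fire occasionally on admin activity, but the same host crossing two stages of the chain within a short window is a much stronger signal and matches how the advisory describes the intrusion unfolding.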
Organizational Risk
Falling victim to ransomware attacks can severely disrupt organizations. When critical files and systems are encrypted, business operations grind to a halt. This poses particular dangers in healthcare and government sectors, where system downtime directly affects human lives.
For instance, when hospitals lose access to patient records or vital medical equipment, they must delay treatments and switch to manual systems, severely limiting their ability to deliver proper patient care and potentially putting lives at risk.
The financial toll of these attacks could prove to be devastating. Ransom demands can range from thousands to millions of dollars, with the average ransom payment being $900,000, and paying the ransom offers no guarantee that attackers will provide working decryption keys. Organizations must also shoulder substantial recovery costs, from incident response and forensic investigations to complete system restoration.
Beyond the operational and financial damage, ransomware attacks can also inflict long-term reputational harm. Organizations that fail to protect sensitive data may lose the trust of their customers, partners, and stakeholders, leading to lasting consequences for their businesses.
Takeaway
Looking at Ghost ransomware's impact teaches us two vital lessons about modern cybersecurity. Many attacks succeed simply because organizations haven't patched known vulnerabilities. This is a reminder that basic system maintenance remains our first line of defense.
Beyond that, we're seeing how coordinated threat intelligence sharing between government agencies, cybersecurity firms, and private businesses creates a powerful shield against these threats. When organizations work together and share their experiences with law enforcement, everyone becomes better equipped to spot and stop these attacks before they spread.
The joint advisory is a wake-up call for organizations around the world. Ghost ransomware represents a clear and present danger to businesses and critical infrastructure, and the consequences of inaction can be catastrophic.
To protect against the threat actor, the agency has provided several actionable recommendations: deploying dedicated anti-ransomware solutions, maintaining regular backups, patching known vulnerabilities, implementing network segmentation, enforcing multifactor authentication (MFA), and conducting regular security audits.
Following these recommendations can significantly reduce an organization's risk of falling victim to Ghost ransomware and other similar threats.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.