UPDATED 19:26 EDT / FEBRUARY 20 2025

CISA and FBI warn Ghost ransomware is targeting critical infrastructure and businesses

The U.S. Cybersecurity and Infrastructure Security Agency, along with the Federal Bureau of Investigation and the Multi-State Information Sharing and Analysis Center, has issued a joint advisory warning of the activities of Ghost ransomware, also known as Cring.

The group behind Ghost ransomware allegedly operates out of China and has targeted organizations in more than 70 countries, including critical infrastructure, schools, healthcare, government networks and businesses, for financial gain.

Ghost ransomware operates by exploiting unpatched vulnerabilities in widely used, internet-facing software to gain unauthorized access to targeted systems. Once inside, the attackers deploy web shells and use command-line tools to establish persistence, escalate privileges and move laterally within the network.

Those behind the ransomware commonly leverage known vulnerabilities in Fortinet appliances, Adobe ColdFusion, Microsoft SharePoint and Microsoft Exchange (the vulnerability chain known as ProxyShell) to breach systems.

Ghost ransomware is known for its rapid execution, encrypting files within hours of initial access. After gaining control, the attackers deploy Cobalt Strike Beacon malware and use open-source tools to disable security defenses and prepare for the final ransomware payload, allowing them to lock down critical files and render them inaccessible to victims.

Typical of modern-day ransomware operations, Ghost ransomware doesn’t only encrypt files but also exfiltrates data before launching the attack to set up a double-extortion situation: Victims are told that if they don’t pay the ransom demands, their stolen data will be released and their files will remain encrypted. Notably, though, the advisory states that the actual amount of data exfiltrated is relatively small, suggesting that data theft serves more as a psychological pressure tactic than as a core operational strategy.

The ransom demands from the Ghost group can range from tens of thousands to hundreds of thousands of dollars, typically payable in cryptocurrency. Victims receive a ransom note instructing them on how to contact the attackers and make payment in exchange for a decryption tool.

The advisory from CISA, FBI and MS-ISAC, issued Wednesday, stresses the need to take proactive defense measures against Ghost ransomware and other types of ransomware. Organizations are urged to promptly apply security patches, particularly for known vulnerabilities the group exploits. Additionally, network segmentation and restricting access to critical systems can help prevent lateral movement in the event of an initial breach.

Darren Guccione, co-founder and chief executive of cybersecurity software startup Keeper Security Inc., told SiliconANGLE via email that “the Ghost ransomware campaign highlights the persistent reality that adversaries exploit known vulnerabilities faster than many organizations can patch them” and that the advisory “reinforces the critical need for proactive risk management – security leaders must ensure that software, firmware and identity systems are continuously updated and hardened against exploitation.”
