The PolySwarm Blog

Ghost (Cring) Ransomware

Feb 24, 2025 11:57:27 AM / by The Hivemind

Verticals Targeted: Healthcare, Government, Education, Technology, Manufacturing, SMBs

Executive Summary

Ghost, also known as Cring, is a ransomware family that has been active since at least late 2020. A recent uptick in Ghost activity prompted US agencies to release a joint cybersecurity advisory on Ghost.

Key Takeaways

  • Ghost, also known as Cring, is a ransomware family that has been active since at least late 2020. 
  • A recent uptick in Ghost activity prompted US agencies to release a joint cybersecurity advisory on Ghost. 
  • The Ghost infection chain is known to exploit multiple vulnerabilities in Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange.

What is Ghost?

Ghost, also known as Cring, is a ransomware family that has been active since at least late 2020. A recent uptick in Ghost activity, targeting multiple verticals in over 70 countries, prompted CISA, the FBI, and MS-ISAC to release a joint cybersecurity advisory on Ghost. 

Ghost is known to target multiple verticals, including healthcare, government, education, technology, manufacturing, and small to medium-sized businesses (SMBs). However, based on the joint cybersecurity advisory, it appears the ransomware targets opportunistically. 

The Ghost infection chain is known to exploit multiple vulnerabilities, including those affecting Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange.

Malware or tools associated with this activity include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, Rapture, and ElysiumO. The threat actors behind this activity were also observed using Mimikatz and Cobalt Strike on compromised machines prior to dropping the ransomware payloads. The threat actors focus on moving swiftly through the victim network rather than maintaining persistence.

The threat actors behind Ghost use multiple email services to communicate with victims, including Tutanota, Skiff, ProtonMail, Onionmail, and Mailfence. They also use Tox chat to communicate with victims. They attempt a double extortion tactic, demanding a ransom to restore encrypted files and threatening to sell data if the ransom is not paid. In practice, however, they do not appear to exfiltrate a significant amount of data. According to the advisory, the threat actors behind Ghost are thought to have a China nexus.

IOCs

PolySwarm has multiple samples associated with this activity.


f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8

c8acd8e65b46c86d0d01e961358bc6ab9aec70f90a57829aa15e39add536b5c8

0500c9d0b91e62993447cdcf5f691092aff409eca24080ce149f34e48a0445e0


You can use the following CLI command to search for all Ghost-related samples in our portal:

$ polyswarm link list -f Ghost
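As an added example (not PolySwarm's code and not part of the original bulletin), the following Python sweeps a directory tree, hashes each file with SHA-256 and reports any file whose digest matches the three indicators listed above. The IOC values are the ones published in this bulletin; the temporary directory, the sample file and the second "seeded" IOC list used to exercise the match path are constructed for the demo.

```python
"""IOC hash sweep for the Ghost (Cring) SHA-256 indicators listed above."""
import hashlib
import os
import tempfile

# The three SHA-256 IOCs published in the bulletin above.
GHOST_SHA256_IOCS = {
    "f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8",
    "c8acd8e65b46c86d0d01e961358bc6ab9aec70f90a57829aa15e39add536b5c8",
    "0500c9d0b91e62993447cdcf5f691092aff409eca24080ce149f34e48a0445e0",
}


def parse_ioc_list(text):
    """Parse a newline-separated hash list (blank lines and '#' comments ignored).

    Only well-formed 64-hex-char SHA-256 strings are kept, lower-cased, so a
    stray token in a copied list cannot silently poison the match set."""
    iocs = set()
    for line in text.splitlines():
        token = line.strip().lower()
        if not token or token.startswith("#"):
            continue
        if len(token) == 64 and all(c in "0123456789abcdef" for c in token):
            iocs.add(token)
    return iocs


def sha256_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, iocs=GHOST_SHA256_IOCS):
    """Walk `root` and return sorted (path, sha256) pairs whose hash is in `iocs`.

    Unreadable files are skipped rather than aborting the sweep, so one locked
    file does not hide a hit elsewhere on the host."""
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                matches.append((path, digest))
    return sorted(matches)


def run_demo():
    """Constructed demo: a benign file never matches the bulletin's IOC set, but
    a file whose own hash is seeded into a constructed IOC list is reported.
    Returns (hits_against_bulletin_iocs, digests_hit_against_seeded_iocs)."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "notes.txt")
        with open(benign, "wb") as f:
            f.write(b"constructed benign content, not a real sample")
        bulletin_hits = scan_directory(tmp)  # no match expected
        seeded = parse_ioc_list("# constructed list\n" + sha256_file(benign))
        seeded_hits = scan_directory(tmp, seeded)  # exactly one match expected
        return bulletin_hits, [digest for _path, digest in seeded_hits]


if __name__ == "__main__":
    bulletin_hits, seeded_hits = run_demo()
    print("hits against bulletin IOCs:", bulletin_hits)
    print("hits against constructed IOC set:", seeded_hits)
```

Point `scan_directory` at a suspect host's download, temp or share directories to triage against the published hashes; `parse_ioc_list` accepts a pasted hash list so the set can be extended as new samples are published without editing the code.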


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

Topics: Threat Bulletin, Ransomware, Ghost, Cring