Ghost (Cring) Ransomware

Verticals Targeted: Healthcare, Government, Education, Technology, Manufacturing, SMBs

Executive Summary

Ghost, also known as Cring, is a ransomware family that has been active since at least late 2020. A recent uptick in Ghost activity prompted US agencies to release a joint cybersecurity advisory on Ghost.

Key Takeaways

• Ghost, also known as Cring, is a ransomware family that has been active since at least late 2020. 
• A recent uptick in Ghost activity prompted US agencies to release a joint cybersecurity advisory on Ghost. 
• The Ghost infection chain is known to exploit multiple vulnerabilities in Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange.

What is Ghost?

Ghost, also known as Cring, is a ransomware family that has been active since at least late 2020. A recent uptick in Ghost activity, targeting multiple verticals in over 70 countries, prompted CISA, the FBI, and MS-ISAC to release a joint cybersecurity advisory on Ghost. 

Ghost is known to target multiple verticals, including healthcare, government, education, technology, manufacturing, and small to medium-sized businesses (SMBs). However, based on the joint cybersecurity advisory, it appears the ransomware targets opportunistically. 

The Ghost infection chain is known to exploit multiple vulnerabilities including those affecting the following products and services:

• Fortinet FortiOS (CVE-2018-13379)
• Adobe ColdFusion (CVE-2010-2861, CVE-2009-3960)
• Microsoft SharePoint (CVE-2019-0604)
• Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)

Malware or tools associated with this activity include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, Rapture, and ElysiumO. The threat actors behind this activity were also observed using Mimikatz and CobaltStrike on compromised machines prior to dropping the ransomware payloads. The threat actors focus on swift movement in the victim network, rather than maintaining persistence. 

The threat actors behind Ghost use multiple email services to communicate with victims, including Tutanota, Skiff, ProtonMail, Onionmail, and Mailfence. They also use Tox chat to communicate with victims. They attempt to use a double extortion tactic, demanding a ransom to restore encrypted files and threatening to sell data if the ransom is not paid. However, in reality they do not appear to exfiltrate a significant amount of data. According to the advisory, the threat actors behind Ghost are thought to be of China nexus.

IOCs

PolySwarm has multiple samples associated with this activity.

f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8

c8acd8e65b46c86d0d01e961358bc6ab9aec70f90a57829aa15e39add536b5c8

0500c9d0b91e62993447cdcf5f691092aff409eca24080ce149f34e48a0445e0

You can use the following CLI command to search for all Ghost-related samples in our portal:

$ polyswarm link list -f Ghost

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.