Feb 14, 2025
Dark Web Profile: Ghost (Cring) Ransomware
In February 2025, the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), released a joint advisory detailing the Tactics, Techniques, and Procedures (TTPs) of Ghost (Cring) ransomware. Active since at least 2021, this ransomware primarily targets organizations with vulnerable internet-facing systems, exploiting outdated software and weak security configurations.
Who is Ghost Ransomware?
Ghost (Cring) ransomware is a financially motivated threat actor known for targeting vulnerable networks to encrypt critical data and demand ransoms. First identified in attacks exploiting unpatched systems, the group primarily focuses on industries with high operational dependencies. Ghost (Cring) operators use advanced evasion techniques to avoid detection, making them a persistent threat across multiple sectors.
Threat Actor card of Ghost Ransomware
What Are Their Targets?
Ghost (Cring) ransomware primarily targets industries with critical data and operational dependencies, aiming to cause maximum disruption and pressure victims into paying ransoms.
Healthcare & Financial Services
Hospitals and medical institutions face attacks due to sensitive patient records and operational reliance, while financial institutions are targeted for their vast stores of customer and transaction data.
Government & Critical Infrastructure
Government agencies and national infrastructure providers, such as energy and utility companies, are frequent targets, with attacks leading to data breaches and service disruptions.
Manufacturing & Industrial Sectors
Ghost (Cring) exploits vulnerabilities in industrial control systems, halting production lines and disrupting supply chains. Many organizations in this sector rely on outdated or unpatched software, increasing their susceptibility.
Education & Professional Services
Schools, universities, and research institutions face risks due to valuable intellectual property and student records, while legal and accounting firms are targeted for their confidential client data.
Retail & E-commerce
Retailers, especially in e-commerce, are prime targets due to their payment processing systems and vast amounts of customer data. Attacks can disrupt sales and damage consumer trust.
What are Ghost Ransomware Tactics?
Ghost (Cring) ransomware employs a sophisticated and multi-stage attack methodology, beginning with initial access and moving through deployment, persistence, and encryption phases. According to CISA Advisory:
Initial Access and Exploitation
The first stage of a Ghost (Cring) attack begins with the exploitation of known vulnerabilities in internet-facing systems. One of the primary methods attackers use is targeting vulnerabilities in Fortinet’s FortiOS, particularly CVE-2018-13379, a critical directory traversal flaw in the SSL VPN service. Once they identify vulnerable systems, the attackers attempt to gain access by exploiting this vulnerability, which allows them to retrieve plaintext VPN credentials stored in the Fortinet devices. These credentials enable the attackers to log in remotely, bypassing the need for further authentication and significantly expanding the scope of the compromise.
After obtaining access to the compromised system, attackers move quickly to lateral movement, leveraging the stolen credentials to pivot within the network. By accessing different systems with these credentials, they expand their foothold in the target environment.
Deployment of Ransomware Payload
With access to the network, the attackers deploy the ransomware payload. Ghost (Cring) typically utilizes remote execution tools like PsExec or Windows Management Instrumentation (WMI) to install the ransomware on additional systems. These tools are used to remotely execute scripts that download and run the ransomware binary, often from a Command-and-Control (C2) server controlled by the attackers. The deployment of these tools allows the ransomware to spread rapidly across the network.
This stage is where the attackers begin to employ living-off-the-land tactics, using legitimate system tools to execute their malicious actions. This technique helps them avoid detection from traditional security measures, which are often focused on identifying executable files downloaded from external sources rather than monitoring the use of internal network tools.
Privilege Escalation and Lateral Movement
Once the ransomware payload has been deployed to multiple systems, Ghost (Cring) attempts to escalate privileges to gain administrative access, further deepening the attackers’ control. The ransomware may exploit misconfigured permissions, unpatched vulnerabilities, or even credential dumping techniques to elevate its access rights. Privilege escalation is critical for the success of the attack, as it allows the attackers to encrypt high-value data, such as databases and backup files, that might otherwise be restricted.
At this point, the attackers also engage in lateral movement, using the credentials they’ve harvested from the system to access other parts of the network. This phase can be slow and methodical as they search for systems that store critical information or are vital to the organization’s operations. The ransomware’s ability to spread across a network is what makes it so dangerous, and it’s during this phase that it can cause the most significant damage.
Process Termination and Anti-Detection Techniques
To maximize the impact of the encryption, Ghost (Cring) terminates critical processes before initiating the encryption process. The ransomware targets and stops services related to database management, security software, and system monitoring tools. By disabling these services, the ransomware ensures that its activity goes unnoticed and that the encryption process is carried out without interference.
In addition to process termination, Ghost (Cring) also employs anti-detection measures. The ransomware is designed to avoid detection by traditional security tools, which might flag the malicious activity. One of the methods it uses to avoid detection is by disabling Windows Defender and other security products on the infected machines. This action leaves the system more vulnerable to additional attacks, as well as prolonging the attacker’s control over the network.
File Encryption Process
Once the system has been compromised and security measures have been neutralized, Ghost (Cring) begins the encryption process. This is the most visible and damaging phase of the attack. The ransomware scans the infected system for files with specific extensions, typically focusing on business-critical documents and databases. Once it identifies a file, it encrypts it using a hybrid encryption system, utilizing AES-256 encryption for the file data and securing the encryption key with RSA-2048. This method ensures that even if the ransomware’s code is found and analyzed, the decryption key is still secure in the attacker’s hands.
The ransomware doesn’t stop there. After encrypting the files, Ghost (Cring) appends a unique extension to the affected files, making it immediately clear that they are no longer accessible. This is often followed by the dropping of a ransom note, which contains instructions on how the victim can pay the ransom in exchange for a decryption key. The ransomware authors typically demand payment in cryptocurrency, making it harder to trace the transactions.
Persistence Mechanisms
Ghost (Cring) is designed to remain on the infected systems for as long as possible, and to achieve this, it utilizes various persistence mechanisms. One common method is to create scheduled tasks that execute the ransomware payload every time the system restarts. This ensures that even if the victim tries to reboot the system in an attempt to stop the attack, the ransomware will reinitiate upon restart. Additionally, Ghost (Cring) often modifies system registries or deploys backdoors on the compromised systems. These backdoors allow attackers to maintain remote access even after the initial infection has occurred, giving them the ability to re-enter the system and potentially launch additional attacks.
Some variants of Ghost (Cring) may even use fileless techniques to persist on the system, executing code directly from memory without leaving traces on the disk. This makes detection and removal much more difficult, as traditional endpoint detection systems rely on finding malicious files on disk.
How to Mitigate?
Organizations can reduce the risk of Ghost ransomware attacks by implementing a multi-layered cybersecurity approach. The following measures are recommended:
- Network and Endpoint Security
- Deploy EDR/XDR Solutions: Utilize Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) to detect and prevent malicious activity.
- Network Segmentation: Limit lateral movement by segmenting networks and applying the principle of least privilege.
- Disable Unnecessary Services: Restrict or disable SMBv1, RDP, and other commonly exploited services.
- Monitor for Known IoCs: Continuously scan for IoCs, including file hashes, tools, and ransom email addresses associated with Ghost actors.
- Identity and Access Management
- Enforce Multi-Factor Authentication (MFA): Enable MFA for all remote access points and administrative accounts.
- Use Strong, Unique Passwords: Implement password policies that require complexity and periodic changes.
- Limit Privileged Access: Minimize administrative privileges and regularly review permissions.
- Software and Patch Management
- Patch Critical Vulnerabilities: Apply security patches, especially for CVE-2020-1472, CVE-2014-1812, and CVE-2017-0143/0144, which Ghost actors exploit.
- Keep Security Software Updated: Ensure antivirus, firewalls, and intrusion detection systems are up to date.
- Email and Web Security
- Filter Suspicious Emails: Implement email filtering to detect and block phishing attempts.
- Disable Macros and Executables in Emails: Prevent automatic execution of scripts and macros in attachments.
- Use DNS Filtering: Block access to known malicious domains and command-and-control (C2) infrastructure.
- Data Protection and Incident Response
- Regular Backups: Maintain offline, encrypted backups of critical data and test recovery procedures.
- Develop an Incident Response Plan: Establish a ransomware response strategy, including containment, eradication, and recovery steps.
- Monitor for Unauthorized File Encryption: Set up alerts for unusual file modifications and encryption patterns.
For further guidance on ransomware mitigation and response, organizations should refer to the Cybersecurity and Infrastructure Security Agency (CISA) resources. CISA provides best practices, alerts, and advisories to help organizations defend against ransomware threats. Visit CISA’s Stop Ransomware page for detailed recommendations and additional security measures.
How Can SOCRadar Help?
SOCRadar enhances ransomware defense with real-time Threat Intelligence & Dark Web Monitoring, providing early alerts on Ghost ransomware activity. Its Attack Surface Management identifies vulnerabilities, while Threat Hunting & IOC Feeds supply up-to-date indicators for proactive detection.
With SIEM/SOAR integration and MITRE ATT&CK mapping, SOCRadar strengthens automated threat detection and response. By leveraging its comprehensive monitoring, organizations can stay ahead of Ghost ransomware threats and minimize cyber risks.
SOCRadar’s Ransomware Intelligence
MITRE ATT&CK Tactics and Techniques of Ghost Ransomware
As provided by CISA’s advisory:
| Tactic | Technique Title | ID | Use |
| Initial Access | Exploit Public-Facing Application | T1190 | Ghost actors exploit multiple vulnerabilities in public-facing systems to gain initial access to servers. |
| Execution | Windows Management Instrumentation | T1047 | Ghost actors abuse WMI to run PowerShell scripts on other devices, infecting them with Cobalt Strike Beacon malware. |
| PowerShell | T1059.001 | Ghost actors use PowerShell for various functions, including deploying Cobalt Strike. | |
| Windows Command Shell | T1059.003 | Ghost actors use the Windows Command Shell to download malicious content onto victim servers. | |
| Persistence | Account Manipulation | T1098 | Ghost actors change passwords for already established accounts. |
| Local Account | T1136.001 | Ghost actors create new accounts or modify local accounts. | |
| Domain Account | T1136.002 | Ghost actors create new accounts or modify domain accounts. | |
| Web Shell | T1505.003 | Ghost actors upload web shells to victim servers for access and persistence. | |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Ghost actors use open-source tools to exploit vulnerabilities and gain elevated privileges. |
| Token Impersonation/Theft | T1134.001 | Ghost actors use Cobalt Strike to steal process tokens of higher-privileged processes. | |
| Defense Evasion | Application Layer Protocol: Web Protocols | T1071.001 | Ghost actors use HTTP and HTTPS for command and control (C2) operations. |
| Impair Defenses: Disable or Modify Tools | T1562.001 | Ghost actors disable antivirus products. | |
| Hidden Window | T1564.003 | Ghost actors use PowerShell to hide malicious activity within legitimate-looking command windows. | |
| Credential Access | OS Credential Dumping | T1003 | Ghost actors use Mimikatz and Cobalt Strike’s “hashdump” command to collect passwords and password hashes. |
| Discovery | Remote System Discovery | T1018 | Ghost actors use tools like Ladon 911 and ShapNBTScan to identify remote systems. |
| Process Discovery | T1057 | Ghost actors run ps commands to list running processes on infected devices. | |
| Domain Account Discovery | T1087.002 | Ghost actors use commands like net group “Domain Admins” /domain to discover domain administrator accounts. | |
| Network Share Discovery | T1135 | Ghost actors use various tools to enumerate network shares. | |
| Software Discovery | T1518 | Ghost actors check which antivirus software is running. | |
| Security Software Discovery | T1518.001 | Ghost actors run Cobalt Strike to enumerate security tools. | |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Ghost actors use web shells and Cobalt Strike to exfiltrate limited data. |
| Exfiltration to Cloud Storage | T1567.002 | Ghost actors sometimes use cloud storage providers like Mega.nz for data exfiltration. | |
| Command and Control | Web Protocols | T1071.001 | Ghost actors use Cobalt Strike Beacons and Team Servers over HTTP and HTTPS. |
| Ingress Tool Transfer | T1105 | Ghost actors use Cobalt Strike Beacons to deliver ransomware payloads. | |
| Standard Encoding | T1132.001 | Ghost actors encode network traffic with PowerShell to evade detection. | |
| Encrypted Channel | T1573 | Ghost actors use encrypted email platforms for communication. | |
| Impact | Data Encrypted for Impact | T1486 | Ghost actors use ransomware variants like Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe to encrypt files for ransom. |
| Inhibit System Recovery | T1490 | Ghost actors delete volume shadow copies to prevent data recovery. |
IoC Tables for Ghost Ransomware
As provided by CISA:
Table 1: Tools Leveraged by Ghost Actors
| Name | Description | Source |
| Cobalt Strike | Penetration testing software used by Ghost actors in an unauthorized version. | N/A |
| IOX | Open-source proxy for establishing a reverse proxy to a Ghost C2 server. | github[.]com/EddieIvan01/iox |
| SharpShares.exe | Used to enumerate accessible network shares in a domain for host discovery. | github[.]com/mitchmoser/SharpShares |
| SharpZeroLogon.exe | Attempts to exploit CVE-2020-1472 against a target Domain Controller. | github[.]com/leitosama/SharpZeroLogon |
| SharpGPPPass.exe | Attempts to exploit CVE-2014-1812, targeting XML files containing passwords. | N/A |
| SpnDump.exe | Lists service principal name identifiers for service and hostname enumeration. | N/A |
| NBT.exe | Compiled version of SharpNBTScan, a NetBIOS scanner for hostname and IP enumeration. | github[.]com/BronzeTicket/SharpNBTScan |
| BadPotato.exe | Exploitation tool for privilege escalation. | github[.]com/BeichenDream/BadPotato |
| God.exe | Compiled version of GodPotato used for privilege escalation. | github[.]com/BeichenDream/GodPotato |
| HFS (HTTP File Server) | Portable web server used for hosting files for remote access and exfiltration. | rejitto[.]com/hfs |
| Ladon 911 | Multifunctional scanning and exploitation tool, often used to scan for SMB vulnerabilities (CVE-2017-0143, CVE-2017-0144). | github[.]com/k8gege/Ladon |
| Web Shell | Backdoor installed on a web server to execute commands and maintain persistent access. | github[.]com/BeichenDream/Chunk-Proxy/blob/main/proxy.aspx |
Table 2: MD5 File Hashes Associated with Ghost Ransomware Activity
| File Name | MD5 File Hash |
| Cring.exe | c5d712f82d5d37bb284acd4468ab3533 |
| Ghost.exe | 34b3009590ec2d361f07cac320671410 |
| d9c019182d88290e5489cdf3b607f982 | |
| ElysiumO.exe | 29e44e8994197bdb0c2be6fc5dfc15c2 |
| c9e35b5c1dc8856da25965b385a26ec4 | |
| d1c5e7b8e937625891707f8b4b594314 | |
| Locker.exe | ef6a213f59f3fbee2894bd6734bbaed2 |
| iex.txt, pro.txt (IOX) | ac58a214ce7deb3a578c10b97f93d9c3 |
| x86.log (IOX) | c3b8f6d102393b4542e9f951c9435255 |
| 0a5c4ad3ec240fbfd00bdc1d36bd54eb | |
| sp.txt (IOX) | ff52fdf84448277b1bc121f592f753c5 |
| main.txt (IOX) | a2fd181f57548c215ac6891d000ec6b9 |
| isx.txt (IOX) | 625bd7275e1892eac50a22f8b4a6355d |
| sock.txt (IOX) | db38ef2e3d4d8cb785df48f458b35090 |
Table 3: Ransom Email Addresses
Table 4: Ransom TOX IDs
| TOX ID |
| EFE31926F41889DBF6588F27A2EC3A2D7DEF7D2E9E0A1DEFD39B976A49C11F0E19E03998DBDA |
| E83CD54EAAB0F31040D855E1ED993E2AC92652FF8E8742D3901580339D135C6EBCD71002885B |
Related Articles
Dark Web Profile: Fog Ransomware
Feb 13, 2025
Dark Web Profile: Tortoiseshell APT
Feb 07, 2025
Dark Web Profile: RA World
Jan 31, 2025
Dark Web Profile: Termite Ransomware
Jan 30, 2025
Subscribe to our newsletter and stay updated on the latest insights!
