Agencies warn of Ghost ransomware activity

The FBI, CISA, and MS-ISAC have issued a joint advisory warning about the Ghost ransomware group, which has been active since 2021.

 

What happened

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint advisory on February 19, 2025, warning about the Ghost ransomware group. Originating from China, Ghost has been conducting widespread attacks since 2021, targeting organizations in more than 70 countries, including critical infrastructure, healthcare, education, government, and businesses. Unlike typical ransomware attacks that rely on phishing, Ghost exploits known vulnerabilities in software that organizations have not patched. Although the group threatens to sell stolen data if ransoms are not paid, it rarely exfiltrates significant data such as intellectual property or personal information. The FBI urges organizations to use the StopRansomware guide, maintain updated backups, patch vulnerabilities, and implement phishing-resistant multi-factor authentication.

 

Going deeper

Ghost actors frequently exploit publicly known vulnerabilities to gain access, including CVE-2018-13379 (Fortinet VPN vulnerability), CVE-2010-2861 (Adobe ColdFusion security flaw), CVE-2009-3960 (PHP application vulnerabilities), and Microsoft Exchange ProxyShell vulnerabilities. To mitigate risks, enterprises should apply security patches, update systems, implement robust access controls, and conduct regular security training. 

 

What was said

"The FBI has observed Ghost actors obtaining initial access to networks by exploiting public-facing applications that are associated with multiple Common Vulnerabilities and Exposures," the warning says.

 

In the know

Ghost ransomware is a threat due to its indiscriminate targeting of organizations across various sectors and its exploitation of known vulnerabilities in outdated systems. Implementing robust cybersecurity measures is essential to defend against such attacks. 

 

Why it matters

The warning from the FBI, CISA, and MS-ISAC about Ghost ransomware directly affects organizations that are vulnerable to these types of cyberattacks, particularly those with outdated systems or unsecured networks. By exploiting known vulnerabilities, Ghost actors pose a threat to sectors including healthcare, government, and businesses, which underlines the urgency of implementing patching policies and bolstering cybersecurity defenses. The advisory is a reminder for entities to follow the recommended best practices, such as regular patching and phishing-resistant multi-factor authentication, to protect themselves from financial and operational damage.

 

 

FAQs

What is the Ghost ransomware group?

The Ghost ransomware group is a cybercriminal group originating from China that has been conducting widespread attacks since 2021.

 

What is the primary method Ghost actors use to access systems?

Ghost actors primarily exploit public-facing applications with unpatched vulnerabilities to gain initial access to networks.

 

What sectors are targeted by Ghost ransomware?

Ghost ransomware targets sectors including healthcare, government, education, critical infrastructure, and businesses.