Ghost Ransomware Dissection

---

Ghost Ransomware, also known by various aliases such as Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture, is a sophisticated ransomware threat that has targeted organizations globally. This detailed analysis covers its emergence, tactics, attack methodology, and mitigation measures.

Emergence and Targets

Origin and Target Sectors

• Country of Origin: Ghost ransomware actors are believed to be based in China.
• Targeted Sectors: The group targets a wide range of sectors, including:
• Critical Infrastructure
• Healthcare
• Education
• Government Networks
• Religious Institutions
• Technology and Manufacturing Companies
• Small- and Medium-Sized Businesses
• Global Reach: Ghost ransomware has compromised organizations in over 70 countries, demonstrating its extensive operational capabilities.

Initial Access and Exploitation

Exploited Vulnerabilities

Ghost ransomware actors exploit known vulnerabilities in public-facing applications to gain initial access. Key vulnerabilities targeted include:

• CVE-2018-13379: A vulnerability in Fortinet FortiOS appliances that allows attackers to download system files via the SSL VPN web portal.
• CVE-2010-2861 and CVE-2009-3960: Vulnerabilities in Adobe ColdFusion servers that can be exploited to execute arbitrary code.
• CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207: Part of the ProxyShell attack chain, these Microsoft Exchange vulnerabilities allow attackers to execute arbitrary commands on the server.

Initial Compromise Techniques

• Phishing Emails: Attackers use phishing emails with malicious attachments to gain initial access. Once the attachment is opened, the malware establishes persistence by creating scheduled tasks.
• Exploitation Methods: Attackers use uploaded web shells to execute malicious payloads via PowerShell or Command Prompt.

Attack Methodology

Lateral Movement and Data Encryption

• Disabling Security Measures: Ghost actors use PowerShell scripts to disable critical security measures such as Windows Defender’s real-time monitoring, intrusion prevention, and script scanning. This allows the malware to operate undetected.
• Lateral Movement: The actors use Windows Management Instrumentation Command-Line (WMIC) and encoded PowerShell scripts to move laterally within the network, gaining access to additional systems.
• File Encryption: The ransomware executables, such as ElysiumO.exe or Locker.exe, encrypt files while excluding system-critical directories to avoid rendering devices inoperable.
• Deletion of Forensic Data: The group deletes Volume Shadow Copies and Windows Event Logs to hinder forensic recovery efforts. This makes it difficult for organizations to recover encrypted data and investigate the attack.

Command and Control (C2) Infrastructure

C2 Communication and Data Exfiltration

• C2 Communication: Ghost actors rely heavily on Cobalt Strike Beacon, a penetration testing tool repurposed for malicious C2 operations. C2 communications occur over HTTP/HTTPS, often using direct IP addresses instead of domains to evade detection.
• Data Exfiltration: Although Ghost typically threatens data leakage, the group performs limited data transfers to platforms like Mega.nz or Cobalt Strike Team Servers. This suggests a strategic approach to exfiltrating and leveraging stolen data.

Mitigation and Defense

Recommendations for Protection

1. Regular Backups: Maintain regular system backups stored separately from the source systems. Ensure backups are encrypted and periodically tested for integrity.
2. Patch Management: Apply timely security updates to operating systems, software, and firmware to patch known vulnerabilities. Automate patch management where possible to ensure consistency.
3. Network Segmentation: Implement network segmentation to restrict lateral movement from initial infected devices. Use VLANs and firewalls to isolate critical systems and data.
4. Phishing-Resistant MFA: Require phishing-resistant multi-factor authentication (MFA) for access to all privileged accounts and email services accounts. Use hardware tokens or mobile app-based MFA solutions for enhanced security.
5. Employee Training: Conduct regular cybersecurity awareness training for employees. Emphasize the importance of recognizing phishing emails and reporting suspicious activities.
6. Endpoint Protection: Deploy advanced endpoint protection solutions with capabilities such as behavioral analysis, machine learning, and threat intelligence integration.
7. Intrusion Detection and Response: Use intrusion detection and response tools to monitor for suspicious activities and respond to potential threats in real-time.
8. Incident Response Planning: Develop and maintain an incident response plan tailored to ransomware attacks. Regularly review and update the plan to address new threats and ensure readiness.
9. Data Encryption: Encrypt sensitive data at rest and in transit. Use strong encryption algorithms and key management practices to protect data from unauthorized access.
10. Security Audits: Conduct regular security audits and vulnerability assessments to identify and mitigate potential weaknesses in your IT infrastructure.

Final Thoughts

The Ghost Ransomware campaign underscores the critical importance of robust cybersecurity measures and proactive defense strategies. By staying informed about the tactics, techniques, and procedures used by such ransomware groups, organizations can better protect themselves against these sophisticated threats.

For more information, refer to CISA Alert