The APT group has been operating under a variety of names, exploiting vulnerabilities in web apps, servers, and internet-exposed hardware at targets ranging from schools to governments.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory about the activities of a ransomware group from China dubbed Ghost, which has compromised organizations in over 70 countries over the past four years.

The Ghost group began its activities in early 2021, but attacks have been observed as recently as last month. The attackers regularly change their ransomware payloads, ransom text, the extension used for encrypted files, and the email addresses used for ransom negotiations. This has led to the group being referred to under different names over the years, including Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarad, and Rapture.

The group primarily gains access to networks by exploiting known vulnerabilities in web applications, servers, and hardware appliances that are exposed to the internet and haven’t been patched. Victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and many small- and medium-sized businesses, the agencies said.

Some of the vulnerabilities targeted by Ghost include a path traversal vulnerability in the Fortinet FortiOS SSL VPN portal (CVE-2018-13379), directory traversal and XML injection flaws in servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), a remote code execution flaw in Microsoft SharePoint (CVE-2019-0604), and the ProxyShell remote code execution attack chain in Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
Ghost employs web shells and Cobalt Strike

After a successful exploit, the attackers install web shells — backdoor scripts — on the compromised servers and use them to execute Windows command prompt and PowerShell scripts that deploy additional payloads. The group’s preferred tool is the Cobalt Strike Beacon, an implant from a commercial penetration testing toolkit of the same name that has been abused by many cybercriminals in recent years. Cobalt Strike uses a client-server architecture, where the beacon, or client, communicates with a Team Server operated by the attackers.

Cobalt Strike is a powerful trojan with many features, including the ability to steal process tokens running with SYSTEM privileges and then use those tokens to escalate its own privileges, the ability to dump Windows password hashes, discover domain accounts, and exfiltrate data back to team servers.

In addition to Cobalt Strike, the attackers use a variety of other open-source tools to perform network discovery and lateral movement. These include an open-source proxy called IOX for hiding their ransom negotiation servers; SharpShares.exe, a tool for discovering network shares; SharpZeroLogon.exe, a tool that exploits the Zerologon vulnerability (CVE-2020-1472) against a Windows Domain Controller; SharpGPPPass.exe, a tool that exploits CVE-2014-1812; a NetBIOS scanner called NBT.exe; a privilege escalation tool called BadPotato.exe; a tool called Ladon 911 that scans for and exploits Windows SMB vulnerabilities; the Mimikatz credential dumping tool; and more.

“Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks,” CISA said in its advisory.
“In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day.”

Attacks are more focused on encryption than exfiltration

The Ghost attackers have sometimes exfiltrated data back to their Cobalt Strike Team Servers or to the Mega.nz file-sharing service, but this has been rare and the amount of information stolen has been limited. According to FBI investigations, the group doesn’t regularly exfiltrate intellectual property or personally identifiable information (PII) that would cause significant harm to victims, as other ransomware groups do. This lack of focus on data theft as a double extortion tactic explains why the group doesn’t bother setting up malware persistence mechanisms for a long-term presence on victim networks.

When it comes to encrypting data, the group has used multiple ransomware executables over time, including Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. These have similar functionality, and their features are controlled with command line arguments when executed. In addition to encrypting files, the Ghost ransomware will clear the Windows Event Logs, delete volume shadow copies that could allow restoring files, and disable the Volume Shadow Copy Service. The attackers will also scan for and disable antivirus products running on the system.

The encryption algorithms used are strong, and the encrypted data cannot be recovered without the decryption key held by the attackers. However, the impact will differ from victim to victim because the Ghost attackers will not spend too much time trying to compromise a large number of devices on networks where it’s too difficult to do so.

“Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral movement to other devices,” CISA said.
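The advisory describes three pre-encryption behaviours that defenders can watch for: clearing the Windows Event Logs, deleting volume shadow copies, and disabling the Volume Shadow Copy Service. The following added example (not from the advisory or the article) runs simple detection rules over constructed Windows log records; the event IDs used are standard Windows ones (Security 4688 process creation, Security 1102 and System 104 log cleared), while the sample command lines and the rule names are constructed for illustration.

```python
"""Flag recovery-impairment and log-clearing activity in Windows log records.
Added example; the SAMPLE_EVENTS below are constructed, not real telemetry."""
import re

# Constructed records: (log source, event ID, command line or message text)
SAMPLE_EVENTS = [
    ("Security", 4688, r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("Security", 4688, r"C:\Windows\System32\wbem\WMIC.exe shadowcopy delete"),
    ("Security", 4688, r"C:\Windows\System32\sc.exe config vss start= disabled"),
    ("Security", 4688, r"C:\Windows\System32\wevtutil.exe cl Security"),
    ("Security", 1102, "The audit log was cleared."),
    ("System", 104, "The System log file was cleared."),
    ("Security", 4688, r"C:\Windows\System32\notepad.exe C:\Users\a\notes.txt"),
]

# Command-line rules applied to process-creation events (Security 4688).
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("vss_service_disabled",
     re.compile(r"sc(\.exe)?\s+(config|stop)\s+vss\b|net(\.exe)?\s+stop\s+vss\b", re.I)),
    ("event_log_cleared_cmd",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
]
# Events Windows itself writes when a log is cleared, whatever tool did it.
LOG_CLEAR_EVENT_IDS = {("Security", 1102), ("System", 104)}


def classify(event):
    """Return the rule name an event matches, or None if it looks benign."""
    source, event_id, text = event
    if (source, event_id) in LOG_CLEAR_EVENT_IDS:
        return "event_log_cleared"
    if event_id == 4688:
        for name, pattern in RULES:
            if pattern.search(text):
                return name
    return None


def detect(events):
    """List (rule name, record text) for every matching event."""
    return [(classify(e), e[2]) for e in events if classify(e)]


def sequence_alert(events, threshold=2):
    """Escalate when several distinct techniques co-occur, the pattern the
    advisory describes right before encryption starts."""
    kinds = sorted({name for name, _ in detect(events)})
    return len(kinds) >= threshold, kinds
```

A single shadow-copy deletion can be legitimate backup maintenance; the co-occurrence check in sequence_alert is what separates the advisory's pattern from routine administration.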
The joint FBI, CISA, and MS-ISAC advisory contains indicators of compromise, including domain names, file hashes, email addresses, and MITRE ATT&CK TTPs, as well as security recommendations for organizations to protect themselves against Ghost attacks and ransomware in general.