Sunday, April 20, 2025

Chinese hackers infiltrate hospitals and factories in United States and United Kingdom.

There are two types of scumbag in the cybercrime world: those who pick on vulnerable individuals to perpetrate their fraud, and those who target healthcare in search of illicit financial gains. The latter are, thankfully, much rarer than the former. However, hospitals have been on the ransomware and hacking radar before now, and I have had the disheartening task of reporting on them: the New York Blood Center attack, a million patient records exfiltrated by hackers, and even an FBI warning regarding patient hardware backdoors. Now, a new threat intelligence report has revealed how financially motivated Chinese cybercriminals are targeting government offices, the energy sector, factories, financial services, and, yes, hospitals across the globe. North America and the U.K., however, have been hit hardest by the Ghost ransomware hackers.


Ghost Hackers Strike In 70 Countries

According to a new report from Rebecca Harpur at Blackfog, the Ghost threat campaigns are operated by a financially motivated group from China and don’t have any known state affiliations. These attacks are, Harpur said, “driven by profit rather than espionage.” It’s also known that Ghost has gone by many other names over the years before ending up at this one: Cring, Crypt3r and Hello, as well as a closely related Phantom moniker. “By constantly rebranding,” Harpur explained, “Ghost makes it more difficult for authorities to pin down its activities as one group.”

This hasn’t, however, stopped the Cybersecurity and Infrastructure Security Agency and the FBI from issuing a joint advisory warning of the dangers that Ghost presents to “organizations across more than 70 countries.” Those compromises all follow a familiar playbook, the Blackfog threat intelligence report warned: “a ransom note threatens permanent data loss (or public release of stolen files) unless payment is made.”

When it comes to the Ghost attacks themselves, the bullet-point methodology explained by Blackfog is as follows:

  • Initial access is gained through public-facing systems by exploiting unpatched vulnerabilities. These include virtual private network appliances as well as web and email servers.
  • Ghost then installs a backdoor, by way of web shells and tools such as Cobalt Strike, to maintain stealthy access. Having escalated system privileges, the attackers often create new user accounts and disable security software.
  • With this admin-level access, the attackers spread to other systems on the network and, as the report puts it, Ghost “quietly exfiltrates sensitive data to its own servers.”
  • Finally, Ghost deploys its ransomware payload (often named Ghost.exe or Cring.exe) across the network. “Files on infected machines are scrambled and made unusable,” Blackfog warned, “backups are wiped out, and a ransom note appears on each system.”
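A defender-side illustration of the playbook above, added here and not part of the original article or Blackfog's report: a small Python correlator that scans log lines for the stages described (new account created, security software disabled, a payload named Ghost.exe or Cring.exe launched) and flags hosts where the chain completes in that order within a time window. The log format, event names, hosts and paths are constructed for the example and do not correspond to any real product.

```python
import re
from datetime import datetime

# Constructed sample log lines for this example (not from any real product or
# incident). Assumed format: "<ISO timestamp> <host> <event> [key=value]".
SAMPLE_LOGS = """\
2025-04-18T01:02:10 web01 user_created user=svc_backup2
2025-04-18T01:05:44 web01 security_tool_disabled tool=endpoint_av
2025-04-18T01:40:03 web01 process_start image=C:\\Windows\\Temp\\Ghost.exe
2025-04-18T01:41:15 fs02 process_start image=\\\\web01\\share\\Cring.exe
2025-04-18T09:00:00 hr03 user_created user=jdoe
2025-04-18T09:00:05 hr03 process_start image=C:\\Program Files\\App\\app.exe
"""

# Stage order follows the playbook above; the payload names come from the article.
STAGES = ["user_created", "security_tool_disabled", "ransomware_payload"]
PAYLOAD_NAMES = {"ghost.exe", "cring.exe"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")

def classify(event, detail):
    """Map a raw event to a playbook stage, or None if it is not relevant."""
    if event == "process_start":
        image = detail.split("=", 1)[1] if "=" in detail else ""
        basename = re.split(r"[\\/]", image)[-1].lower()
        return "ransomware_payload" if basename in PAYLOAD_NAMES else None
    return event if event in STAGES else None

def detect_chain(log_text, window_seconds=7200):
    """Return {host: verdict}. 'full_chain' means every stage was seen on that
    host, in the described order, within the window; 'payload_only' means the
    payload name fired without the earlier stages (still worth triage)."""
    first_seen = {}  # host -> {stage: first timestamp at which it was seen}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, host, event, detail = m.groups()
        stage = classify(event, detail or "")
        if stage:
            first_seen.setdefault(host, {}).setdefault(stage, datetime.fromisoformat(ts))
    alerts = {}
    for host, seen in first_seen.items():
        times = [seen[s] for s in STAGES if s in seen]  # listed in playbook order
        in_order = times == sorted(times)
        span = (times[-1] - times[0]).total_seconds()
        if len(times) == len(STAGES) and in_order and span <= window_seconds:
            alerts[host] = "full_chain"
        elif "ransomware_payload" in seen:
            alerts[host] = "payload_only"
    return alerts
```

On the sample above, web01 completes the chain while fs02 only shows the payload arriving from a share, which is the lateral-movement pattern the report describes.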


Mitigating The Ghost Ransomware Attacks

You can refer to the previously mentioned FBI advisory for detailed Ghost mitigation recommendations, but in the meantime, here’s the quick Ghost cybersecurity blueprint as provided by Blackfog.

  • Regularly back up your data and store copies offline and isolated from your network.
  • Keep your operating systems, applications, and firmware updated.
  • Protect all accounts with multi-factor authentication.
  • Employ network segregation tactics to prevent privilege escalation and lateral movement by the Ghost ransomware attackers.
