FBI and CISA warn about continuing attacks by Chinese ransomware group Ghost

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory about the activities of a ransomware group from China dubbed Ghost, which has compromised organizations in over 70 countries over the past four years.

The Ghost group began its activities in early 2021, but attacks have been observed as recently as last month. It seems the attackers regularly change their ransomware payloads, ransom text, the extension for encrypted files, or the email addresses used for ransom demands. This has led to the group being referred to under different names over the years, including Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarad, and Rapture.

The group primarily gains access to networks by exploiting known vulnerabilities in web applications, servers, and hardware appliances that are exposed to the internet and haven’t been patched. Victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and many small- and medium-sized businesses, the agencies said.
