Ghost (Cring) Ransomware: Understanding The Threat & How Enterprises Can Defend Themselves


On February 19, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint cybersecurity advisory (AA25-050A) on Ghost (Cring) ransomware. Active since early 2021, the group has compromised organizations in more than 70 countries by exploiting internet-facing services that run outdated, unpatched software and firmware, then abusing weak credential protection and flat networks once inside. Every vulnerability it is known to use has had a vendor fix available for years.

Ghost (Cring) is a highly adaptable threat group that frequently rotates ransomware executables and file extensions, alters ransom note text, and switches contact email addresses, which makes tracking and attribution difficult. The same activity has been reported under names including Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.

Who is at Risk?

Ghost (Cring) ransomware actors take an indiscriminate approach, targeting organizations across industries, including:

  • Critical Infrastructure
  • Financial Institutions
  • Government Agencies
  • Healthcare Organizations
  • Educational Institutions
  • Religious Institutions
  • Manufacturing & Technology Companies
  • Small and Medium-Sized Businesses

Many victims are targeted due to outdated security measures, weak credential protections, and a lack of network segmentation, allowing attackers to move laterally within networks once access is gained.

How Ghost (Cring) Ransomware Operates

Ghost actors gain initial access by exploiting known, long-patched vulnerabilities in internet-facing services (the CVEs listed in the next section). Once inside, they:

  1. Establish a Foothold – A web shell is uploaded to the compromised server and used to download and run Cobalt Strike Beacon, the group's primary post-exploitation tool.
  2. Escalate Privileges and Harvest Credentials – Cobalt Strike's built-in functions and open-source tools such as Mimikatz are used to obtain administrator and, where possible, domain administrator credentials.
  3. Move Laterally – Windows Management Instrumentation Command-Line (WMIC) is used to run PowerShell on other systems and spread Cobalt Strike beacons. Dwell time is short, often a few days, and Ghost actors have been observed abandoning victims where segmentation makes lateral movement difficult.
  4. Disable Defenses and Recovery – Windows Defender is switched off through PowerShell, volume shadow copies are deleted, and Windows event logs are cleared, so on-host recovery points and evidence are gone by the time the ransom note appears.
  5. Deploy Ransomware Payloads – Executables named in the advisory include Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe; initial compromise and encryption have been observed on the same day.
  6. Leave Ransom Notes – Payment is demanded in cryptocurrency and the note claims that stolen data will be sold if the ransom is not paid. The advisory notes that Ghost actors do not frequently exfiltrate significant volumes of data, so the "double extortion" threat is mostly leverage; exfiltration should still be checked for in network and proxy logs rather than assumed either way.
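The defense-evasion steps above (disabling endpoint protection, deleting shadow copies, clearing logs, remote execution through WMIC) are the events worth alerting on, because they occur minutes before encryption and are far more reliable than payload file names. The following is an added example, not code from the advisory or from this page: a small detection routine run over constructed process-creation records in a Sysmon Event ID 1 or Security 4688 style (the field names are assumptions), flagging each behaviour with its MITRE ATT&CK technique and then correlating high-severity hits per host. It is the kind of logic the monitoring recommendations later on this page expect a SIEM to carry.

```python
import re
from dataclasses import dataclass

# Added example, not code from the advisory or this page. Input is a list of
# process-creation records (Sysmon Event ID 1 / Security 4688 style); the field
# names host, user, image and cmdline are assumptions for this example.
# Note: Security 4688 only carries the command line when the policy
# "Include command line in process creation events" is enabled.


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str        # MITRE ATT&CK technique ID
    severity: str
    pattern: re.Pattern


RULES = [
    Rule("defender-disable", "T1562.001", "high",
         re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I)),
    Rule("shadow-copy-delete", "T1490", "high",
         re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    Rule("recovery-disable", "T1490", "high",
         re.compile(r"bcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no", re.I)),
    Rule("event-log-clear", "T1070.001", "high",
         re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+", re.I)),
    Rule("wmic-remote-exec", "T1047", "high",
         re.compile(r"wmic(\.exe)?\s+/node:\S+.*process\s+call\s+create", re.I)),
    Rule("encoded-powershell", "T1059.001", "medium",
         re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
]

# Payload file names from the advisory. A name is a weak indicator (trivially
# renamed, and "ghost.exe" also exists as a legitimate product), so it is scored
# "medium" and only matters alongside a behavioural hit on the same host.
PAYLOAD_NAME = re.compile(r"\b(cring|ghost|elysiumo|locker)\.exe\b", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    technique: str
    severity: str
    cmdline: str


def scan_event(event: dict) -> list:
    """Return every Finding a single process-creation record triggers."""
    cmdline = event.get("cmdline", "")
    image = event.get("image", "")
    hits = []
    for rule in RULES:
        if rule.pattern.search(cmdline):
            hits.append(Finding(event["host"], event["user"], rule.name,
                                rule.technique, rule.severity, cmdline))
    if PAYLOAD_NAME.search(f"{image} {cmdline}"):
        hits.append(Finding(event["host"], event["user"], "payload-name",
                            "T1486", "medium", cmdline))
    return hits


def scan(events) -> list:
    findings = []
    for event in events:
        findings.extend(scan_event(event))
    return findings


def hosts_with_precursors(findings, minimum: int = 2) -> set:
    """Hosts with at least `minimum` distinct high-severity behaviours.
    Defender off plus shadow copies deleted on one host is the pattern that
    immediately precedes encryption: isolate that host, do not just ticket it."""
    per_host = {}
    for f in findings:
        if f.severity == "high":
            per_host.setdefault(f.host, set()).add(f.rule)
    return {host for host, rules in per_host.items() if len(rules) >= minimum}


# Constructed sample events: two benign, then the sequence described above.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"host": "WS02", "user": "backup-svc", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},                     # list, not delete
    {"host": "FS01", "user": "CORP\\Administrator",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "FS01", "user": "CORP\\Administrator", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "user": "CORP\\Administrator", "image": r"C:\Users\Public\Locker.exe",
     "cmdline": "Locker.exe"},
    {"host": "DC01", "user": "CORP\\Administrator", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:FS02 process call create "cmd.exe /c C:\ProgramData\Ghost.exe"'},
    {"host": "WS03", "user": "bob",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.severity:6} {f.technique:9} {f.host:5} {f.rule:20} {f.cmdline}")
    print("isolate:", sorted(hosts_with_precursors(results)))
```

The patterns are deliberately narrow (`delete shadows`, not every `vssadmin` call) so that routine administration does not page anyone; in production, pair them with the advisory's file hashes and note email addresses rather than the bare executable names.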

Notable Exploited Vulnerabilities

Ghost actors gain access through publicly known vulnerabilities, all of which have patches available and all of which appear in CISA's Known Exploited Vulnerabilities catalog:

  • CVE-2018-13379 – Path traversal in the Fortinet FortiOS SSL VPN web portal that lets an unauthenticated attacker read system files, including session data that yields valid VPN credentials
  • CVE-2010-2861 – Directory traversal in the Adobe ColdFusion administrator console that exposes configuration files, including the administrator password hash
  • CVE-2009-3960 – XML external entity (XXE) injection in Adobe BlazeDS, as shipped with ColdFusion, allowing remote disclosure of files
  • CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 – The Microsoft Exchange "ProxyShell" chain: pre-authentication path confusion, privilege escalation in the Exchange PowerShell backend, and a post-authentication arbitrary file write, together giving unauthenticated remote code execution and a web shell on the server

How Enterprises Can Defend Against Ghost (Cring) Ransomware

To reduce the risk of a Ghost (Cring) intrusion, enterprises should adopt a layered approach. The controls below follow the order of the intrusion: close the entry point first, then limit what an intruder can do once inside.

  1. Apply Security Patches & Update Systems
  • Patch the vulnerabilities Ghost actors are known to exploit (ProxyShell, the Fortinet SSL VPN path traversal, the ColdFusion flaws) before anything else; each has had a fix available for years.
  • Keep operating systems, applications, and firmware current, prioritizing internet-facing systems and anything listed in CISA's Known Exploited Vulnerabilities catalog.
  • Monitor vendor alerts and apply fixes for newly disclosed vulnerabilities in exposed products promptly.
  2. Implement Robust Access Controls
  • Require phishing-resistant Multi-Factor Authentication (MFA) on all privileged accounts and every remote-access service (VPN, webmail, administrative portals).
  • Enforce least privilege so that a compromised web server or service account cannot reach domain administrator rights.
  • Disable inactive accounts and review access regularly; alert on newly created local or domain administrator accounts.
  3. Segment Network Traffic
  • Separate critical assets from general IT so that a foothold on one internet-facing server cannot reach file servers and domain controllers; Ghost actors have been observed moving on when segmentation blocks lateral movement.
  • Use firewalls and VLANs to control traffic between zones, and block workstation-to-workstation SMB and WMI/RPC where it is not needed.
  • Restrict Remote Desktop Protocol (RDP) and other high-risk services to VPN-only access.
  4. Strengthen Endpoint Security
  • Deploy Endpoint Detection and Response (EDR) and alert on attempts to disable it; tampering with endpoint protection is part of the Ghost playbook.
  • Use application allowlisting so that unsigned executables dropped into user-writable paths cannot run.
  • Restrict PowerShell, macros, and other scripting tools to administrators, and enable PowerShell script block logging so that abuse is visible.
  5. Enhance Email & Phishing Protection
  • Deploy the email authentication standards SPF, DKIM, and DMARC so that your domains are harder to spoof.
  • Use automated email filtering to block malicious attachments and links.
  • Conduct regular phishing awareness training. Ghost's observed initial access is exploitation of internet-facing services rather than phishing, so treat these controls as defense in depth, not as the primary barrier against this actor.
  6. Implement a Strong Backup & Recovery Plan
  • Maintain regular, encrypted backups stored offline or in immutable storage that cannot be altered or deleted with domain credentials.
  • Test restores, not just backup jobs, so that recovery time is known before an incident.
  • Snapshots speed up recovery, but volume shadow copies and any snapshot reachable from the compromised network are among the first things Ghost actors delete; they complement offline copies and do not replace them.
  7. Continuously Monitor for Threats
  • Enable process-creation logging with command lines (Sysmon or Security event 4688) on servers and workstations and forward it to a central store.
  • Alert on the specific precursors of encryption: Windows Defender being disabled, volume shadow copies deleted, event logs cleared, remote command execution via WMIC, and encoded PowerShell, as well as unauthorized logins and privilege escalation attempts.
  • Load the advisory's indicators of compromise (file hashes, ransom-note email addresses) into the Security Information and Event Management (SIEM) system and EDR, and search historical data for them.
  8. Limit Exposure of Internet-Facing Services
  • Close or firewall services that do not need to be reachable from the internet, in particular RDP (3389), FTP (21), and SMB (445).
  • Require VPN access for administrative functions instead of exposing management interfaces directly.
  • Put Web Application Firewalls (WAFs) and Intrusion Prevention Systems (IPS) in front of the remaining web-facing services, and scan your own external address space regularly so that you find exposed services before the actors do.
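Two of the recommendations above (patch the listed CVEs, and keep RDP, FTP, and SMB off the internet) can be checked against an external scan of your own address space. The following is an added example, not code from the advisory or from this page: it parses nmap's grepable (-oG) output, which is a real format, and reports high-risk ports that are open plus banners that match the products behind the CVEs in the Notable Exploited Vulnerabilities section. The scan text, hostnames, and addresses are constructed for the example, and a banner match means "confirm this host's patch level", not "this host is vulnerable".

```python
import re
from dataclasses import dataclass

# Added example, not code from the advisory or this page. Reads nmap -sV -oG
# output for an external scan; the scan below, including every address and
# hostname, is constructed for the example.


@dataclass(frozen=True)
class Service:
    ip: str
    hostname: str
    port: int
    proto: str
    name: str       # nmap service name, e.g. "ms-wbt-server"
    version: str    # nmap -sV product string, may be empty


@dataclass(frozen=True)
class Finding:
    kind: str       # "exposed-port" or "verify-patch"
    subject: str
    cves: tuple = ()


# Services the page says should not be reachable from the internet.
HIGH_RISK_PORTS = {3389: "RDP", 21: "FTP", 445: "SMB"}

# Products behind the CVEs listed on the page, keyed on a lowercase substring
# of the nmap banner. Banner version strings are unreliable, so a hit means
# "verify the patch level on this host", never "vulnerable".
WATCHLIST = {
    "fortigate": ("Fortinet SSL VPN", ("CVE-2018-13379",)),
    "coldfusion": ("Adobe ColdFusion", ("CVE-2010-2861", "CVE-2009-3960")),
    "exchange": ("Microsoft Exchange",
                 ("CVE-2021-34473", "CVE-2021-34523", "CVE-2021-31207")),
}

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+([^\t]*)")


def parse_grepable(text: str) -> list:
    """Return one Service per open port. Each entry in the Ports: field is
    port/state/proto/owner/service/rpcinfo/version/ ; nmap writes '|' instead
    of '/' inside fields, and the join below keeps the version intact if a
    stray slash ever slips through."""
    services = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue            # comment lines and "Status:" lines carry no ports
        ip, hostname, ports = m.groups()
        for entry in ports.split(", "):
            parts = entry.split("/")
            if len(parts) < 8 or parts[1] != "open":
                continue
            services.append(Service(ip, hostname, int(parts[0]), parts[2],
                                    parts[4], "/".join(parts[6:-1])))
    return services


def assess(services) -> dict:
    """Map IP -> deduplicated findings; hosts with nothing to report are omitted."""
    report = {}
    for s in services:
        found = report.setdefault(s.ip, [])
        if s.proto == "tcp" and s.port in HIGH_RISK_PORTS:
            hit = Finding("exposed-port", HIGH_RISK_PORTS[s.port])
            if hit not in found:
                found.append(hit)
        banner = f"{s.name} {s.version}".lower()
        for needle, (product, cves) in WATCHLIST.items():
            if needle in banner:
                hit = Finding("verify-patch", product, cves)
                if hit not in found:
                    found.append(hit)
    return {ip: hits for ip, hits in report.items() if hits}


# Constructed sample scan (documentation addresses, fictitious hostnames).
SAMPLE_SCAN = "\n".join([
    "# Nmap 7.94 scan initiated (constructed sample) as: nmap -sV -oG - 203.0.113.8/29",
    "Host: 203.0.113.10 (vpn.example.com)\tStatus: Up",
    "Host: 203.0.113.10 (vpn.example.com)\tPorts: 443/open/tcp//ssl|http//FortiGate SSL VPN/, "
    "10443/open/tcp//ssl|http//FortiGate SSL VPN/\tIgnored State: closed (998)",
    "Host: 203.0.113.11 (mail.example.com)\tPorts: 25/open/tcp//smtp//Microsoft Exchange smtpd/, "
    "443/open/tcp//ssl|http//Microsoft IIS httpd 10.0/, "
    "3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (997)",
    "Host: 203.0.113.12 (legacy.example.com)\tPorts: 21/open/tcp//ftp//Microsoft ftpd/, "
    "445/open/tcp//microsoft-ds///, 8500/open/tcp//http//Adobe ColdFusion httpd/"
    "\tIgnored State: closed (997)",
    "Host: 203.0.113.13 (www.example.com)\tPorts: 443/open/tcp//ssl|http//nginx/, "
    "22/filtered/tcp//ssh///\tIgnored State: closed (998)",
    "# Nmap done (constructed sample)",
])

if __name__ == "__main__":
    for ip, hits in assess(parse_grepable(SAMPLE_SCAN)).items():
        for h in hits:
            extra = f" ({', '.join(h.cves)})" if h.cves else ""
            print(f"{ip}: {h.kind} {h.subject}{extra}")
```

Run it against `nmap -sV -oG scan.txt <your external ranges>` from outside the perimeter; anything in the `exposed-port` list should be unreachable by the next scan, and every `verify-patch` host should be checked against the vendor's fixed versions rather than the banner.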

Conclusion

Ghost (Cring) succeeds against organizations that leave years-old vulnerabilities exposed to the internet, so the defense is unglamorous: patch the listed CVEs, enforce MFA on remote access, segment networks so a web server cannot reach the domain, alert on the precursors of encryption, and keep backups the actors cannot delete. The advisory also provides indicators of compromise, including MD5 hashes of files associated with Ghost activity and a subset of email addresses used in Ghost ransom notes; these belong in SIEM and EDR blocklists and in a retrospective search of existing logs.
