CISA and FBI warn of Ghost ransomware gang
The US authorities CISA and FBI are currently warning about the Chinese ransomware gang Ghost. It is said to be active in over 70 countries.
(Image: Created with AI in Bing Designer by heise online / dmk)
The US authorities CISA, FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have jointly published an analysis of the activities of the Ghost ransomware gang. In it, they pool findings from investigations into cyber incidents.
In the security memo, the authorities write that Ghost's criminal activities began in early 2021. Since then, they have been attacking services accessible on the internet that rely on outdated versions of software or firmware. They have compromised facilities in more than 70 countries – including China. This is also where the authors believe the gang members are based. Their attacks were aimed at financial enrichment.
Ghost victims from various sectors
The affected victims came from various sectors: Critical infrastructure (KRITIS), schools and universities, healthcare, government networks, religious institutions, tech and manufacturing companies and numerous small and medium-sized enterprises. The Ghost gang members are extremely agile. They change the executable payload, change file suffixes for encrypted files, modify the ransom messages and use various ransom e-mail addresses. Over time, this has led to various different names for one and the same group, such as Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada and Rapture.
At the same time, the Ghost perpetrators are also somewhat lazy. They apparently do not develop exploits for vulnerabilities themselves, but simply use publicly available exploit code for vulnerabilities in very outdated software on internet-facing servers. The authors have observed Ghost attacks on vulnerabilities in Fortinet FortiOS (CVE-2018-13379), servers with Adobe ColdFusion (CVE-2010-2861, CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604) and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207; the chain is also known as "ProxyShell"), some of which are more than 15 years old.
Once it has penetrated the vulnerable systems, Ghost places webshells and deploys Cobalt Strike beacons. However, the criminal gang does not attach great importance to persistence, spending only a few days in the victims' networks. They have sporadically created new local and domain accounts and changed the passwords of existing accounts. The attackers often misuse the Cobalt Strike tool to escalate their privileges. They have also used other open source tools for this purpose, with the US authorities citing "SharpZeroLogon", "SharpGPPPass", "BadPotato" and "GodPotato".
All-purpose weapon Cobalt Strike
The perpetrators also use Cobalt Strike to list the running processes and search for antivirus software in order to terminate it. Ghost members very often used commands to disable Microsoft Defender on devices connected to the network. With elevated access rights, gang members also move further into the network: using WMIC (Windows Management Instrumentation Command-Line), they run PowerShell commands on other systems in the victim's network, for example to install additional Cobalt Strike beacons.
Finally, the attackers claim that copied data will be sold if no ransom is paid. However, the Ghost gang members do not often exfiltrate data containing significant information or files with IP (Intellectual Property) or Personally Identifiable Information (PII). The FBI has only observed limited downloading of data to Cobalt Strike Team servers. There were few reports that the perpetrators used the Mega.nz hosting service. The typical amount of data was "less than hundreds of gigabytes".
Command and control (C2) is carried out by Ghost in particular with Cobalt Strike Beacons and Cobalt Strike Team servers. The gang rarely bothers to register domains for its C2 servers, instead connecting directly to IP addresses. They generally use mail service providers such as Tutanota, Skiff, ProtonMail, Onionmail and Mailfence. Ghost uses the files Cring.exe, Ghost.exe, ElysiumO.exe and Locker.exe to encrypt the data in the victim networks. They also delete the Windows event logs and shadow copies and deactivate the volume shadow copy service to make it more difficult to restore the data.
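As an added defender-side example (not code from the advisory or from heise), a small Python scanner that flags the behaviours described above (shadow copy deletion, VSS service disabling, event log clearing, Defender disabling, WMIC-launched remote PowerShell) in process-creation records; the command patterns, the `host | user | command` record format and the sample records are assumptions constructed for this example.

```python
import re

# Detection rules keyed by the behaviour the advisory describes. The command
# patterns are common ways of doing each thing on Windows; they are assumptions
# for this example, not commands quoted from the advisory.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "vss_service_disabled": re.compile(
        r"sc(\.exe)?\s+config\s+vss\s+start=\s*disabled|Set-Service\s+.*vss.*Disabled", re.I),
    "event_log_cleared": re.compile(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\s+|Clear-EventLog", re.I),
    "defender_disabled": re.compile(
        r"Set-MpPreference\s+-Disable\w+Monitoring\s+\$?true", re.I),
    "wmic_remote_powershell": re.compile(
        r"wmic(\.exe)?\s+/node:\S+.*process\s+call\s+create\s+.*powershell", re.I),
}

def classify(command_line):
    """Return the names of every rule a single process command line matches."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]

def scan(log_lines):
    """Parse 'host | user | command' records (constructed format) and return
    hits as (host, user, rule, command) tuples, one per matching rule."""
    hits = []
    for line in log_lines:
        host, user, cmd = (p.strip() for p in line.split("|", 2))
        for rule in classify(cmd):
            hits.append((host, user, rule, cmd))
    return hits

# Constructed sample of process-creation records, not real telemetry.
SAMPLE_LOG = [
    "srv01 | CORP\\admin | C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "srv01 | CORP\\svc_backup | vssadmin.exe delete shadows /all /quiet",
    "srv01 | CORP\\svc_backup | sc.exe config vss start= disabled",
    "srv01 | CORP\\svc_backup | wevtutil.exe cl Security",
    "srv02 | CORP\\svc_backup | powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "srv02 | CORP\\svc_backup | wmic.exe /node:srv03 process call create \"powershell.exe -c Get-Process\"",
    "srv03 | CORP\\jdoe | notepad.exe C:\\Users\\jdoe\\notes.txt",
]

if __name__ == "__main__":
    for host, user, rule, cmd in scan(SAMPLE_LOG):
        print(f"{host} {user} {rule}: {cmd}")
```

Several of these hits from one account on one host within minutes is the pattern worth alerting on; a single shadow copy deletion by a backup job may be legitimate.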
The US authorities also list Indicators of Compromise (IOCs) in their analysis. Interested parties can use this to check whether they may have fallen victim to the Ghost cybergang.
(dmk)