China-backed Ghost ransomware hits 70+ countries with same-day attacks

Published 21 Feb 2025


China-backed hackers have struck organizations in more than 70 countries. The attackers deploy ransomware within hours of gaining access.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint warning on February 19, 2025, about the “smash-and-grab” ransomware operation.

Ghost ransomware strikes without phishing. The group exploits unpatched, internet-facing systems directly and encrypts victims’ data within hours of initial access.

“In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day,” the advisory states. Traditional ransomware groups typically spend weeks or months inside networks before striking.

The Ghost actors hunt for specific vulnerabilities in Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and Exchange servers. Once inside, they deploy Cobalt Strike for command-and-control before launching their encryption tools. Roger Grimes of KnowBe4 notes that unpatched software and firmware are involved in at least a third of successful compromises.

Victims span multiple sectors: critical infrastructure, healthcare, government networks, education, technology, manufacturing, and religious institutions. The group demands cryptocurrency payments ranging from tens to hundreds of thousands of dollars.

A distinctive trait: Ghost rarely steals significant data despite threatening to leak files. The FBI observed only “limited downloading of data to Cobalt Strike Team Servers.” This suggests the group relies on empty threats rather than actual data theft to pressure victims.

Ghost actors have been active since early 2021. Because the group changes tactics quickly, its attacks have been attributed under various names, including Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. They abandon attacks when they meet robust security measures and move on to easier targets instead.

“Given that the products Ghost targets are designed for businesses and the CVEs being exploited are so outdated, this highlights an urgent need to reinforce fundamental security practices,” says Simon Phillips, chief technology officer at SecureAck.

Organizations have minimal time to detect and respond to Ghost’s incursions. The short attack window demands heightened vigilance against outdated software vulnerabilities and faster incident response capabilities.

Federal authorities recommend offline backups, prompt patching, network segmentation, and strong authentication for all critical accounts. The advisory, released as part of CISA’s #StopRansomware campaign, contains detailed indicators of compromise and technical analysis from FBI investigations through January 2025.
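Because Ghost moves from compromise to encryption within a day, the practical question for defenders is which exposed hosts to patch first. The following script is an added example, not code from the article, the advisory, or any vendor: it scores a constructed asset inventory by whether a host runs one of the product families the advisory names, how long it has gone unpatched, whether it is internet-facing, and whether the recommended controls (MFA on admin accounts, offline backups) are in place. The product list comes from the article; the scoring weights, the 30-day staleness threshold, the host names and the dates are assumptions made for the example, and no CVE identifiers are used because the page does not list them.

```python
"""Patch-exposure triage for the product families named in the Ghost advisory.

Added example (not from the article or the advisory). Ranks hosts from a
constructed inventory so that internet-facing, long-unpatched instances of
the products Ghost is reported to exploit are handled first.
"""
from datetime import date

# Product families the advisory names as targets (taken from the article).
TARGETED_PRODUCTS = {"fortios", "coldfusion", "sharepoint", "exchange"}

# Staleness threshold and weights are assumptions for this example,
# not advisory guidance.
STALE_DAYS = 30

# Reference date used for "days unpatched"; the article's publication date.
REFERENCE_DATE = date(2025, 2, 21)


def exposure_score(host: dict, today: date) -> int:
    """Return a risk score for one inventory record (higher = patch first)."""
    score = 0
    # Running a product family the advisory names is the biggest single factor.
    if host["product"].lower() in TARGETED_PRODUCTS:
        score += 40
    # Each full STALE_DAYS interval without patching adds 10, capped at 50.
    days_unpatched = (today - host["last_patched"]).days
    if days_unpatched > STALE_DAYS:
        score += min(days_unpatched // STALE_DAYS, 5) * 10
    # Ghost exploits internet-facing systems directly, so exposure matters.
    if host["internet_facing"]:
        score += 20
    # Missing recommended controls (strong auth, offline backups) add risk.
    if not host["mfa_on_admin"]:
        score += 10
    if not host["offline_backup"]:
        score += 10
    return score


def triage(inventory: list[dict], today: date = REFERENCE_DATE) -> list[tuple[str, int]]:
    """Rank hosts by exposure score, highest first; ties broken by name."""
    ranked = [(h["name"], exposure_score(h, today)) for h in inventory]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


# Constructed sample inventory; host names, dates and control states are made up.
SAMPLE_INVENTORY = [
    {"name": "vpn-edge-1", "product": "FortiOS", "last_patched": date(2024, 6, 1),
     "internet_facing": True, "mfa_on_admin": False, "offline_backup": True},
    {"name": "cf-web-2", "product": "ColdFusion", "last_patched": date(2023, 11, 15),
     "internet_facing": True, "mfa_on_admin": True, "offline_backup": True},
    {"name": "mail-1", "product": "Exchange", "last_patched": date(2025, 2, 10),
     "internet_facing": True, "mfa_on_admin": True, "offline_backup": True},
    {"name": "intranet-1", "product": "SharePoint", "last_patched": date(2024, 10, 1),
     "internet_facing": False, "mfa_on_admin": True, "offline_backup": True},
    {"name": "fileserver-9", "product": "Windows Server", "last_patched": date(2025, 1, 20),
     "internet_facing": False, "mfa_on_admin": True, "offline_backup": True},
]

if __name__ == "__main__":
    for name, score in triage(SAMPLE_INVENTORY):
        print(f"{score:4d}  {name}")
```

Run as written, the script puts the long-unpatched, internet-facing FortiOS and ColdFusion hosts at the top and the non-targeted, recently patched file server at the bottom. The weights are deliberately simple; the point is that a same-day attacker leaves no time for a patch cycle, so the ordering should be driven by exposure and product family rather than by a generic severity feed alone.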