Overview
- The FBI and CISA issued a joint advisory warning of Ghost ransomware attacks affecting industries such as healthcare, education, government, and critical infrastructure across more than 70 countries.
- Ghost ransomware operators exploit unpatched vulnerabilities in widely used software, including Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange (ProxyShell).
- The group, active since 2021, frequently rotates malware payloads, ransom note formats, and email addresses, complicating attribution and detection.
- The advisory recommends urgent actions such as maintaining offline backups, patching known vulnerabilities, implementing network segmentation, and enforcing phishing-resistant multi-factor authentication (MFA).
- Ghost ransomware has been linked to Chinese threat actors; after initial compromise, the operators use tools such as Cobalt Strike to move laterally within networks and to disable antivirus protections.