A Feb. 19 alert from the Cybersecurity and Infrastructure Security Agency and the FBI said threat actors known as “Ghost” are conducting ransomware attacks on multiple targets in more than 70 countries. Forbes reported that the group, believed to be working out of China, goes by many names, including Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada and Rapture.
The group doesn’t typically use phishing techniques, a common scammer method that involves impersonating a legitimate source to prompt someone to click on a phony link or provide personal information.
Instead, Ghost uses publicly available code to exploit security vulnerabilities in software and firmware that have not been corrected. Forbes said the group does this to gain access to Internet-facing servers and strike with ransomware payloads.
“Beginning early 2021, Ghost actors began attacking victims whose Internet facing services ran outdated versions of software and firmware,” the FBI alert noted. “Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.”
Some of the ransomware files Ghost used during the attacks were Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.
To prevent the attacks, the FBI advises:
- Maintain regular system backups. “Ghost ransomware victims whose backups were unaffected by the ransomware attack were often able to restore operations without needing to contact Ghost actors or pay a ransom,” the FBI alert noted.
- Patch known vulnerabilities. This includes applying timely security updates to operating systems, software and firmware.
- Train workers to recognize phishing attempts.
- Identify and alert others to abnormal network activity.
©2025 Advance Local Media LLC, Distributed by Tribune Content Agency, LLC.