- The FBI and CISA have warned about the operators of Ghost ransomware
- The threat actors hit critical infrastructure, government and other organizations
- They break into networks through unpatched, vulnerable internet-facing endpoints
Cybercriminal groups using the Ghost ransomware variant have so far breached organizations in more than 70 countries around the world, experts said.
A new joint security advisory, recently published by the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), notes that the groups primarily target critical infrastructure organizations, but are also interested in healthcare, government, technology, manufacturing and other verticals. Victim organizations range from large enterprises to small and medium-sized businesses (SMBs).
“Beginning early 2021, Ghost actors began attacking victims whose internet-facing services ran outdated versions of software and firmware,” the three agencies said in the report. “This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations in more than 70 countries, including organizations in China.”
Different names
Because the groups use different names, different file extensions, different ransom notes and more, attribution has been relatively difficult, the advisory explains. They have apparently operated under several names, including Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada and Rapture. Among the encryptors, the researchers observed Cring.exe, Ghost.exe, ElysiumO.exe and Locker.exe.
To compromise their victims, the groups go after unpatched endpoints. Most of the time, they targeted flaws in Fortinet (CVE-2018-13379), ColdFusion (CVE-2010-2861, CVE-2009-3960) and Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
The best way to defend against Ghost ransomware operators is to keep software and hardware up to date. All of the vulnerabilities listed in the report have already been patched by their respective vendors, so mitigating the risk is as simple as applying the fix.
Beyond the flaws listed above, state-sponsored hackers have also exploited CVE-2018-13379 to, among other things, breach internet-exposed US support systems. This bug was patched years ago, with Fortinet warning about its abuse many times throughout 2019, 2020 and 2021.
Via BleepingComputer