The Ghost ransomware is wreaking havoc: more than 70 countries have been affected

The United States is sounding the alarm about the Ghost ransomware. In a press release, the FBI and the Cybersecurity and Infrastructure Security Agency indicate that they have detected a host of cyberattacks orchestrated by the virus since 2021. According to the authorities, more than 70 different countries have been targeted by cybercriminals in the space of a few years.

Several organizations located in China are among the victims. The group is targeting entities, such as “critical infrastructure, schools and universities, the healthcare sector, government networks, religious institutions, technology and manufacturing companies, and many small and medium-sized businesses”. The list of targeted sectors is particularly broad.

Ransomware that covers its tracks

For a time, Ghost attacks were difficult to identify. To evade detection, hackers often made small changes to their ransom notes, their modus operandi, and their various tools. Cybercriminals also use multiple email addresses for ransom-related communications, allowing them to hide behind different identities, such as Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.

Hackers are adept at using the double extortion strategy. Indeed, criminals “frequently claim that stolen data will be sold if the victim does not pay the ransom”. This approach increases the chances that the victim will pay the money. Furthermore, data backups are no longer sufficient to protect yourself against ransomware in the event of a double extortion. That’s why the strategy is widely adopted by extortion professionals, including the leader LockBit.

Outdated software and known vulnerabilities

Having emerged four years ago, Ghost focuses on “organizations using outdated versions of software and firmware on their online services”. Cybercriminals look for companies that have left security holes open by neglecting to install patches and updates.

To slip their ransomware onto their targets' systems, hackers rely on "known vulnerabilities by leveraging publicly available code, taking advantage of the lack of security updates to infiltrate servers exposed to the Internet." Among the flaws exploited by Ghost are breaches in Fortinet VPNs, vulnerabilities in Adobe ColdFusion, and flaws in Microsoft Exchange code. As several studies show, VPNs remain one of the favorite entry points for extortion specialists.

In this context, the American authorities strongly recommend that companies correct all software flaws as soon as possible, starting with the vulnerabilities already exploited by Ghost. As Tenable points out in a response to 01Net, “cyber attackers have demonstrated time and time again that they are tenacious and will exploit these unpatched vulnerabilities, regardless of the industry or size of the victim organization.”
