Chinese Cybercriminals: How the Ghost Ransomware Group Operates

How the gang is attacking companies and infrastructure around the world

The Chinese ransomware gang Ghost is currently wreaking havoc around the world. Using sophisticated tactics, techniques, and procedures (TTPs), the group is targeting government agencies and organizations that provide critical national infrastructure. Its primary targets include companies in the education, healthcare, technology, and manufacturing sectors. The gang has already been active in more than 70 countries, exploiting known security vulnerabilities.

Ghost: A Global Cybercrime Network

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have recently issued a joint cybersecurity advisory. The advisory describes the techniques used by the ransomware gang and outlines protective measures.

The attackers primarily target vulnerabilities in internet-facing devices, often ones for which patches have been available for more than ten years. This highlights the importance of consistent patch management in reducing the attack surface.

Primary targets of Ghost:

  1. Technology and manufacturing companies
  2. Government agencies
  3. Critical national infrastructure
  4. Education and healthcare sectors

Ghost's Approach: Tactics and Techniques

The advisory documents activity by the Ghost ransomware gang across 11 MITRE ATT&CK tactics:

  1. Initial access (TA0001):
  • Exploitation of known vulnerabilities (e.g., Fortinet devices, Microsoft SharePoint servers)
  • Installation of web shells and download of Cobalt Strike beacons

  2. Execution (TA0002):
  • Use of web shells to execute commands
  • Download and execution of Cobalt Strike beacons

  3. Persistence (TA0003):
  • Creating new user accounts
  • Changing passwords for existing accounts

  4. Privilege escalation (TA0004):
  • Use of tools such as BadPotato and SharpZeroLogon to escalate privileges

  5. Defense evasion (TA0005):
  • Disabling endpoint security solutions

  6. Credential access (TA0006):
  • Use of Mimikatz to capture passwords and hashes

  7. Discovery (TA0007):
  • Scanning the network for login credentials and sensitive data

  8. Lateral movement (TA0008):
  • Using PowerShell commands to install additional Cobalt Strike beacons

  9. Exfiltration (TA0010):
  • Use of Cobalt Strike Team Server or Mega.nz for data exfiltration

  10. Command and control (TA0011):
  • Use of HTTP/HTTPS for communication with attacker-controlled servers

  11. Impact (TA0040):
  • Encryption of data by the ransomware (e.g., CRING.EXE, GHOST.EXE)
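As an added example (not from the advisory or this post), a small detector for the persistence step above (TA0003: new accounts and changed passwords). It reads Windows Security events 4720 (user account created) and 4724 (password reset attempt) from a constructed JSON-lines export, flags account management by principals outside an assumed allowlist, and raises the severity when the same actor creates an account and then resets another account's password within a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs for the persistence behaviours in the list above.
ACCOUNT_CREATED = 4720  # A user account was created
PASSWORD_RESET = 4724   # An attempt was made to reset an account's password
APPROVED_ADMINS = {"helpdesk1"}  # assumed allowlist of account-management principals
CORRELATION_WINDOW = timedelta(minutes=15)

# Constructed sample export (JSON lines); the field names are assumed, not a vendor format.
SAMPLE_EVENTS = """
{"time": "2025-03-01T02:14:05", "event_id": 4720, "subject": "svc-web", "target": "sysadmin2"}
{"time": "2025-03-01T02:15:40", "event_id": 4724, "subject": "svc-web", "target": "backup_admin"}
{"time": "2025-03-01T09:30:00", "event_id": 4720, "subject": "helpdesk1", "target": "j.doe"}
{"time": "2025-03-01T09:31:00", "event_id": 4624, "subject": "j.doe", "target": ""}
"""


def parse_events(text):
    """Parse JSON-lines events, converting 'time' to a datetime."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    return events


def detect_persistence(events, approved=APPROVED_ADMINS, window=CORRELATION_WINDOW):
    """Flag account creation / password resets by unapproved principals (medium)
    and a creation followed by a reset from the same actor within `window` (high)."""
    findings = []
    history = defaultdict(list)  # subject -> earlier account-management events
    for event in sorted(events, key=lambda e: e["time"]):
        if event["event_id"] not in (ACCOUNT_CREATED, PASSWORD_RESET):
            continue
        subject, target = event["subject"], event["target"]
        if subject not in approved:
            findings.append({"severity": "medium", "subject": subject, "target": target,
                             "reason": f"event {event['event_id']} by unapproved principal"})
        if event["event_id"] == PASSWORD_RESET and any(
                p["event_id"] == ACCOUNT_CREATED and event["time"] - p["time"] <= window
                for p in history[subject]):
            findings.append({"severity": "high", "subject": subject, "target": target,
                             "reason": "account created, then another password reset, "
                                       f"by the same actor within {window}"})
        history[subject].append(event)
    return findings
```

On the sample, the approved helpdesk account creation produces no finding, while the off-hours service account produces two medium findings and one high correlation.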

How to Protect Your Business from Ghost

Ghost uses a variety of techniques to gain access to networks and encrypt data. To protect yourself against these attacks, the following measures are essential:

  1. Regular backups:
    • Automatic, secured backups of important data so that systems can be restored quickly.
  2. Anomaly detection:
    • Unusual user behavior, such as unexpected account creation or password changes, may indicate a breach.
  3. Prompt patching:
    • Updating operating systems and software to close known vulnerabilities.
  4. Restricted access rights:
    • Implementation of phishing-resistant multi-factor authentication (MFA).
  5. Network segmentation:
    • Limiting attackers' ability to move laterally within the network.

Conclusion: Stop ransomware gangs like Ghost before it’s too late

The Chinese ransomware gang Ghost exploits vulnerabilities that have been known for years. Companies should therefore not only rely on modern security solutions but also implement basic measures such as regular patching and network segmentation. A comprehensive security strategy can significantly minimize risks and detect attacks early on.
