FBI's Ghost Cyber Warning: All You Need to Know

The FBI and CISA issue a joint advisory warning about the dangers of China’s Ghost ransomware group to businesses and infrastructure
A joint security advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warns that organisations, critical infrastructure, educational and government agencies and more are at risk from a ransomware group called Ghost.
The report describes a group that has been indiscriminately attacking networks with unpatched, internet-exposed vulnerabilities in more than 70 countries since early 2021. Attacks have been observed as recently as January 2025.
Businesses and critical infrastructure targeted
The group, which the FBI assesses to be based in China, is financially motivated and targets victims whose internet-facing services run outdated versions of software and firmware.
The joint advisory warns that: “Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies and numerous small- and medium-sized businesses.”
The group regularly changes its ransomware payloads, ransom text, extension for encrypted files and the email addresses it uses for ransoms – this has led to various names being attributed to its activities, including Ghost, Cring, Crypt3r, Phantom, Strike, Hello and Rapture.
Public facing vulnerabilities exploited
Ghost typically gains initial access to an organisation’s network by exploiting public-facing applications with known, unpatched common vulnerabilities and exposures (CVEs).
This includes leveraging vulnerabilities in commonly used products including Fortinet FortiOS appliances, servers running Adobe ColdFusion, Microsoft SharePoint and Microsoft Exchange. After a successful exploit the group deploys web shells (small malicious scripts planted on the compromised server) and uses them to execute commands on the host.
Its preferred tool is Cobalt Strike Beacon, the implant component of a commercial penetration-testing framework that is widely abused by cybercriminals.
Cobalt Strike lets the actors steal process tokens, dump Windows password hashes for use in unauthorised logins and privilege escalation, and exfiltrate data. The FBI says Ghost also frequently runs a command to disable Windows Defender on network-connected devices.
“Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks,” it notes. “In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day.”
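The two behaviours above, a web server worker spawning a command shell and Windows Defender being switched off, are both visible in ordinary Windows telemetry, and the advisory's point is that spotting them buys the few hours between initial access and encryption. The following is an added illustration written for this article, not code from the FBI, CISA or any vendor: it runs simple detection rules over a handful of constructed process-creation and Defender events. The event field names are a simplification of Sysmon Event ID 1 records, the sample events are invented, and the exact Defender-disabling command Ghost used is not stated in the article, so the command-line patterns are assumptions based on common tampering techniques.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample events (not from the advisory or any real incident).
# Shape loosely follows Sysmon Event ID 1 (process creation) plus one
# Windows Defender Operational log event; field names are my own simplification.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ex01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /c "whoami"'},
    {"id": 1, "host": "ex01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 1, "host": "fs02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 5001, "host": "fs02", "provider": "Microsoft-Windows-Windows Defender",
     "message": "Microsoft Defender Antivirus Real-time Protection is disabled."},
    {"id": 1, "host": "web03", "parent": r"C:\ColdFusion2018\jre\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc SQBFAFgA"},
]

# Shells that a web server worker process should essentially never launch.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Assumed Defender-tampering patterns: the Set-MpPreference -Disable* switches
# and stopping the WinDefend service. Which command Ghost ran is not in the article.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b.*-Disable\w*\s+\$?true|"
    r"\b(sc|net)(\.exe)?\s+stop\s+windefend\b",
    re.IGNORECASE,
)

DEFENDER_PROVIDER = "Microsoft-Windows-Windows Defender"
DEFENDER_RTP_DISABLED = 5001  # Defender Operational log: real-time protection disabled


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def is_web_worker(path: str) -> bool:
    """IIS worker (hosts Exchange/SharePoint) or a ColdFusion JVM, matched by path."""
    base = ntpath.basename(path).lower()
    return base == "w3wp.exe" or "coldfusion" in path.lower()


def scan(events):
    """Return one Finding per matched rule, in event order."""
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["id"] == 1:
            child = ntpath.basename(ev["image"]).lower()
            # Web shell indicator: web server worker -> interactive shell.
            if is_web_worker(ev["parent"]) and child in SHELL_CHILDREN:
                findings.append(Finding(host, "webshell_child_process",
                                        f"{ntpath.basename(ev['parent'])} -> {ev['cmdline']}"))
            # Defender switched off from the command line.
            if DEFENDER_TAMPER.search(ev["cmdline"]):
                findings.append(Finding(host, "defender_tamper_cmdline", ev["cmdline"]))
        elif ev["id"] == DEFENDER_RTP_DISABLED and ev.get("provider") == DEFENDER_PROVIDER:
            # Defender itself reporting that real-time protection was disabled.
            findings.append(Finding(host, "defender_rtp_disabled", ev["message"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.rule:26} {f.detail}")
```

Run against the sample set, the script flags the IIS worker spawning cmd.exe, the Set-MpPreference call, the Defender 5001 event and the ColdFusion JVM launching an encoded PowerShell command, and ignores the benign notepad launch. The parent-child rule is deliberately narrow; in production you would extend SHELL_CHILDREN and the web-worker list to whatever your environment runs, and correlate the Defender event with the process that caused it.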
How to defend against Ghost
According to the FBI, the group uses legitimate email services to communicate with victims, and its ransom notes often claim exfiltrated data will be sold if a ransom is not paid.
However, it says that Ghost actors do not frequently exfiltrate a significant amount of data or files, such as intellectual property or personally identifiable information, that would cause significant harm to victims if leaked. Typically, exfiltration amounts to less than hundreds of gigabytes of data.
“Data encrypted with Ghost ransomware variants cannot be recovered without the decryption key,” says the FBI. “Ghost actors hold the encrypted data for ransom and typically demand anywhere from tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software.”
According to the advisory, the impact of Ghost ransomware varies on a victim-to-victim basis.
Further, it notes that the group tends to move on to other targets when it meets hardened systems, for example where proper network segmentation prevents lateral movement to other devices.
Nonetheless, the FBI and CISA set out several preventative steps and mitigations that organisations should take to improve their cybersecurity posture.
These include maintaining regular system backups stored separately from production systems, so that recovery does not depend on contacting the attackers or paying a ransom; prioritising patches for known vulnerabilities in internet-facing services and keeping systems up to date; segmenting networks to restrict movement between devices; strengthening email security; and investigating any abnormal network activity.
The FBI states: “Organisations that can successfully identify and investigate this activity are better able to interrupt malicious activity before ransomware is executed.”
Cyber Magazine is a BizClik brand