The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint cybersecurity advisory about Ghost (also known as Cring).
The advisory, aimed at network defenders, offers information on Ghost ransomware activity, such as:
- Indicators of compromise (IOCs)
- Tactics, techniques, and procedures (TTPs)
- Detection methods
This information was gathered from Ghost ransomware activity observed in FBI investigations. According to the advisory, Ghost actors enact widespread attacks by targeting organizations with outdated software and firmware on internet facing devices. These threat actors often exploit Common Vulnerabilities and Exposures (CVEs) with publicly available code to gain access to these internet facing devices.
The advisory encourages network defenders to review the risks and take proper precautions to mitigate them.
Security leaders weigh in
Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck:
Attacks on legacy cyber-physical, IoT, and IIoT devices — particularly in an OT environment — are to be expected and must be planned for as part of the operational requirements for the device. Attackers know that best practices evolve and even the most secure device from a decade ago is likely quite vulnerable to a modern-day attack let alone those that may be mounted in the future. Given that the usable life span of any cyber-physical device is measured in years, and potentially decades, organizations acquiring any such device should work closely with their suppliers to ensure a long-term operations and risk mitigation plan is created that covers not only availability of patches but active sharing of threat scenario data.
Darren Guccione, CEO and Co-Founder at Keeper Security:
The Ghost ransomware campaign highlights the persistent reality that adversaries exploit known vulnerabilities faster than many organizations can patch them. This reinforces the critical need for proactive risk management — security leaders must ensure that software, firmware and identity systems are continuously updated and hardened against exploitation.
Beyond patching, identity security is a persistent weak point in defending against ransomware attacks. Threat actors are using harvested credentials to escalate privileges and disable defenses. Enterprises should implement a privileged access management solution to enforce multi-factor authentication, a zero-trust framework and least-privilege access controls to prevent lateral movement. Strong password security is also critical — organizations should eliminate weak and reused credentials by enforcing robust password policies requiring unique, complex passwords that are at least 16 characters long and stored in an enterprise password manager. Regular audits of privileged accounts and eliminating unused credentials can significantly reduce risk of exposure.
This is a global-scale threat, affecting critical infrastructure, healthcare, government and SMBs alike. Security leaders must act decisively to reduce their attack surface, invest in zero-trust architectures and deploy robust endpoint and identity security controls to mitigate ransomware risks before they escalate into business-disrupting incidents.
Rom Carmel, Co-Founder and CEO at Apono:
Ghost’s credential theft is a stark reminder that hackers are always a step ahead. By compromising legitimate accounts, they can infiltrate deeper into environments and target an organization’s most sensitive resources. Verizon’s 2024 DBIR shows stolen credentials remain the top breach factor, responsible for 24% of incidents. To reduce the blast radius of account compromises, organizations must not only authenticate access but also enforce precise, rightsized privileges and limit the availability of access to high-value resources.
Mr. Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens:
As a cyber defense specialist, my first point to understand how they find their victims. Considering they are looking for critical infrastructure which have unpatched weaknesses in VPNs, firewalls, and other network appliances, all they need is one successful attempt to gain initial access to victim networks. Most critical infrastructure cyber security leadership, especially in OT, do not bother much about lateral movement, which is the key to success of this group. This certainly seems to be a global onslaught, purely commercial.