The FBI has issued a warning regarding a Chinese ransomware group known as Ghost. This group has targeted critical infrastructure, educational institutions, and businesses across more than 70 countries.
The FBI recommends implementing security updates and multifactor authentication to guard against ransomware attacks.
In a joint advisory with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI highlighted that Ghost began its indiscriminate attacks on organizations globally starting in 2021. According to their warning, Ghost has now become one of the most prominent ransomware groups, with its attacks continuing as recently as January.
“Ghost actors, based in China, conduct these widespread attacks primarily for financial gain,” states the report. “The victims affected by these attacks include critical infrastructure, educational institutions, healthcare facilities, government networks, religious organizations, technology and manufacturing firms, as well as numerous small- and medium-sized enterprises.”
Ransomware is a form of malware that enables cybercriminals to encrypt a victim’s data until a ransom is paid. In recent years, ransomware attacks have grown increasingly common, often targeting larger corporations or government systems.
A ransomware incident in February 2024 involving Chain Healthcare, a financial arm of healthcare giant UnitedHealth Group, temporarily disrupted the pharmacy sector, resulting in significant delays in processing customer prescriptions.
Typically, ransomware attackers employ phishing techniques, sending fraudulent messages to entice victims into clicking a harmful link that installs malware. However, members of the Ghost group utilize publicly accessible code to exploit known vulnerabilities in software that organizations have not patched, according to the FBI.
The FBI’s alert indicated that Ghost attackers generally gain initial access to networks by exploiting public-facing applications affected by multiple Common Vulnerabilities and Exposures (CVEs). The warning further noted that Ghost actors often state they will sell the victim’s stolen data if the ransom is not paid. Nevertheless, the agency observed that they “do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information that would cause significant harm to victims if leaked.”
The FBI encourages organizations to consult its StopRansomware guide for detailed strategies to protect against ransomware attacks. Some recommended practices include maintaining regular system backups of sensitive data, applying security updates to patch known system vulnerabilities, and using phishing-resistant multifactor authentication for company email accounts.
In case of a ransomware attack, the FBI advises reporting it to the agency. The security advisory emphasizes that the agency is particularly interested in “any information that can be shared, including logs of communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet details, and/or decryptor files.”