
FBI Says Backup Now, Confirms Dangerous Attacks Underway
www.forbes.com
The FBI warns organizations to back up now. (Getty Images)

Update, Feb. 21, 2025: This story, originally published Feb. 20, now includes expert commentary from a number of security professionals regarding the FBI Ghost ransomware warning.

Phishing, social engineering, scams, or whatever label you like to attach to the "click here" campaigns so beloved of attackers the world over, is not the only security threat you need to pay attention to. That should go without saying, but ignoring other attack methodologies is akin to burying your head in the sand while someone steals your bucket and spade. The Federal Bureau of Investigation has just published a new security advisory warning of one such non-phishing attack being exploited in an ongoing and particularly dangerous ransomware campaign known as Ghost. Here's what you need to know, and what the FBI warns you should do with the utmost urgency to stay protected.

FBI Issues Critical Ghost Ransomware Security Advisory

A joint security advisory published Feb. 19 by the FBI and the Cybersecurity and Infrastructure Security Agency, AA25-050A, warns organizations around the world of a dangerous ransomware group known as Ghost, which is carrying out ongoing attacks targeting multiple industry sectors across more than 70 countries.

The threat actors, working out of China according to the FBI, go by many different names, although Ghost appears to be the most common: Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada and Rapture, for example. What doesn't vary, however, is the attack methodology. Rather than using phishing, the chosen method for the vast majority of ransomware attacks these days, Ghost prefers to use publicly available exploit code against known security vulnerabilities in software and firmware that the owning organizations have not patched. They do this to gain access to internet-facing servers and ultimately strike with the ransomware payload.

"The FBI has observed Ghost actors obtaining initial access to networks by exploiting public-facing applications that are associated with multiple Common Vulnerabilities and Exposures," the advisory said. Their methodology includes leveraging vulnerabilities in Fortinet FortiOS appliances, servers running Adobe ColdFusion, Microsoft SharePoint and Microsoft Exchange (the Exchange vulnerabilities being commonly referred to as the ProxyShell attack chain).

Security Professionals Respond To The FBI Ghost Warning

"Ghost is a dangerous nation-state threat actor which organizations must make efforts to protect against," Juliette Hudson, chief technology officer at CybaVerse, said. "The group is actively exploiting known CVEs in ubiquitous tech, highlighting the need for organizations to prioritize patching and remediation efforts." And there lies the rub.

"The Ghost ransomware campaign highlights the persistent reality that adversaries exploit known vulnerabilities faster than many organizations can patch them," Darren Guccione, CEO of Keeper Security, warned. This can only reinforce a critical need for proactive risk management, with security leaders having to ensure that software, firmware and identity systems are continuously updated and hardened against exploitation. "Beyond patching, identity security is a persistent weak point in defending against ransomware attacks," Guccione said. "Enterprises should implement a privileged access management solution to enforce multi-factor authentication, a zero-trust framework and least-privilege access controls to prevent lateral movement."

Joe Silva, CEO at Spektion, agreed that the Ghost ransomware attacks would appear to highlight the fact that threat actors are capitalizing on what you might call patch fatigue by exploiting the gaps left by overwhelmed security teams. "This proves legacy vulnerability management practices can't keep up with the exploding number of vulnerabilities that attackers are taking advantage of," Silva warned. "Instead, organizations need real-time, contextual insights into how their software behaves within their specific environments by using tools that have a strong signal to noise ratio based on actual risks rather than potential risks that overwhelm security teams."

"Ghost's credential theft is a stark reminder that hackers are always a step ahead," says Rom Carmel, CEO at Apono. "By compromising legitimate accounts, they can infiltrate deeper into environments and target an organization's most sensitive resources," Carmel warned. "To reduce the blast radius of account compromises, organizations must not only authenticate access but also enforce precise, rightsized privileges and limit the availability of access to high-value resources."

Finally, Tim Mackey, head of software supply chain risk strategy at Black Duck, told me that such attacks on legacy cyber-physical and Internet of Things devices are to be expected and, as such, must be planned for as part of the operational requirements for the device. "Attackers know that best practices evolve," Mackey said, "and even the most secure device from a decade ago is likely quite vulnerable to a modern-day attack, let alone those that may be mounted in the future. Given that the usable life span of any cyber-physical device is measured in years, and potentially decades, organizations acquiring any such device should work closely with their suppliers to ensure a long-term operations and risk mitigation plan is created that covers not only availability of patches but active sharing of threat scenario data," Mackey concluded.

Four Steps To Take Today, According To The FBI

The FBI has advised that all organizations take the following actions, and take them today, to mitigate the risks attached to this most dangerous of ransomware attack campaigns.

1. Maintain regular system backups stored separately from the source systems, which cannot be altered or encrypted by potentially compromised network devices.
2. Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe.
3. Segment networks to restrict lateral movement from initially infected devices to other devices in the same organization.
4. Require phishing-resistant MFA for access to all privileged accounts and email services accounts.

"This advisory from the FBI and CISA highlights that the Ghost ransomware operation is utilising vulnerability exploits to gain access to organisations, which is a divergence from the typical ransomware attacks that are executed via social engineering," Simon Phillips, chief technology officer at SecureAck, said. "Given that the products Ghost targets are designed for businesses and the CVEs being exploited are so outdated, this highlights an urgent need to reinforce fundamental security practices."
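As an added example (not from the article or the FBI/CISA advisory), the following Python script ranks a constructed asset inventory against those four mitigations, treating internet-facing assets that run the product families the advisory names as the most urgent; the weights, the 30-day patch window, the field names and the sample inventory are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Product families the advisory names as Ghost's initial-access targets.
TARGETED_PRODUCTS = {"fortios", "coldfusion", "sharepoint", "exchange"}
# Assumed weight for each of the four FBI mitigations when it is missing.
GAP_WEIGHTS = {"patch": 4, "backup": 3, "segment": 2, "mfa": 2}

@dataclass
class Asset:
    name: str
    product: str                   # product family, matched case-insensitively
    internet_facing: bool
    last_patched: date
    offline_backup_verified: bool  # isolated backup copy, restore recently tested
    segmented: bool                # network segment that blocks lateral movement
    phishing_resistant_mfa: bool   # privileged access requires FIDO2/PIV-style MFA

def missing_mitigations(asset, today, max_patch_age_days):
    """Return which of the advisory's four mitigations this asset lacks."""
    gaps = []
    if (today - asset.last_patched).days > max_patch_age_days:
        gaps.append("patch")
    if not asset.offline_backup_verified:
        gaps.append("backup")
    if not asset.segmented:
        gaps.append("segment")
    if not asset.phishing_resistant_mfa:
        gaps.append("mfa")
    return gaps

def prioritize(assets, today, max_patch_age_days=30):
    """Rank assets by missing mitigations; internet-facing assets running a
    product family the advisory names count double (the FBI's initial-access pattern)."""
    ranked = []
    for asset in assets:
        gaps = missing_mitigations(asset, today, max_patch_age_days)
        score = sum(GAP_WEIGHTS[g] for g in gaps)
        if asset.internet_facing and asset.product.lower() in TARGETED_PRODUCTS:
            score *= 2
        ranked.append((score, asset.name, gaps))
    return sorted(ranked, key=lambda r: r[0], reverse=True)

# Constructed sample inventory and reference date, for demonstration only.
SAMPLE_TODAY = date(2025, 2, 21)
SAMPLE_INVENTORY = [
    Asset("fortigate-edge", "FortiOS", True, date(2024, 11, 1), True, False, False),
    Asset("mail-01", "Exchange", True, date(2025, 2, 10), True, True, True),
    Asset("hr-fileserver", "Windows Server", False, date(2024, 12, 15), False, True, True),
]
```

Running `prioritize(SAMPLE_INVENTORY, SAMPLE_TODAY)` puts the unpatched, unsegmented edge appliance without phishing-resistant MFA first, and the fully mitigated Exchange server last.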