FBI Says Backup Now: Advisory Warns Of Dangerous Ransomware Attacks
www.forbes.com
Update, Feb. 22, 2025: This story, originally published Feb. 20, now includes further technical details of the Ghost ransomware operation along with expert commentary from a number of security professionals regarding the FBI security advisory.

Phishing, social engineering, scams, or whatever label you like to attach to the "click here" campaigns so beloved of attackers the world over, is not the only security threat you need to pay attention to. I mean, that should go without saying, but ignoring other attack methodologies is akin to burying your head in the sand while someone steals your bucket and spade afterward.

The Federal Bureau of Investigation has just published a new security advisory warning of one such non-phishing attack being exploited in an ongoing and particularly dangerous ransomware campaign known as Ghost. Here's what you need to know and what the FBI warns you should do, with the utmost urgency, to stay protected.

FBI Issues Critical Ghost Ransomware Security Advisory

A joint security advisory published Feb. 19 by the FBI and the Cybersecurity and Infrastructure Security Agency, AA25-050A, has warned organizations around the world of a dangerous ransomware group known as Ghost, which is carrying out ongoing attacks targeting multiple industry sectors across more than 70 countries.

The threat actors, working out of China according to the FBI, go by many different names, although Ghost appears to be the most common: Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada and Rapture, for example. What doesn't vary, however, is the attack methodology. Rather than using phishing techniques, the chosen method for the vast majority of ransomware attacks these days, Ghost prefers to use publicly available code to exploit known security vulnerabilities in software and firmware that their operators have not patched. They do this to gain access to internet-facing servers and ultimately strike with the ransomware payload.

"The FBI has observed Ghost actors obtaining initial access to networks by exploiting public facing applications that are associated with multiple Common Vulnerabilities and Exposures," the advisory said. Their methodology includes leveraging vulnerabilities in Fortinet FortiOS appliances, servers running Adobe ColdFusion, Microsoft SharePoint and Microsoft Exchange, the Exchange vulnerabilities being the set commonly referred to as the ProxyShell attack chain.

The FBI made particular note of a number of CVEs that are known to have been exploited by the Ghost ransomware campaigns, including:

CVE-2009-3960
CVE-2010-2861
CVE-2018-13379
CVE-2019-0604
CVE-2021-31207
CVE-2021-34473
CVE-2021-34523

The first set of digits in those CVE numbers is the year that the vulnerability was reported, and in most cases this is also the year that it would have been patched by the vendor concerned. These stretch back as far as 2009, which is truly shocking when you consider that some systems have, therefore, apparently remained unpatched for at least 15 years.

The FBI advisory also explained how the threat actors behind Ghost have been seen to upload a web shell to compromised servers in order to leverage a combination of Windows command prompts and PowerShell to download and execute a Cobalt Strike Beacon on target systems. This in itself is not unusual, although the irony in cybercriminals using a commercially available and well-regarded penetration testing tool, used as part of adversary simulations to audit the veracity of an organization's security controls, cannot be ignored.

"Ghost actors often rely on built-in Cobalt Strike functions to steal process tokens running under the SYSTEM user context to impersonate the SYSTEM user," the FBI said, often for the purpose of running Beacon a second time with elevated privileges. The hashdump Cobalt Strike function is then used to collect credentials, including passwords and password hashes, while yet another is employed to display a list of running processes, to determine which antivirus software is running so that it can be disabled. Windows Defender, for example, is frequently disabled on network-connected devices, according to the FBI.

Rather interestingly, given that double-extortion ransomware is the order of the day, the FBI noted that while Ghost claims exfiltrated data will be sold unless the ransom is paid, there is little evidence to suggest that a significant amount of such data is stolen from compromised organizations. This is particularly true when it comes to intellectual property or personally identifiable information that would cause significant harm to victims if leaked, the FBI said.

Security Professionals Respond To The FBI Ghost Warning

"Ghost is a dangerous nation-state threat actor which organizations must make efforts to protect against," Juliette Hudson, chief technology officer at CybaVerse, said. "The group is actively exploiting known CVEs in ubiquitous tech, highlighting the need for organizations to prioritize patching and remediation efforts." And there lies the rub.

"The Ghost ransomware campaign highlights the persistent reality that adversaries exploit known vulnerabilities faster than many organizations can patch them," Darren Guccione, CEO of Keeper Security, warned. Which can only reinforce a critical need for proactive risk management, with security leaders having to ensure that software, firmware and identity systems are continuously updated and hardened against exploitation. "Beyond patching, identity security is a persistent weak point in defending against ransomware attacks," Guccione said. "Enterprises should implement a privileged access management solution to enforce multi-factor authentication, a zero-trust framework and least-privilege access controls to prevent lateral movement."

Joe Silva, CEO at Spektion, agreed that the Ghost ransomware attacks would appear to highlight the fact that threat actors are capitalizing on what you might call patch fatigue by exploiting the gaps left by overwhelmed security teams. "This proves legacy vulnerability management practices can't keep up with the exploding number of vulnerabilities that attackers are taking advantage of," Silva warned. "Instead, organizations need real-time, contextual insights into how their software behaves within their specific environments by using tools that have a strong signal to noise ratio based on actual risks rather than potential risks that overwhelm security teams."

"Ghost's credential theft is a stark reminder that hackers are always a step ahead," says Rom Carmel, CEO at Apono. "By compromising legitimate accounts, they can infiltrate deeper into environments and target an organization's most sensitive resources," Carmel warned. "To reduce the blast radius of account compromises, organizations must not only authenticate access but also enforce precise, rightsized privileges and limit the availability of access to high-value resources."

Describing the attacks by the Ghost ransomware group as a "commercial global onslaught," Agnidipta Sarkar, vice president CISO advisory at ColorTokens, said that, "as a cyber-defense specialist, my first point is to understand how they find their victims." "Given that we know that Ghost is looking for unpatched vulnerabilities in the likes of VPNs, firewalls, and other network appliances, all they need is one successful attempt to gain initial access to victim networks," Sarkar said. The key to the success of these campaigns, according to Sarkar, lies in the fact that most critical infrastructure cyber security leadership, especially in operational technology (the hardware and software systems that monitor and control physical processes), does not bother much about lateral movement.

Finally, Tim Mackey, head of software supply chain risk strategy at Black Duck, told me that such attacks on legacy cyber-physical and Internet of Things devices are to be expected and, as such, must be planned for as part of the operational requirements for the device. "Attackers know that best practices evolve," Mackey said, "and even the most secure device from a decade ago is likely quite vulnerable to a modern-day attack, let alone those that may be mounted in the future. Given that the usable life span of any cyber-physical device is measured in years, and potentially decades, organizations acquiring any such device should work closely with their suppliers to ensure a long-term operations and risk mitigation plan is created that covers not only availability of patches but active sharing of threat scenario data," Mackey concluded.

Four Steps To Take Today, According To The FBI

The FBI has advised that all organizations take the following actions, and take them today, to mitigate the risks attached to this most dangerous of ransomware attack campaigns.

1. Maintain regular system backups stored separately from the source systems, which cannot be altered or encrypted by potentially compromised network devices.
2. Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe.
3. Segment networks to restrict lateral movement between initially infected devices and other devices in the same organization.
4. Require phishing-resistant MFA for access to all privileged accounts and email services accounts.

It goes without saying that phishing awareness training for users, applying the principle of least privilege when granting permissions and the disabling of unused ports are all also highly recommended. And finally, the FBI said that organizations should implement allowlisting for applications, scripts, and network traffic to prevent unauthorized execution and access.

"This advisory from the FBI and CISA highlights that the Ghost ransomware operation is utilising vulnerability exploits to gain access to organisations, which is a divergence from the typical ransomware attacks that are executed via social engineering," Simon Phillips, chief technology officer at SecureAck, said. "Given that the products Ghost targets are designed for businesses and the CVEs being exploited are so outdated, this highlights an urgent need to reinforce fundamental security practices."

The FBI does not encourage paying a ransom, the security advisory said, arguing that such a payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, the FBI concluded, and encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.
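As an added example (not the FBI's, CISA's or this article's own code), the script below does the kind of check the advisory's "patch within a risk-informed timeframe" step calls for: it cross-references a vulnerability-scan export against the seven CVEs the advisory names, ranks the matches by the age implied by the year in each CVE identifier, and flags any host on which all three Exchange CVEs of the ProxyShell chain are open at once. The scan format, host names and product names are constructed for the example, and CVE-2024-00000 is a placeholder standing in for a finding that is not on the advisory list.

```python
"""Triage a vulnerability-scan export against the CVE list from AA25-050A.

Added example for this article; not the FBI's, CISA's or Forbes's code.
The scan format, host names and product names below are constructed.
"""
import re
from datetime import date

# The seven CVE identifiers the advisory names (copied from the article).
ADVISORY_CVES = frozenset({
    "CVE-2009-3960", "CVE-2010-2861", "CVE-2018-13379", "CVE-2019-0604",
    "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523",
})

# The three Exchange CVEs that together are referred to as the ProxyShell chain.
PROXYSHELL_CHAIN = frozenset({"CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"})

# CVE IDs are CVE-<year>-<sequence>; the sequence is four or more digits.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def cve_year(cve_id: str) -> int:
    """Return the year embedded in a CVE identifier (its first digit group)."""
    match = CVE_RE.match(cve_id.strip().upper())
    if not match:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(match.group(1))


# Constructed sample export: one finding per line as host,product,cve.
# Host names are invented; CVE-2024-00000 is a placeholder (not a real CVE)
# for a finding that is NOT on the advisory list and must not be flagged.
SAMPLE_SCAN = """\
vpn-edge-01,Fortinet FortiOS,CVE-2018-13379
mail-01,Microsoft Exchange,CVE-2021-34473
mail-01,Microsoft Exchange,CVE-2021-34523
mail-01,Microsoft Exchange,CVE-2021-31207
web-legacy-02,Adobe ColdFusion,CVE-2010-2861
intranet-01,Microsoft SharePoint,CVE-2019-0604
build-03,Internal build service,CVE-2024-00000
"""


def parse_scan(text: str) -> list:
    """Parse the constructed CSV-like export into (host, product, cve) tuples."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, product, cve = (field.strip() for field in line.split(","))
        cve_year(cve)  # validate the identifier early; raises on garbage
        findings.append((host, product, cve.upper()))
    return findings


def triage(findings, advisory_cves=ADVISORY_CVES, as_of_year=None) -> list:
    """Keep only findings on the advisory list, oldest CVE first.

    Age is counted from the year in the CVE ID, which, as the article notes,
    is usually also the year a vendor fix became available.
    """
    as_of_year = as_of_year or date.today().year
    report = []
    for host, product, cve in findings:
        if cve not in advisory_cves:
            continue
        report.append({
            "host": host,
            "product": product,
            "cve": cve,
            "age_years": as_of_year - cve_year(cve),
        })
    report.sort(key=lambda r: (-r["age_years"], r["host"], r["cve"]))
    return report


def proxyshell_hosts(findings) -> list:
    """Hosts on which all three ProxyShell CVEs are open at the same time."""
    open_by_host = {}
    for host, _product, cve in findings:
        open_by_host.setdefault(host, set()).add(cve)
    return sorted(h for h, cves in open_by_host.items() if PROXYSHELL_CHAIN <= cves)


if __name__ == "__main__":
    found = parse_scan(SAMPLE_SCAN)
    # Evaluate as of 2025, the year the advisory was published.
    for row in triage(found, as_of_year=2025):
        print(f"{row['age_years']:>2}y  {row['cve']}  {row['host']}  ({row['product']})")
    print("full ProxyShell chain open on:", ", ".join(proxyshell_hosts(found)))
```

Run on the constructed export, the oldest match (the 2010 ColdFusion CVE, 15 years old as of 2025) sorts to the top, the placeholder finding on build-03 is ignored because it is not on the advisory list, and mail-01 is reported as having the full ProxyShell chain open. Swapping SAMPLE_SCAN for a real scanner export and ADVISORY_CVES for a current known-exploited list is the intended use.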