By Ashwani Mishra, Editor-Technology, 63SATS
In a fresh warning that underscores the persistent threat of cybercrime, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have raised an alarm about a ransomware group known as Ghost—also referred to as Cring.
The advisory, issued in January 2025, warns that the group continues to actively exploit vulnerabilities in software and firmware, preying on outdated security systems.
Ghost in the Machine
Ghost, operating primarily from China, has been targeting internet-facing services riddled with unpatched security flaws—some of which date back several years.
The group’s activity first caught the attention of cybersecurity researchers in 2021, and its impact has since spread across more than 70 countries, including attacks within China itself.
This widespread assault highlights the ongoing risks posed by organizations failing to update and secure their digital infrastructure. Despite repeated warnings, many entities continue to leave exploitable gaps in their security, offering Ghost an open invitation to infiltrate their networks.
A Trail of Digital Devastation
According to the FBI and CISA, the ransomware gang focuses on vulnerabilities in:
- Fortinet Security Appliances – Older, unpatched Fortinet devices remain a common entry point.
- Adobe ColdFusion – Web application servers running outdated versions of ColdFusion have been a key target.
- Microsoft Exchange Servers – Systems still exposed to the ProxyShell attack chain remain highly vulnerable.
Ghost’s victims span a wide range of industries, including critical infrastructure, educational institutions, healthcare facilities, government networks, religious organizations, and technology and manufacturing companies.
Small- and medium-sized businesses (SMBs) have also suffered significant losses, with ransom demands reaching hundreds of thousands of dollars in some cases.
Fast and Ruthless: How Ghost Operates
Unlike more patient cybercriminal groups that spend weeks or months inside a compromised network, Ghost works at lightning speed. “Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks,” warns the FBI and CISA advisory.
In some cases, attackers have been observed moving from initial breach to full ransomware deployment within a single day. Once inside, they waste no time in locking down critical files and demanding hefty ransoms. Victims who fail to meet their demands often face data leaks or prolonged system outages.
The Tools of the Trade
Ghost relies on a well-established arsenal of hacking tools, including Cobalt Strike and Mimikatz, to escalate privileges and move laterally within a network. The ransomware itself appears under various names such as Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, disguising itself to evade detection.
However, their attack pattern has a notable weakness: they tend to move on when faced with robust defenses. Organizations that have implemented strong network segmentation and access controls significantly reduce their risk of being compromised.
Despite repeated cybersecurity warnings, many organizations continue to overlook fundamental security practices, leaving themselves vulnerable to avoidable attacks.
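A defender's check built on the payload file names listed under "The Tools of the Trade", added here as an example and not taken from the FBI/CISA advisory: it scans process-creation events for those names in either the image path or the command line. The JSON field names (UtcTime, Computer, Image, CommandLine) and the sample events are constructed assumptions.

```python
import json
import ntpath

# Payload file names reported in the article (compared case-insensitively).
PAYLOAD_NAMES = {"cring.exe", "ghost.exe", "elysiumo.exe", "locker.exe"}

# Constructed sample events, one JSON object per line (not real telemetry).
# The field names are an assumed export format for process-creation logs.
SAMPLE_LOG = r"""
{"UtcTime":"2025-02-01 10:02:11","Computer":"WEB01","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami"}
{"UtcTime":"2025-02-01 10:05:40","Computer":"WEB01","Image":"C:\\Users\\Public\\GHOST.EXE","CommandLine":"C:\\Users\\Public\\GHOST.EXE"}
{"UtcTime":"2025-02-01 10:06:02","Computer":"FS02","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd /c \"C:\\ProgramData\\ElysiumO.exe\""}
{"UtcTime":"2025-02-01 10:07:15","Computer":"FS02","Image":"C:\\Tools\\ghostscript.exe","CommandLine":"ghostscript.exe in.ps"}
not-json-garbage
"""

def _basenames(command_line):
    """Yield the lower-cased Windows basename of each command-line token."""
    for token in command_line.replace('"', " ").split():
        yield ntpath.basename(token).lower()

def find_payload_launches(log_text):
    """Return (time, host, matched_name, field) for events naming a payload."""
    hits = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting
        if not isinstance(event, dict):
            continue
        image = ntpath.basename(event.get("Image") or "").lower()
        if image in PAYLOAD_NAMES:
            matched, field = image, "Image"
        else:
            # The payload may be started by a shell, so check arguments too.
            names = _basenames(event.get("CommandLine") or "")
            matched = next((n for n in names if n in PAYLOAD_NAMES), None)
            field = "CommandLine"
        if matched:
            hits.append((event.get("UtcTime"), event.get("Computer"), matched, field))
    return hits

if __name__ == "__main__":
    for hit in find_payload_launches(SAMPLE_LOG):
        print(hit)
```

A file name is a weak indicator because renaming the binary defeats the match, so hits are triage leads to correlate with other telemetry rather than a verdict.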