Inside the Ghost ransomware gang – everything you need to know

US agencies have released an advisory outlining the tactics, techniques, and procedures of a highly active Chinese ransomware group.

David Hollingworth
Thu, 20 Feb 2025

The FBI, the Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center have released an advisory outlining the activity and tactics of the Ghost ransomware group.

The Chinese hacking group has targeted organisations within China itself and in more than 70 other countries. Its victims include critical infrastructure entities, educational institutions, healthcare providers, and government agencies.

Ghost has been active since early 2021 and was the subject of an FBI investigation as recently as January 2025.

Access, execution, and persistence

Ghost has been observed taking advantage of several known vulnerabilities in internet-facing applications and appliances, including Fortinet FortiOS appliances, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange.

The gang initially uploads a web shell to compromised devices via PowerShell or the Windows Command Prompt before downloading and executing the commercially available pen-testing tool Cobalt Strike.

Ghost is not known to put much effort into maintaining persistence on a network, as its ransomware operations usually take no more than a few days; in some instances, the gang has been observed moving from initial penetration to ransomware deployment within 24 hours.

Escalation, credential harvesting, and evasion

Ghost utilises several open-source tools to escalate privileges on a compromised network, including SharpZeroLogon, SharpGPPPass, and BadPotato, as well as functions built into Cobalt Strike.

Cobalt Strike is again used to harvest passwords, though the gang has also been observed using Mimikatz. These credentials are then used for further unauthorised logins and to move laterally to other devices on the network.

Cobalt Strike is also used to identify any processes that may be linked to antivirus software, such as Windows Defender, in order to shut it down.

Discovery, exfiltration, and encryption

Typically, Ghost will use several tools for domain discovery, including open-source tools SharpShares, Ladon 911, and SharpNBTScan, as well as commands built into Cobalt Strike. The FBI also notes that the gang will call off an attack if it is unable to move laterally within a network.

When it comes to data exfiltration, Ghost tends to take relatively little, often exfiltrating less than 100 gigabytes from victim networks. However, that data will be sold if no ransom payment is forthcoming. Exfiltration is via either Cobalt Strike servers or the file-hosting site Mega.nz. The group is heavily reliant on Cobalt Strike for most of its command and control infrastructure.

Ghost uses several ransomware executables, including Ghost.exe, ElysiumO.exe, and Locker.exe. The gang’s variants can encrypt entire devices or specific directories and can exclude various system files to make sure a device can still be accessed. Windows Event Logs and shadow copies are deleted to make system recovery difficult.
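The behaviours described in the last two sections (shutting down antivirus software, clearing Windows Event Logs and deleting shadow copies ahead of encryption) are the noisiest part of this kind of intrusion and the point where a defender still has time to act. The following Python sketch, added here as an illustration and not taken from the advisory or the article, shows how a detection rule set over process-creation telemetry can flag those three behaviours and escalate a host where more than one is seen. The field layout (roughly the fields of a Sysmon process-creation event), the sample log records and the list of web-server parent processes are all constructed assumptions.

```python
"""Detection sketch for pre-encryption tampering behaviours (AV shutdown,
event-log clearing, shadow-copy deletion). Added example; the log records
and field names are constructed assumptions, not data from the advisory."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (assumed Sysmon-like field names)."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# (rule name, MITRE ATT&CK technique, pattern over the full command line).
# These cover the built-in Windows utilities most commonly abused for each
# behaviour; a production rule set would be broader and tuned to the baseline.
RULES = (
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|"
                r"wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy)", re.I)),
    ("event_log_clearing", "T1070.001",
     re.compile(r"\b(wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog)", re.I)),
    ("av_tampering", "T1562.001",
     re.compile(r"\b(set-mppreference\s+-disable|"
                r"sc(\.exe)?\s+(stop|config)\s+windefend|taskkill\b.*\bmsmpeng)", re.I)),
)

# Parent processes that should never be launching these utilities: a web shell
# running under the web server worker (the initial access path described in the
# article) shows up as one of these parents. Assumed list, extend per environment.
WEB_SERVER_PARENTS = ("w3wp.exe", "coldfusion.exe")


def match_rules(event):
    """Return the (rule, technique) pairs that fire on a single event."""
    return [(name, tech) for name, tech, pat in RULES if pat.search(event.command_line)]


def scan(events):
    """Return per-event findings plus the hosts where two or more distinct
    behaviours were seen. A single hit is often admin noise; two different
    recovery-inhibition behaviours on one host is the pattern worth paging on."""
    findings = []
    per_host = defaultdict(set)
    for ev in events:
        for name, tech in match_rules(ev):
            parent = ev.parent_image.lower()
            severity = "high" if parent.endswith(WEB_SERVER_PARENTS) else "medium"
            findings.append({"host": ev.host, "user": ev.user, "rule": name,
                             "technique": tech, "severity": severity,
                             "command_line": ev.command_line})
            per_host[ev.host].add(name)
    staging_hosts = sorted(h for h, names in per_host.items() if len(names) >= 2)
    return findings, staging_hosts


# Constructed sample: three tampering events on one host, one benign lookalike
# on another (listing shadow copies is routine and must not fire).
SAMPLE_EVENTS = [
    ProcessEvent("srv-web01", r"IIS APPPOOL\DefaultAppPool",
                 r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ProcessEvent("srv-web01", r"IIS APPPOOL\DefaultAppPool",
                 r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wevtutil.exe",
                 "wevtutil.exe cl Security"),
    ProcessEvent("srv-web01", r"IIS APPPOOL\DefaultAppPool",
                 r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcessEvent("ws-finance07", r"CORP\backup-svc",
                 r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin list shadows"),
]


if __name__ == "__main__":
    found, hosts = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['severity']}] {f['host']} {f['rule']} ({f['technique']}): {f['command_line']}")
    print("hosts showing pre-encryption staging:", hosts)
```

The severity bump for a web-server parent is the part worth keeping even if the regexes are replaced with a proper rule engine: `vssadmin delete shadows` under a backup service account is a ticket, the same command spawned from an IIS worker process is an incident.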

“The impact of Ghost ransomware activity varies widely on a victim-to-victim basis,” the advisory said.

“Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral movement to other devices.”

You can read the full advisory here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
