The Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigation, and the Multi-State Information Sharing and Analysis Center released an advisory on February 19, 2025, providing information on Ghost ransomware activity.

According to the advisory, “Ghost actors conduct these widespread attacks targeting and compromising organizations with outdated versions of software and firmware on their internet facing services.” They use publicly available code to exploit Common Vulnerability Exposures (CVE) that have not been patched. The CVEs used by Ghost include CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207.

The advisory urges organizations to:

1. Maintain regular system backups stored separately from the source systems, which cannot be altered or encrypted by potentially compromised network devices [CPG 2.R].
2. Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 2.F].
3. Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization [CPG 2.F].
4. Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.

The advisory details how Ghost (Cring) is gaining initial access, executing applications, escalating privileges, obtaining credentials, evading defenses, moving laterally, and exfiltrating data. It also provides indicators of compromise and email addresses used by the threat actors.

Patching continues to be a crucial block-and-tackle technique, and timely patching is critical for mitigating exploitation. Blocking known malicious emails is a proven tactic to mitigate access. Review the advisory to ensure the applicable patches have been applied and the malicious emails associated with Ghost have been blocked.