Cyber and Privacy Risk and Insurance

A Scary Ghost: FBI Warning Highlights Need for Patch Management

Mark Lanterman | March 28, 2025


The FBI has recently released a joint advisory (in conjunction with the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center) on Ghost ransomware. 1 The advisory explains:

Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not been applied.

The advisory notes that actors target indiscriminately based on known vulnerable networks and that this has led to organizations across more than 70 countries being impacted.

Unlike other cyber attacks that may target a specific entity, these attacks depend on whether or not an organization has a vulnerable network. Once the threat actor has gained access, ransomware is then deployed. Notably, the advisory states that "Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral movement to other devices." 2

In this sense, Ghost ransomware attacks seem very impersonal and are all about prioritizing convenience and financial gain for the perpetrator.

The Role of Patch Management

This type of attack underscores the importance of patch management, or ensuring that updates are routinely applied to correct vulnerabilities in software and firmware. According to the National Institute of Standards and Technology (NIST), enterprise patch management is defined as: 3

The process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization.

Effective patch management requires a number of steps, the first being the creation of a comprehensive asset inventory. Then, vulnerabilities must be assessed and patches applied once they have been tested. Importantly, patches should be vetted and approved prior to being applied, as unexpected problems can sometimes accompany them (think of the faulty CrowdStrike update that left many organizations temporarily unable to perform critical business functions). 4 Once deployed, ongoing monitoring is essential to identify new vulnerabilities. Unfortunately, many organizations have gaps within these processes or apply them irregularly.
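
As an added illustration (not part of the original article or the advisory), the inventory, assessment, and verification steps above can be sketched in Python. It ranks internet-facing assets with publicly exploited flaws first and treats an asset with no recorded version as an inventory gap rather than as patched; every hostname, product name, version, and CVE label is a constructed placeholder.

```python
# Constructed sample data: hosts, products, versions and CVE labels are placeholders.
INVENTORY = [
    {"host": "vpn-gw-01", "product": "examplevpn", "version": "7.0.2", "internet_facing": True},
    {"host": "mail-01", "product": "examplemail", "version": "15.2.10", "internet_facing": True},
    {"host": "hr-db-01", "product": "exampledb", "version": "12.1", "internet_facing": False},
    {"host": "web-02", "product": "exampleweb", "version": None, "internet_facing": True},
]
ADVISORIES = [
    {"cve": "CVE-PLACEHOLDER-1", "product": "examplevpn", "fixed_in": "7.0.10", "public_exploit": True},
    {"cve": "CVE-PLACEHOLDER-2", "product": "examplemail", "fixed_in": "15.2.4", "public_exploit": True},
    {"cve": "CVE-PLACEHOLDER-3", "product": "exampledb", "fixed_in": "12.3", "public_exploit": False},
    {"cve": "CVE-PLACEHOLDER-4", "product": "exampleweb", "fixed_in": "2.4.1", "public_exploit": True},
]


def parse_version(text):
    """Compare versions numerically; as strings, "7.0.2" would sort after "7.0.10"."""
    return tuple(int(part) for part in text.split("."))


def triage(inventory, advisories):
    """Return unpatched or unverifiable (asset, advisory) pairs, most urgent first."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv["product"] != asset["product"]:
                continue
            if asset["version"] is None:
                status = "unknown"   # inventory gap: cannot verify, so assume exposed
            elif parse_version(asset["version"]) < parse_version(adv["fixed_in"]):
                status = "missing"   # patch is available but not installed
            else:
                continue             # installation verified, nothing to do
            exposed, exploited = asset["internet_facing"], adv["public_exploit"]
            # 0 = reachable from the internet AND exploit code is public
            priority = 0 if exposed and exploited else 1 if exposed or exploited else 2
            findings.append({"host": asset["host"], "cve": adv["cve"],
                             "status": status, "priority": priority})
    return sorted(findings, key=lambda f: (f["priority"], f["host"]))


if __name__ == "__main__":
    for finding in triage(INVENTORY, ADVISORIES):
        print(finding)
```

Rerunning the same check after a patch window serves as the verification step: a host drops off the list only once its recorded version reaches the fixed release.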

Legacy Technology

Another complicating element of patch management is that organizations often rely on legacy technology. Many organizations employ a complex web of interconnected devices, varying in age and use. In my last article, I wrote about third-party vendors and the need for continuous management and oversight. (See Mark Lanterman, "Avoiding the 'Set-It-and-Forget-It' Mindset: Third-Party Vendors and Cyber Security," January 17, 2025.)

Just as existing third-party relationships can evade updated cyber practices, so too can built-in legacy technology. Managing legacy systems is an essential aspect of maintaining a strong security posture, as outdated or unsupported technology can serve as the perfect entry point for cyber criminals.

The advisory urges organizations to immediately implement mitigatory measures to counter Ghost actor attacks. Top of the list is an important step in preparing for any type of ransomware attack: Keep backups and store them elsewhere. This is a critical precaution in the event that access to data is restricted following a successful attack. Applying security updates, network segmentation, and multifactor authentication—among other practices—are also recommended.

Conclusion

Unlike spear phishing campaigns that target specific groups, Ghost ransomware highlights the fact that cyber criminals also prefer convenience. It would seem that well-protected organizations with segmented networks are often "not worth the trouble." Taking the extra steps to establish a reliable patch management system and preparing for an attack by having regular backups can mitigate the risk.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.


Footnotes

1 "#StopRansomware: Ghost (Cring) Ransomware," Department of Justice, Federal Bureau of Investigation, Cybersecurity & Infrastructure Security Agency, Multi-State Information Sharing and Analysis Center, February 19, 2025.
2 "#StopRansomware: Ghost (Cring) Ransomware."
3 "Enterprise Patch Management," National Institute of Standards and Technology, US Department of Commerce, Information Technology Laboratory, Computer Security Resource Center, accessed on March 21, 2025.