The FBI has recently released a joint advisory (in conjunction with the
Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing
and Analysis Center) on Ghost ransomware.[1] The advisory explains:
Ghost actors use publicly available code to exploit Common Vulnerabilities
and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit
well known vulnerabilities and target networks where available patches have not been
applied.
The advisory notes that actors target indiscriminately based on known
vulnerable networks and that this has led to organizations across more than 70 countries
being impacted.
Unlike other cyber attacks that may target a specific entity, these
attacks depend only on whether an organization has a vulnerable network. Once the
threat actor has gained access, ransomware is then deployed. Notably, the advisory
states that "Ghost actors tend to move to other targets when confronted with hardened
systems, such as those where proper network segmentation prevents lateral movement to
other devices."[2]
In this sense, Ghost ransomware attacks seem very impersonal and are all about
prioritizing convenience and financial gain for the perpetrator.
The Role of Patch Management
This type of attack underscores the importance of patch management,
that is, ensuring that updates are routinely applied to correct vulnerabilities in
software and firmware. According to the National Institute of Standards and
Technology (NIST), enterprise patch management is defined as:[3]
The process of identifying, prioritizing, acquiring, installing,
and verifying the installation of patches, updates, and upgrades throughout an
organization.
Effective patch management requires a number of steps, the first
being the creation of a comprehensive asset inventory. Then, vulnerabilities must be
assessed and patches applied once they have been tested. Importantly, patches should
be vetted and approved prior to being applied, as unexpected problems can sometimes
accompany them (think of the faulty CrowdStrike update that left many organizations
temporarily unable to perform critical business functions).[4] Once
deployed, ongoing monitoring is essential to identify new vulnerabilities.
Unfortunately, many organizations have gaps within these processes or apply them
irregularly.
Legacy Technology
Another complicating element to patch management is that
organizations often rely on legacy technology. Many organizations employ a complex
web of interconnected devices, varying in age and use. In my last article, I wrote
about third-party vendors and the need for continuous management and oversight. (See
Mark Lanterman, "Avoiding the 'Set-It-and-Forget-It' Mindset: Third-Party Vendors and Cyber Security,"
January 17, 2025.)
Just as existing third-party relationships can evade updated cyber
practices, so too can built-in legacy technology. Managing legacy systems is an
essential aspect of maintaining a strong security posture, as outdated or
unsupported technology can serve as the perfect entry point for cyber criminals.
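The patch-management steps above (inventory, assess, test and approve, deploy, monitor) and the legacy-system problem can be modelled in a few lines. The following is an added example, not code from the article or from NIST: it correlates a constructed asset inventory with a constructed patch list, ranks exposures so that known-exploited bugs on internet-facing hosts come first, and gates deployment on the tested/approved state, routing unsupported legacy hosts to isolation instead. Product names, versions and the CVE-XXXX ids are placeholders.

```python
from dataclasses import dataclass

@dataclass
class Asset:                      # one row of the asset inventory (constructed sample)
    name: str
    internet_facing: bool
    software: dict                # product -> installed version string
    unsupported: bool = False     # legacy / end-of-life: vendor ships no more patches
@dataclass
class Patch:                      # one vendor fix, with its vetting state
    product: str
    fixed_version: str
    cve: str                      # placeholder id, not a real CVE
    known_exploited: bool         # public exploit code exists for this bug
    tested: bool = False
    approved: bool = False
def _ver(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))

def prioritize(assets, patches):
    """Correlate inventory with known bugs; exploited bugs on internet-facing hosts first."""
    exposures = []
    for a in assets:
        for p in patches:
            installed = a.software.get(p.product)
            if installed is None or _ver(installed) >= _ver(p.fixed_version):
                continue                      # product absent or already fixed
            rank = (not p.known_exploited, not a.internet_facing)
            exposures.append((rank, a.name, p.cve))
    exposures.sort()                          # lowest rank tuple = most urgent
    return [(name, cve) for _, name, cve in exposures]

def decide(asset: Asset, patch: Patch) -> str:
    """Deployment gate: hold unvetted patches; isolate legacy hosts that cannot be patched."""
    if asset.unsupported:
        return "ISOLATE"
    if not (patch.tested and patch.approved):
        return "HOLD"
    return "DEPLOY"

ASSETS = [  # constructed sample inventory
    Asset("web-01", True, {"webapp": "1.2.0"}),
    Asset("db-01", False, {"webapp": "1.2.0", "dbms": "9.0"}),
    Asset("hmi-legacy", False, {"webapp": "1.0.0"}, unsupported=True),
]
PATCHES = [  # constructed sample patches
    Patch("webapp", "1.2.5", "CVE-XXXX-0001", True, tested=True, approved=True),
    Patch("dbms", "9.1", "CVE-XXXX-0002", False, tested=True),
]
```

Running `prioritize(ASSETS, PATCHES)` puts the internet-facing web server with the known-exploited bug at the top; `decide` returns HOLD for the untested-but-unapproved database patch and ISOLATE for the unsupported legacy host, which is the segmentation fallback the advisory describes.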
The advisory urges organizations to immediately implement
mitigation measures to counter Ghost actor attacks. Top of the list is an important
step in preparing for any type of ransomware attack: Keep backups and store them
elsewhere. This is a critical precaution in the event that access to data is
restricted following a successful attack. Applying security updates, network
segmentation, and multifactor authentication—among other practices—are also
recommended.
Conclusion
Unlike spear phishing campaigns that target specific groups, Ghost
ransomware highlights the fact that cyber criminals also prefer convenience. It
would seem that well-protected organizations with segmented networks are often "not
worth the trouble." Taking the extra steps to establish a reliable patch management
system and preparing for an attack by having regular backups can mitigate the
risk.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
Footnotes
[1] "#StopRansomware: Ghost (Cring)
Ransomware," Department of Justice, Federal Bureau of Investigation,
Cybersecurity & Infrastructure Security Agency, Multi-State Information Sharing
and Analysis Center, February 19, 2025.
[3] "Enterprise Patch Management,"
National Institute of Standards and Technology, US Department of Commerce,
Information Technology Laboratory, Computer Security Resource Center, accessed
on March 21, 2025.