The current wave of ransomware attacks from the Chinese hacking operation known as Ghost infiltrates systems by exploiting vulnerabilities in organizational software. The Federal Bureau of Investigation warns that the hackers are primarily targeting outdated versions of software and firmware.
Ghost uses publicly available exploit code to take advantage of security weaknesses in systems that have not been updated or patched, particularly VPN appliances and firewalls. Unlike many other cybercriminal groups, Ghost typically does not rely on phishing, which has been the most notorious method of data compromise in recent years.
According to data from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), everything from healthcare networks to religious institutions in more than 70 countries has been compromised by these attacks. Despite their widespread nature, the overall damage has been fairly limited thus far.
The group’s ransom notes threaten to sell stolen data if the ransom is not paid. However, the intrusions have not resulted in the exfiltration of significant amounts of information, such as intellectual property or personally identifiable information (PII). The FBI reported that the typical data exfiltration is less than hundreds of gigabytes.
In addition, Ghost hackers usually spend only a few days attacking each victim network. If an attack is not immediately successful, they tend to move on to another target.
Protecting Organizations
To protect an organization’s data, the FBI recommends patching any known vulnerabilities, including applying all available security updates to operating systems, software, and firmware. The agency also emphasizes the importance of network segmentation to restrict lateral movement from initially infected devices to other systems within the organization.
Maintaining regular system backups can also limit the impact of an attack. Ghost ransomware victims with robust backup systems have generally been able to restore operations without paying a ransom.
The FBI and CISA also discourage victims from paying the ransom, noting that it only emboldens attackers while providing no guarantee that the data will be returned.
Research from Trend Micro and Waratah Analytics found that less than 10% of surveyed ransomware victims refuse to pay the ransom. But those who do pay often end up paying more than was initially demanded.