Ghost (Cring) Ransomware Detection: The FBI, CISA, and Partners Warn of Increasing China-Backed Group’s Attacks for Financial Gain – Source: socprime.com

Increasing ransomware volumes, expanding hacker collectives, and record-breaking damage costs are redefining the cyber risk arena. The FBI, CISA, and partners have recently issued a joint cybersecurity alert warning the global cyber defender community of increasing Ghost (Cring) ransomware attacks aimed at financial gain. China-affiliated hackers have compromised organizations from multiple industries, including the critical infrastructure sector, across 70+ countries worldwide.

Detect Ghost (Cring) Ransomware Attacks

According to Sophos, ransomware recovery costs surged to $2.73M in 2024—nearly $1M more than in 2023. Given that ransomware attacks are expected to strike every 2 seconds by 2031, security professionals require a reliable source of detection content accompanied by advanced cyber defense technology to spot potential intrusions on time. 

SOC Prime Platform for collective cyber defense offers a broad set of detection rules addressing the ransomware threat, including the latest surge in Ghost (Cring) ransomware activity. Just press the Explore Detections button below and immediately drill down to Sigma rules collection to detect attacks described in the AA25-050A alert by CISA and partners. 

Explore Detections

All the rules are compatible with multiple SIEM, EDR, and Data Lake solutions and are mapped to the MITRE ATT&CK framework to streamline threat investigation. Additionally, the rules are enriched with extensive metadata, including CTI links, attack timelines, triage recommendations, and more. 

Finally, security experts might use Uncoder AI, the industry-first AI co-pilot for Detection Engineering, to instantly hunt for indicators of compromise provided in the AA25-050A alert by CISA and partners. Uncoder AI acts as an IOC packager, enabling cyber defenders to interpret IOCs and generate tailored hunting queries effortlessly. These queries can then be seamlessly integrated into their preferred SIEM or EDR systems for immediate execution. Previously exclusive to corporate clients, Uncoder AI is now available to individual researchers, providing full access to its powerful capabilities. Learn more.

Ghost (Cring) Ransomware Analysis

Defenders report a surge in attacks from China-backed APT groups, striving to increase cybersecurity awareness as global organizations brace for persistent cyber espionage and financially motivated threats. On February 19, 2025, the FBI, CISA, and MS-ISAC released a novel alert AA25-050A focused on the widespread Ghost (Cring) ransomware activity targeting organizations across 70+ countries, including China. 

Since early 2021, Ghost actors have been exploiting outdated software and firmware on internet-facing services, indiscriminately targeting vulnerable networks. Operating from China, attackers aim for financial gain, affecting healthcare, government, education, tech, manufacturing organizations, and other businesses in multiple industry verticals.

Ghost (Cring) ransomware group gains initial access by weaponizing public-facing apps tied to multiple CVEs, including flaws in Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange (known as ProxyShell attack chain). Once inside, they upload a web shell and use Command Prompt or PowerShell to download and run Cobalt Strike Beacon malware. 

Adversaries prioritize speed over persistence, often deploying ransomware within a day of initial compromise. However, they occasionally create or modify local and domain accounts, change passwords, and deploy web shells on victim servers. For privilege escalation, they employ Cobalt Strike to steal process tokens and run Beacons with elevated SYSTEM privileges. They’ve also been seen leveraging open-source tools like SharpZeroLogon, SharpGPPPass, BadPotato, and GodPotato—tools unlikely to be used by legitimate users.

Ghost ransomware operators use Cobalt Strike’s “hashdump” or Mimikatz to steal passwords for unauthorized logins, privilege escalation, and lateral movement. For defense evasion, they identify and disable antivirus software, frequently turning off Windows Defender with PowerShell commands. They also leverage tools like SharpShares, Ladon 911, and SharpNBTScan for network and remote system discovery. Using elevated access, attackers move laterally with WMIC and base64-encoded PowerShell commands to deploy Cobalt Strike Beacons in memory. If lateral movement fails, they often abandon the attack entirely. 

In addition, adversaries use ransomware executables like Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which can encrypt specific directories or entire systems, depending on command-line arguments. These payloads exclude certain files and system folders to prevent making devices inoperable. They also clear Windows Event Logs, disable Volume Shadow Copy, and delete shadow copies to hinder recovery efforts. 

The group’s ransom notes often threaten to sell stolen data if ransoms go unpaid, however, attackers rarely exfiltrate large amounts of sensitive information. Data transfers are usually small, often under hundreds of gigabytes, with limited use of Cobalt Strike Team Servers, Mega.nz, and web shells for exfiltration. 

Ghost heavily relies on Cobalt Strike Beacons, using HTTP/HTTPS connections to direct IP addresses rather than registered domains. They communicate with victims via encrypted email services like Tutanota, ProtonMail, and Mailfence.

Defenders recommend following key cybersecurity practices to defend against Ghost (Cring) ransomware activity. These include maintaining regular offline backups, applying timely security patches, and segmenting networks to limit lateral movement. Organizations are also encouraged to implement phishing-resistant MFA for privileged accounts, train users to recognize phishing, and monitor PowerShell for unauthorized use. 

To minimize the risks of increasing Ghost (Cring) ransomware attacks, SOC Prine Platform for collective cyber defense equips security teams with a cutting-edge product suite to proactively defend against intrusions and adopt a resilient cybersecurity strategy that aligns with a next-gen SOC approach. To dive into advanced automation, real-time intelligence, and cutting-edge detection strategies for enterprise security tailored for the SOC of the future, register here for our exclusive upcoming webinar.