Attacks are more focused on encryption than exfiltration: The Ghost attackers have sometimes exfiltrated data back to their Cobalt Strike team servers or to the Mega.nz file-sharing service, but this has been rare and the amount of information stolen has been limited. According to FBI investigations, the group does not regularly exfiltrate intellectual property or personally identifiable information (PII) that would cause significant harm to victims, as other ransomware groups do. This lack of focus on data theft as a double-extortion tactic also explains why the group doesn't bother setting up malware persistence mechanisms for a long-term presence on victim networks.

When it comes to encrypting data, the group has used multiple ransomware executables over time, including Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. These have similar functionality, and their features are controlled with command-line arguments when executed.

In addition to encrypting files, the Ghost ransomware clears the Windows Event Logs, deletes the volume shadow copies that could otherwise be used to restore files, and disables the Volume Shadow Copy Service. The attackers also scan for and disable antivirus products running on the system.

The encryption algorithms used are strong, and the encrypted data cannot be recovered without the decryption key held by the attackers. However, the impact will differ from victim to victim, because the Ghost attackers will not spend much time trying to compromise a large number of devices on networks where doing so is too difficult.
“Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral movement to other devices,” CISA said.

The joint FBI, CISA, and MS-ISAC advisory contains indicators of compromise (domain names, file hashes, and email addresses), a mapping of the group's tactics, techniques, and procedures (TTPs) to MITRE ATT&CK, and security recommendations for organizations to protect themselves against Ghost attacks and against ransomware in general.
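The advisory's own detection guidance is not reproduced here, but the behaviours described above (clearing event logs, deleting shadow copies, stopping the Volume Shadow Copy Service, disabling antivirus) are loud on an endpoint and are worth alerting on. What follows is an added example, not code from the advisory or from the article, of a small detection pass in Python over process-creation command lines of the kind Sysmon event ID 1 or Windows Security event 4688 record. The regexes, the sample events, and the host names are constructed for the example; the ATT&CK labels used (T1490 Inhibit System Recovery, T1070.001 Clear Windows Event Logs, T1562.001 Disable or Modify Tools) are standard ATT&CK entries and are not the advisory's own mapping.

```python
import re
from dataclasses import dataclass

# Each rule: (ATT&CK technique, description, regex over the process command line).
# The regexes are deliberately loose about paths, extensions and whitespace.
# They are generic patterns for the behaviours the article describes, not IOCs
# taken from the advisory.
RULES = [
    ("T1490", "delete volume shadow copies (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490", "delete volume shadow copies (WMI)",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1490", "stop or disable the Volume Shadow Copy Service",
     re.compile(r"\b(sc|net)(\.exe)?\s+(config|stop)\s+vss\b"
                r"|\bset-service\b.*\bvss\b.*\bdisabled\b", re.I)),
    ("T1070.001", "clear Windows Event Logs",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bclear-eventlog\b", re.I)),
    ("T1562.001", "disable Microsoft Defender real-time protection",
     re.compile(r"\bset-mppreference\b.*\bdisablerealtimemonitoring\b"
                r"|\b(sc|net)(\.exe)?\s+stop\s+windefend\b", re.I)),
]


@dataclass(frozen=True)
class Hit:
    host: str
    technique: str
    description: str
    cmdline: str


def classify_command(cmdline):
    """Return every (technique, description) pair whose rule matches the command line."""
    return [(tech, desc) for tech, desc, rx in RULES if rx.search(cmdline)]


def scan_events(events):
    """Run every rule over a list of {'host': ..., 'cmdline': ...} process-creation events."""
    hits = []
    for ev in events:
        for tech, desc in classify_command(ev["cmdline"]):
            hits.append(Hit(ev["host"], tech, desc, ev["cmdline"]))
    return hits


def hosts_with_recovery_and_log_tampering(hits):
    """Hosts where both shadow-copy tampering (T1490) and log clearing (T1070.001) fired.

    The combination is a far stronger pre-encryption signal than either alone:
    backup software legitimately runs 'vssadmin delete shadows', but it does not
    also wipe the Security log.
    """
    techniques_by_host = {}
    for h in hits:
        techniques_by_host.setdefault(h.host, set()).add(h.technique)
    return sorted(host for host, techs in techniques_by_host.items()
                  if {"T1490", "T1070.001"} <= techs)


# Constructed sample events (hypothetical hosts and command lines, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-014", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-014", "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS-014", "cmdline": "sc.exe config vss start= disabled"},
    {"host": "WS-014", "cmdline": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "SRV-DB1", "cmdline": "vssadmin.exe list shadows"},              # benign admin query
    {"host": "SRV-DB1", "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"host": "WS-022", "cmdline": "vssadmin delete shadows /for=C: /oldest"},  # routine backup cleanup
]


if __name__ == "__main__":
    all_hits = scan_events(SAMPLE_EVENTS)
    for h in all_hits:
        print(f"{h.host:8} {h.technique:10} {h.description}: {h.cmdline}")
    print("hosts with shadow-copy AND log tampering:",
          hosts_with_recovery_and_log_tampering(all_hits))
```

On the constructed sample, WS-014 trips all three technique families while WS-022's single `vssadmin delete shadows` only produces a low-severity T1490 hit, which is the right outcome: the individual commands are dual-use, so correlate them per host over a short window rather than paging on any one of them. Clearing the Security log also leaves Security event 1102 ("The audit log was cleared") as the first entry in the freshly emptied log, which is a useful corroborating signal when the process-creation telemetry itself has been lost.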
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3830549/fbi-and-cisa-warn-about-continuing-attacks-by-chinese-ransomware-group-ghost.html