{
	"id": "b8cef56f-af20-4f36-a5f9-c62a988bc346",
	"created_at": "2026-04-06T01:31:51.998448Z",
	"updated_at": "2026-04-10T13:13:05.313988Z",
	"deleted_at": null,
	"sha1_hash": "dcb73b67a5192ac019362c234725d518a523f9ae",
	"title": "#StopRansomware: Ghost (Cring) Ransomware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 152952,
	"plain_text": "#StopRansomware: Ghost (Cring) Ransomware | CISA\r\nPublished: 2025-02-19 · Archived: 2026-04-06 00:56:19 UTC\r\n1. Maintain regular system backups stored separately from the source systems which cannot be altered or encrypted by\r\npotentially compromised network devices [CPG 2.R].\r\n2. Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within\r\na risk-informed timeframe [CPG 2.F].\r\n3. Common Vulnerabilities and Exposures (CVE): CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-\r\n34473, CVE-2021-34523, CVE-2021-31207.\r\n4. Segment networks to restrict lateral movement from initial infected devices and other devices in the same\r\norganization [CPG 2.F].\r\n5. Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.\r\nSummary\r\nNote: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network\r\ndefenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories\r\ninclude recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs)\r\nto help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to\r\nlearn more about other ransomware threats and no-cost resources.\r\nThe Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State\r\nInformation Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Ghost (Cring)\r\n—(“Ghost”)—ransomware IOCs and TTPs identified through FBI investigation as recently as January 2025.\r\nBeginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software\r\nand firmware. 
This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of\r\norganizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these\r\nwidespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare,\r\ngovernment networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.\r\nGhost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note\r\ntext, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names\r\nassociated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.\r\nSamples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.\r\nGhost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to\r\ninternet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not\r\nbeen applied.\r\nThe FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of\r\nthis advisory to reduce the likelihood and impact of Ghost ransomware incidents.\r\nTechnical Details\r\nNote: This advisory uses the MITRE ATT\u0026CK® Matrix for Enterprise framework, version 16.1. See the MITRE\r\nATT\u0026CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE\r\nATT\u0026CK tactics and techniques.\r\nInitial Access\r\nThe FBI has observed Ghost actors obtaining initial access to networks by exploiting public facing applications that are\r\nassociated with multiple CVEs [T1190]. 
Their methodology includes leveraging vulnerabilities in Fortinet FortiOS\r\nappliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft\r\nSharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207—\r\ncommonly referred to as the ProxyShell attack chain).\r\nExecution\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a\r\nPage 1 of 8\n\nGhost actors have been observed uploading a web shell [T1505.003] to a compromised server and leveraging Windows\r\nCommand Prompt [T1059.003] and/or PowerShell [T1059.001] to download and execute Cobalt Strike Beacon\r\nmalware [T1105] that is then implanted on victim systems. Despite Ghost actors’ malicious implementation, Cobalt Strike\r\nis a commercially available adversary simulation tool often used for the purposes of testing an organization’s security\r\ncontrols.\r\nPersistence\r\nPersistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks. In multiple\r\ninstances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same\r\nday. However, Ghost actors sporadically create new local [T1136.001] and domain accounts [T1136.002] and change\r\npasswords for existing accounts [T1098]. 
In 2024, Ghost actors were observed deploying web shells [T1505.003] on\r\nvictim web servers.\r\nPrivilege Escalation\r\nGhost actors often rely on built in Cobalt Strike functions to steal process tokens running under the SYSTEM user context to\r\nimpersonate the SYSTEM user, often for the purpose of running Beacon a second time with elevated privileges [T1134.001].\r\nGhost actors have been observed using multiple open-source tools in an attempt at privilege escalation through exploitation\r\n[T1068] such as “SharpZeroLogon,” “SharpGPPPass,” “BadPotato,” and “GodPotato.” These privilege escalation\r\ntools would not generally be used by individuals with legitimate access and credentials.\r\nSee Table 1 for a descriptive listing of tools.\r\nCredential Access\r\nGhost actors use the built in Cobalt Strike function “hashdump” or Mimikatz [T1003] to collect passwords and/or\r\npassword hashes to aid them with unauthorized logins and privilege escalation or to pivot to other victim devices.\r\nDefense Evasion\r\nGhost actors used their access through Cobalt Strike to display a list of running processes [T1057] to determine which\r\nantivirus software [T1518.001] is running so that it can be disabled [T1562.001]. Ghost frequently runs a command to\r\ndisable Windows Defender on network connected devices. Options used in this command are: Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend.\r\nDiscovery\r\nGhost actors have been observed using other built-in Cobalt Strike commands for domain account discovery [T1087.002],\r\nopen-source tools such as “SharpShares” for network share discovery [T1135], and “Ladon 911” and\r\n“SharpNBTScan” for remote systems discovery [T1018]. 
Network administrators would be unlikely to use these tools\r\nfor network share or remote systems discovery.\r\nLateral Movement\r\nGhost actors used elevated access and Windows Management Instrumentation Command-Line (WMIC) [T1047] to run\r\nPowerShell commands on additional systems on the victim network—often for the purpose of initiating additional Cobalt\r\nStrike Beacon infections. The associated encoded string is a base 64 PowerShell command that always begins\r\nwith: powershell -nop -w hidden -encodedcommand\r\nJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQB [T1564.003].\r\nThis string decodes to “$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(“” and is involved with the\r\nexecution of Cobalt Strike in memory on the target machine.\r\nIn cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack\r\non a victim.\r\nExfiltration\r\nGhost ransom notes often claim exfiltrated data will be sold if a ransom is not paid. However, Ghost actors do not frequently\r\nexfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information\r\n(PII), that would cause significant harm to victims if leaked. The FBI has observed limited downloading of data to Cobalt\r\nStrike Team Servers [T1041]. Victims and other trusted third parties have reported limited uses of Mega.nz [T1567.002] and installed web shells for similar limited data exfiltration. Note: The typical data exfiltration is less than hundreds of\r\ngigabytes of data.\r\nCommand and Control\r\nGhost actors rely heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command and control (C2)\r\noperations, which function using hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS)\r\n[T1071.001]. 
Ghost rarely registers domains associated with their C2 servers. Instead, connections made to a uniform\r\nresource identifier (URI) of a C2 server, for the purpose of downloading and executing Beacon malware, directly reference\r\nthe C2 server’s IP address. For example, http://xxx.xxx.xxx.xxx:80/Google.com where xxx.xxx.xxx.xxx represents the C2\r\nserver’s IP address.\r\nFor email communication with victims, Ghost actors use legitimate email services that include traffic encryption features\r\n[T1573]. Some examples of email services that Ghost actors have been observed using are Tutanota, Skiff, ProtonMail,\r\nOnionmail, and Mailfence.\r\nNote: Table 2 contains a list of Ghost ransom email addresses.\r\nImpact and Encryption\r\nGhost actors use Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which are all ransomware executables that share\r\nsimilar functionality. Ghost variants can be used to encrypt specific directories or the entire system’s storage [T1486]. The\r\nnature of executables’ operability is based on command line arguments used when executing the ransomware file. Various\r\nfile extensions and system folders are excluded during the encryption process to avoid encrypting files that would render\r\ntargeted devices inoperable.\r\nThese ransomware payloads clear Windows Event Logs [T1070.001], disable the Volume Shadow Copy Service, and\r\ndelete shadow copies to inhibit system recovery attempts [T1490]. Data encrypted with Ghost ransomware variants\r\ncannot be recovered without the decryption key. Ghost actors hold the encrypted data for ransom and typically demand\r\nanywhere from tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software [T1486].\r\nThe impact of Ghost ransomware activity varies widely on a victim-to-victim basis. 
Ghost actors tend to move to other\r\ntargets when confronted with hardened systems, such as those where proper network segmentation prevents lateral movement\r\nto other devices.\r\nIndicators of Compromise (IOC)\r\nTable 1 lists several tools and applications Ghost actors have used for their operations. The use of these tools and\r\napplications on a network should be investigated further.\r\nNote: Authors of these tools generally state that they should not be used in illegal activity.\r\nTable 1: Tools Leveraged by Ghost Actors\r\nName Description Source\r\nCobalt Strike\r\nCobalt Strike is penetration testing\r\nsoftware. Ghost actors use an\r\nunauthorized version of Cobalt Strike.\r\nN/A\r\nIOX\r\nOpen-source proxy, used to establish a\r\nreverse proxy to a Ghost C2 server from\r\nan internal victim device.\r\ngithub[.]com/EddieIvan01/iox\r\nSharpShares.exe\r\nSharpShares.exe is used to enumerate\r\naccessible network shares in a domain.\r\nGhost actors use this primarily for host\r\ndiscovery.\r\ngithub[.]com/mitchmoser/SharpShares\r\nSharpZeroLogon.exe\r\nSharpZeroLogon.exe attempts to\r\nexploit CVE-2020-1472 and is run against\r\na target Domain Controller.\r\ngithub[.]com/leitosama/SharpZeroLogon\r\nSharpGPPPass.exe\r\nSharpGPPPass.exe attempts to\r\nexploit CVE-2014-1812 and targets XML\r\nfiles created through Group Policy\r\nPreferences that may contain passwords.\r\nN/A\r\nSpnDump.exe\r\nSpnDump.exe is used to list service\r\nprincipal name identifiers, which Ghost\r\nactors use for service and hostname\r\nenumeration.\r\nN/A\r\nNBT.exe\r\nA compiled version of SharpNBTScan, a\r\nNetBIOS scanner. 
Ghost actors use this\r\ntool for hostname and IP address\r\nenumeration.\r\ngithub[.]com/BronzeTicket/SharpNBTScan\r\nBadPotato.exe\r\nBadPotato.exe is an exploitation tool used\r\nfor privilege escalation.\r\ngithub[.]com/BeichenDream/BadPotato\r\nGod.exe\r\nGod.exe is a compiled version of\r\nGodPotato and is used for privilege\r\nescalation.\r\ngithub[.]com/BeichenDream/GodPotato\r\nHFS (HTTP File\r\nServer)\r\nA portable web server program that\r\nGhost actors use to host files for remote\r\naccess and exfiltration.\r\nrejitto[.]com/hfs\r\nLadon 911\r\nA multifunctional scanning and\r\nexploitation tool, often used by Ghost\r\nactors with the MS17010 option to scan\r\nfor SMB vulnerabilities associated\r\nwith CVE-2017-0143 and CVE-2017-0144.\r\ngithub[.]com/k8gege/Ladon\r\nWeb Shell\r\nA backdoor installed on a web server that\r\nallows for the execution of commands and\r\nfacilitates persistent access.\r\nSlight variation of\r\ngithub[.]com/BeichenDream/Chunk-Proxy/blob/main/proxy.aspx\r\nTable 2: MD5 File Hashes Associated with Ghost Ransomware Activity\r\nRansom Email Addresses\r\nTable 3 is a subset of ransom email addresses that have been included in Ghost ransom notes.\r\nTable 3: Ransom Email Addresses\r\nRansom Notes\r\nStarting approximately in August 2024, Ghost actors began using TOX IDs in ransom notes as an alternative method for\r\ncommunicating with victims. For\r\nexample: EFE31926F41889DBF6588F27A2EC3A2D7DEF7D2E9E0A1DEFD39B976A49C11F0E19E03998DBDA\r\nand E83CD54EAAB0F31040D855E1ED993E2AC92652FF8E8742D3901580339D135C6EBCD71002885B.\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nSee Table 4 to Table 13 for all referenced threat actor tactics and techniques in this advisory. 
For assistance with mapping\r\nmalicious cyber activity to the MITRE ATT\u0026CK framework, version 16.1, see CISA and MITRE ATT\u0026CK’s Best Practices\r\nfor MITRE ATT\u0026CK Mapping and CISA’s Decider Tool.\r\nTable 4: Initial Access\r\nTechnique Title ID Use\r\nExploit Public-Facing\r\nApplication\r\nT1190 Ghost actors exploit multiple vulnerabilities in public-facing systems to gain\r\ninitial access to servers.\r\nTable 5: Execution\r\nTechnique Title ID Use\r\nWindows Management\r\nInstrumentation\r\nT1047\r\nGhost actors abuse WMI to run PowerShell scripts on other devices,\r\nresulting in their infection with Cobalt Strike Beacon malware.\r\nPowerShell\r\nT1059.001 Ghost actors use PowerShell for various functions including to deploy\r\nCobalt Strike.\r\nWindows Command Shell\r\nT1059.003 Ghost actors use the Windows Command Shell to download malicious\r\ncontent on to victim servers.\r\nTable 6: Persistence\r\nTechnique Title ID Use\r\nAccount\r\nManipulation\r\nT1098 Ghost actors change passwords for already established accounts.\r\nLocal Account\r\nT1136.001\r\nGhost actors create new accounts or make modifications to local accounts.\r\nDomain Account\r\nT1136.002\r\nGhost actors create new accounts or make modifications to domain accounts.\r\nWeb Shell\r\nT1505.003 Ghost actors upload web shells to victim servers to gain access and for\r\npersistence.\r\nTable 7: Privilege Escalation\r\nTechnique Title ID Use\r\nExploitation for Privilege\r\nEscalation\r\nT1068\r\nGhost actors use a suite of open source tools in an attempt to gain\r\nelevated privileges through exploitation of vulnerabilities.\r\nToken Impersonation/Theft\r\nT1134.001 Ghost actors use Cobalt Strike to steal process tokens of processes\r\nrunning at a higher privilege.\r\nTable 8: Defense Evasion\r\nTechnique Title ID Use\r\nApplication Layer Protocol:\r\nWeb 
Protocols\r\nT1071.001 Ghost actors use HTTP and HTTPS protocols while conducting C2\r\noperations.\r\nImpair Defenses: Disable or\r\nModify Tools\r\nT1562.001\r\nGhost actors disable antivirus products.\r\nHidden Window\r\nT1564.003 Ghost actors use PowerShell to conceal malicious content within\r\nlegitimate appearing command windows.\r\nTable 9: Credential Access\r\nTechnique Title ID Use\r\nOS Credential\r\nDumping\r\nT1003 Ghost actors use Mimikatz and the Cobalt Strike “hashdump” command to collect\r\npasswords and password hashes.\r\nTable 10: Discovery\r\nTechnique Title ID Use\r\nRemote System\r\nDiscovery\r\nT1018\r\nGhost actors use tools like Ladon 911 and SharpNBTScan for remote systems\r\ndiscovery.\r\nProcess Discovery T1057 Ghost actors run a ps command to list running processes on an infected device.\r\nDomain Account\r\nDiscovery\r\nT1087.002 Ghost actors run commands such as net group “Domain Admins” /domain to\r\ndiscover a list of domain administrator accounts.\r\nNetwork Share\r\nDiscovery\r\nT1135\r\nGhost actors use various tools for network share discovery for the purpose of\r\nhost enumeration.\r\nSoftware Discovery T1518 Ghost actors use their access to determine which antivirus software is running.\r\nSecurity Software\r\nDiscovery\r\nT1518.001\r\nGhost actors run Cobalt Strike to enumerate running antivirus software.\r\nTable 11: Exfiltration\r\nTechnique Title ID Use\r\nExfiltration Over C2\r\nChannel\r\nT1041 Ghost actors use both web shells and Cobalt Strike to exfiltrate limited data.\r\nExfiltration to Cloud\r\nStorage\r\nT1567.002 Ghost actors sometimes use legitimate cloud storage providers such\r\nas Mega.nz for malicious exfiltration operations.\r\nTable 12: Command and Control\r\nTechnique Title ID Use\r\nWeb Protocols\r\nT1071.001 Ghost actors use Cobalt Strike Beacon malware and Cobalt Strike Team Servers\r\nwhich communicate over HTTP and HTTPS.\r\nIngress Tool\r\nTransfer\r\nT1105\r\nGhost actors use Cobalt 
Strike Beacon malware to deliver ransomware payloads to\r\nvictim servers.\r\nStandard\r\nEncoding\r\nT1132.001 Ghost actors use PowerShell commands to encode network traffic which reduces\r\ntheir likelihood of being detected during lateral movement.\r\nEncrypted\r\nChannel\r\nT1573 Ghost actors use encrypted email platforms to facilitate communications.\r\nTable 13: Impact\r\nTechnique Title ID Use\r\nData Encrypted for\r\nImpact\r\nT1486 Ghost actors use ransomware variants Cring.exe, Ghost.exe, ElysiumO.exe,\r\nand Locker.exe to encrypt victim files for ransom.\r\nInhibit System\r\nRecovery\r\nT1490\r\nGhost actors delete volume shadow copies.\r\nMitigations\r\nThe FBI, CISA, and MS-ISAC recommend organizations reference their #StopRansomware Guide and implement the\r\nmitigations below to improve cybersecurity posture on the basis of the Ghost ransomware activity. These mitigations align\r\nwith the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards\r\nand Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all\r\norganizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect\r\nagainst the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more\r\ninformation on the CPGs, including additional recommended baseline protections.\r\nMaintain regular system backups that are known-good and stored offline or are segmented from source systems\r\n[CPG 2.R]. 
Ghost ransomware victims whose backups were unaffected by the ransomware attack were often able to\r\nrestore operations without needing to contact Ghost actors or pay a ransom.\r\nPatch known vulnerabilities by applying timely security updates to operating systems, software, and firmware\r\nwithin a risk-informed timeframe [CPG 1.E].\r\nSegment networks to restrict lateral movement from initial infected devices and other devices in the same\r\norganization [CPG 2.F].\r\nRequire Phishing-Resistant MFA for access to all privileged accounts and email services accounts.\r\nTrain users to recognize phishing attempts.\r\nMonitor for unauthorized use of PowerShell. Ghost actors leverage PowerShell for malicious purposes,\r\nalthough it is often a helpful tool that is used by administrators and defenders to manage system resources.\r\nFor more information, visit NSA and CISA’s joint guidance on PowerShell best practices.\r\nImplement the principle of least privilege when granting permissions so that employees who require access to\r\nPowerShell are aligned with organizational business requirements.\r\nImplement allowlisting for applications, scripts, and network traffic to prevent unauthorized execution and access\r\n[CPG 3.A].\r\nIdentify, alert on, and investigate abnormal network activity. Ransomware activity generates unusual network\r\ntraffic across all phases of the attack chain. This includes running scans to discover other network connected\r\ndevices, running commands to list, add, or alter administrator accounts, using PowerShell to download and\r\nexecute remote programs, and running scripts not usually seen on a network. Organizations that can\r\nsuccessfully identify and investigate this activity are better able to interrupt malicious activity before\r\nransomware is executed [CPG 3.A].\r\nGhost actors run a significant number of commands, scripts, and programs that IT administrators would have\r\nno legitimate reason for running. 
Victims who have identified and responded to this unusual behavior have\r\nsuccessfully prevented Ghost ransomware attacks.\r\nLimit exposure of services by disabling unused ports such as RDP 3398, FTP 21, and SMB 445, and restricting\r\naccess to essential services through securely configured VPNs or firewalls.\r\nEnhance email security by implementing advanced filtering, blocking malicious attachments, and enabling\r\nDMARC, DKIM, and SPF to prevent spoofing [CPG 2.M].\r\nValidate Security Controls\r\nIn addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your\r\norganization’s security program against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise framework in\r\nthis advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see Table 3 to Table 13).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. Tune your security program, including people, processes, and technologies, based on the data generated by this\r\nprocess.\r\nReporting\r\nYour organization has no obligation to respond or provide information back to the FBI in response to this joint advisory. 
If,\r\nafter reviewing the information provided, your organization decides to provide information to the FBI, reporting must be\r\nconsistent with applicable state and federal laws.\r\nThe FBI is interested in any information that can be shared, to include logs showing communication to and from foreign IP\r\naddresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, and/or decryptor files.\r\nAdditional details of interest include a targeted company point of contact, status and scope of infection, estimated loss,\r\noperational impact, date of infection, date detected, initial attack vector, and host and network-based indicators.\r\nThe FBI, CISA, and MS-ISAC do not encourage paying ransom as payment does not guarantee victim files will be\r\nrecovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other\r\ncriminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your\r\norganization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to FBI’s\r\nInternet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its\r\n24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).\r\nDisclaimer\r\nThe information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and MS-ISAC do\r\nnot endorse any commercial entity, product, company, or service, including any entities, products, or services linked within\r\nthis document. 
Any reference to specific commercial entities, products, processes, or services by service mark, trademark,\r\nmanufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, and\r\nthe MS-ISAC.\r\nVersion History\r\nFebruary 19, 2025: Initial version.\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a"
	],
	"report_names": [
		"aa25-050a"
	],
	"threat_actors": [],
	"ts_created_at": 1775439111,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dcb73b67a5192ac019362c234725d518a523f9ae.pdf",
		"text": "https://archive.orkl.eu/dcb73b67a5192ac019362c234725d518a523f9ae.txt",
		"img": "https://archive.orkl.eu/dcb73b67a5192ac019362c234725d518a523f9ae.jpg"
	}
}