Analyzing Elysium, a Variant of the Ghost (Cring) Ransomware Family

In February 2025, several U.S. cybersecurity agencies released a joint advisory on Ghost (Cring) ransomware, whose operators break in by exploiting known vulnerabilities in outdated, public-facing applications and have hit critical sectors such as healthcare and government. The group uses sophisticated tools and techniques to carry out its attacks, culminating in the deployment of a ransomware payload that encrypts files and is varied per target. Affected sectors: healthcare, critical infrastructure, government.

Key points:

  • The Ghost (Cring) ransomware group has been active since 2021.
  • Initial access is gained by attacking public-facing applications with known vulnerabilities.
  • Affected industries include healthcare, critical infrastructure, and government sectors.
  • The group utilizes well-known tools such as Cobalt Strike and Mimikatz.
  • Ransomware payloads are customizable depending on the victim.

MITRE Techniques:

  • T1071 – Application Layer Protocol: the attackers use HTTP/S to communicate with the command-and-control server.
  • T1059.001 – Command and Scripting Interpreter: PowerShell: PowerShell is used to stop services and to support lateral movement during the attack.
  • T1003 – OS Credential Dumping: tools such as Mimikatz are used to extract credentials from compromised systems.
  • T1490 – Inhibit System Recovery: the ransomware stops backup services (for example Veeam) before encrypting, reducing the victim's chance of restoring from backups.
  • T1486 – Data Encrypted for Impact: the final payload encrypts files with AES-256 and uses RSA to manage the encryption keys.

Indicators of Compromise:

  • [File Name] HvTovz-README.txt
  • [MD5] d1c5e7b8e937625891707f8b4b594314
  • [Service] sql
  • [Service] oracle
  • [Service] veeam
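
The indicators above, together with the service-stopping behaviour noted under T1490, can be turned into a small triage check. The script below is an added example and is not code from the Netskope analysis or from the malware itself: it sweeps a directory for the ransom note name and the listed MD5, and scans Windows Service Control Manager 7036 ("entered the stopped state") events for stops of sql/oracle/veeam services clustered in a short window. The log line format, the 120-second burst window, and substring matching of the service keywords against real service display names are all assumptions made for this demo; the sample log and demo files are constructed, not real telemetry.

```python
# Added example (not from the Netskope write-up or the ransomware): an IOC
# sweep for the Elysium indicators listed on this page. Sample data below is
# constructed for the demo.
import hashlib
import os
import re
import tempfile
from datetime import datetime

RANSOM_NOTE = "HvTovz-README.txt"
IOC_MD5 = {"d1c5e7b8e937625891707f8b4b594314"}
# The IOC list names services by keyword; real display names are longer
# ("MSSQLSERVER", "Veeam Backup Service"), so match the keyword as a
# case-insensitive substring. This is an assumption, not stated on the page.
TARGET_SERVICE_KEYWORDS = ("sql", "oracle", "veeam")

# Windows System log, Event ID 7036 (Service Control Manager), exported as
# one event per text line. Line layout and timestamp format are assumptions.
EVENT_7036 = re.compile(
    r"^(?P<ts>\S+ \S+) System 7036 Service Control Manager: "
    r"The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$"
)


def md5_of(path):
    """MD5 of a file, read in 1 MiB chunks so large files do not load fully."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root):
    """Walk root; report ransom notes by name and files matching the IOC MD5."""
    notes, hash_hits = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE.lower():
                notes.append(path)
            if md5_of(path) in IOC_MD5:
                hash_hits.append(path)
    return {"notes": sorted(notes), "hash_hits": sorted(hash_hits)}


def stopped_target_services(log_lines):
    """(timestamp, service) for 7036 'stopped' events on sql/oracle/veeam services."""
    hits = []
    for line in log_lines:
        m = EVENT_7036.match(line.strip())
        if not m or m["state"] != "stopped":
            continue
        svc = m["svc"]
        if any(k in svc.lower() for k in TARGET_SERVICE_KEYWORDS):
            hits.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), svc))
    return hits


def stop_burst(hits, window_seconds=120, threshold=3):
    """True if at least `threshold` target-service stops fall inside one window.

    One stop is routine maintenance; several in quick succession is the
    pre-encryption pattern described under T1490 above.
    """
    times = sorted(t for t, _ in hits)
    for i in range(len(times)):
        j = i
        while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
            j += 1
        if j - i + 1 >= threshold:
            return True
    return False


def make_demo_tree():
    """Create a throwaway directory with one ransom note and one benign file (constructed)."""
    root = tempfile.mkdtemp(prefix="elysium-demo-")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", RANSOM_NOTE), "w") as f:
        f.write("demo ransom note placeholder\n")
    with open(os.path.join(root, "docs", "report.txt"), "w") as f:
        f.write("benign content\n")
    return root


# Constructed sample Service Control Manager events (not real telemetry).
SAMPLE_LOG = [
    "2025-02-19 03:12:40 System 7036 Service Control Manager: The Windows Update service entered the running state.",
    "2025-02-19 03:12:44 System 7036 Service Control Manager: The MSSQLSERVER service entered the stopped state.",
    "2025-02-19 03:12:45 System 7036 Service Control Manager: The OracleServiceXE service entered the stopped state.",
    "2025-02-19 03:12:47 System 7036 Service Control Manager: The Veeam Backup Service service entered the stopped state.",
    "2025-02-19 03:12:49 System 7036 Service Control Manager: The Print Spooler service entered the stopped state.",
]

if __name__ == "__main__":
    hits = stopped_target_services(SAMPLE_LOG)
    for ts, svc in hits:
        print(f"{ts} stopped: {svc}")
    print("burst of backup/database stops:", stop_burst(hits))
    print(sweep_directory(make_demo_tree()))
```

The MD5 check is the weakest signal here: a rebuilt payload changes the hash while the ransom note name and the service-stop burst survive across variants, so in practice the burst detector and note sweep are the checks worth keeping in a hunt playbook.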

Full Story: https://www.netskope.com/blog/analyzing-elysium-a-variant-of-the-ghost-cring-ransomware-family