The Ghost (Cring) ransomware threat, explained

Key Takeaways

  • Ghost ransomware exploits outdated software vulnerabilities, targeting critical infrastructure, including health care, government, and educational sectors.
  • Attackers use Cobalt Strike malware to infiltrate networks, steal credentials, and encrypt data, demanding significant ransoms.

U.S. agencies warn health care industry of new ransomware threat.

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint cybersecurity advisory for U.S. organizations, including health care providers, about a growing ransomware threat known as Ghost, or Cring, ransomware.

Ghost ransomware actors have targeted critical infrastructure in 70 countries, including hospitals, universities, and government agencies, exploiting vulnerabilities in outdated software to infiltrate networks. Once inside, attackers deploy Cobalt Strike malware, steal credentials, disable security software, and encrypt data, demanding ransoms ranging from tens of thousands to hundreds of thousands of dollars.

Health care providers are especially vulnerable, as ransomware attacks can cripple patient care systems and expose sensitive medical records. The agencies recommend immediate action, including patching vulnerabilities, enabling phishing-resistant multi-factor authentication, securing offline backups, and segmenting networks to prevent lateral movement of attackers.

Authorities warn against paying ransoms, as there is no guarantee files will be restored. Organizations experiencing an attack should report incidents to federal agencies and seek cybersecurity assistance.

For more information and mitigation strategies, visit StopRansomware.gov.

Overview and History of Ghost (Cring) Ransomware

Ghost (Cring) ransomware emerged in early 2021, initially targeting organizations running outdated software and unpatched vulnerabilities. The ransomware group, believed to be operating out of China, conducts financially motivated cyberattacks across critical infrastructure, health care, education, government, and manufacturing sectors.

Early Attacks and Evolution

The first known Ghost ransomware attacks exploited a vulnerability in Fortinet FortiOS appliances to gain initial access to victim networks. By leveraging publicly available hacking tools and custom ransomware, Ghost actors encrypted systems and demanded ransom payments. These early attacks focused on Europe but later expanded to organizations worldwide.

Over time, Ghost ransomware evolved to incorporate new attack techniques. It began targeting Microsoft Exchange, Adobe ColdFusion servers, and unpatched SharePoint systems. The attackers became more sophisticated, using additional malware, web shells, and privilege escalation tools to spread ransomware quickly after gaining access.

Recent Activity and Impact

By 2024 and 2025, Ghost ransomware had compromised networks in over 70 countries. Ghost actors use multiple ransom email addresses, change encryption methods, and regularly update malware payloads to evade detection.

Despite increased law enforcement efforts, Ghost ransomware remains an active and dangerous cyber threat, with attacks continuing against health care and critical infrastructure worldwide.

Key Takeaways for Health Care Organizations

Health care institutions remain a top target for ransomware attacks, as cybercriminals exploit outdated software, unpatched vulnerabilities, and weak security configurations. Ghost ransomware operators, believed to be based in China, have been targeting critical infrastructure, including hospitals, government networks, and educational institutions.

How Ghost Ransomware Works

Ghost actors gain initial access to networks by exploiting vulnerabilities in public-facing applications and outdated software, particularly Fortinet FortiOS appliances, Adobe ColdFusion servers, and Microsoft Exchange and SharePoint servers.

Once inside, attackers deploy the Cobalt Strike post-exploitation tool, move laterally through networks, steal credentials, and encrypt files. In many cases, they disable antivirus software and delete system recovery options to increase the likelihood of a ransom payment.

Immediate Actions to Protect Health Care Systems

Health care organizations should act now to minimize their risk of ransomware attacks. Recommended security measures include:

  1. Backup Data Securely – Maintain regular, offline backups that are isolated from your network. This prevents attackers from encrypting both live and backup data.
  2. Patch Vulnerabilities Promptly – Apply security updates to all software, operating systems, and firmware.
  3. Segment Networks – Restrict lateral movement within the network to prevent an infected system from compromising an entire organization.
  4. Enable Multi-Factor Authentication (MFA) – Require phishing-resistant MFA for privileged accounts, email accounts, and remote access.

Potential Impact on Health Care Providers

  • Operational Disruptions – Hospitals and clinics risk system downtime, delaying patient care and administrative functions.
  • Patient Data Exposure – While Ghost ransomware actors primarily focus on financial extortion, there is a risk that electronic health records (EHRs) and personally identifiable information (PII) could be stolen and leaked.
  • Financial Losses – Ransom demands range from tens of thousands to hundreds of thousands of dollars, often requested in cryptocurrency.

What to Do If Infected

  • Do not pay the ransom. Payment does not guarantee file recovery and could encourage further attacks. The report reads: “The FBI, CISA, and MS-ISAC do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”
  • Report the incident to the FBI’s Internet Crime Complaint Center (IC3) or CISA at report@cisa.gov.
  • Isolate affected systems immediately to contain the infection.
  • Engage cybersecurity professionals to assess damage and attempt recovery.

With health care organizations among the most targeted by ransomware groups, proactive cybersecurity defenses are critical. Regular updates, network segmentation, strong authentication protocols, and user training can significantly reduce the risk of a successful attack. The Ghost (Cring) ransomware threat is ongoing, and health care providers should act immediately to strengthen their security posture.

For more details, visit StopRansomware.gov for additional advisories and free resources.