Chinese Ghost Hackers Driven By Profit Making America Pay

By Davey Winder, Senior Contributor

Ghost ransomware hackers strike in 70 countries

There are two types of scumbag in the cybercrime world: those who pick on vulnerable individuals to perpetrate their fraud, and those who target healthcare in search of illicit financial gains. The latter are, thankfully, much rarer than the former. However, hospitals have been on the ransomware and hacking radar before now, and I have had the disheartening task of reporting on them: the New York Blood Center attack, a million patient records exfiltrated by hackers, and even an FBI warning regarding patient hardware backdoors. Now a new threat intelligence report has revealed how financially motivated Chinese cybercriminals are targeting government offices, the energy sector, factories, financial services and, yes, hospitals across the globe. North America and the UK, however, have been the most attacked by the Ghost ransomware hackers.

According to a new report from Rebecca Harpur at Blackfog, the Ghost threat campaigns are operated by a financially motivated group from China and don't have any known state affiliations. These attacks are, Harpur said, driven by profit rather than espionage. It's also known that Ghost has gone by many other names over the years before ending up at this one: Cring, Crypt3r and Hello, as well as a closely related Phantom moniker. By constantly rebranding, Harpur explained, Ghost makes it more difficult for authorities to pin down its activities as one group.

This hasn't, however, stopped the Cybersecurity and Infrastructure Security Agency and the FBI from issuing a joint advisory warning of the dangers that Ghost presents to organizations across more than 70 countries. Those compromises all follow a familiar playbook, the Blackfog threat intelligence report warned: a ransom note threatens permanent data loss or public release of stolen files unless payment is made.

When it comes to the Ghost attacks themselves, the bullet-point methodology explained by Blackfog is as follows:

- Initial access is by way of public-facing systems, through exploitation of unpatched vulnerabilities. These include virtual private network appliances as well as web and email servers.
- Ghost then installs a backdoor by way of web shells and tools such as Cobalt Strike to maintain stealthy access. Having escalated system privileges, the attackers often create new user accounts and disable security software.
- With this admin-level access, the attackers spread to other systems on the network and quietly exfiltrate sensitive data to their own servers.
- Finally, Ghost deploys its ransomware payload, often named Ghost.exe or Cring.exe, across the network. Files on infected machines are scrambled and made unusable, Blackfog warned, backups are wiped out, and a ransom note appears on each system.

You can refer to the previously mentioned FBI advisory for detailed Ghost mitigation recommendations, but in the meantime, here's the quick Ghost cybersecurity blueprint as provided by Blackfog.
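The stage-by-stage playbook above maps naturally onto host-level detections. The following Python is an added example, not Blackfog's blueprint or code from the FBI advisory: it correlates constructed sample telemetry (hypothetical host names and a hypothetical svc_update account; the web-shell and WinDefend heuristics are assumptions about what such telemetry looks like, while Ghost.exe and Cring.exe are the payload names the report cites) and alerts on a host once several playbook stages have been observed there.

```python
from collections import defaultdict

# Constructed sample telemetry (not real logs): "<host> <event> key=value ...".
# Host names and the svc_update account are hypothetical.
SAMPLE_LOG = """\
srv-vpn-01 PROCESS_START parent=w3wp.exe child=cmd.exe
srv-vpn-01 USER_CREATED account=svc_update by=SYSTEM
srv-vpn-01 SERVICE_STOPPED name=WinDefend by=svc_update
fs-02 PROCESS_START parent=explorer.exe child=Ghost.exe by=svc_update
fs-02 BACKUP_DELETED target=shadow_copies by=svc_update
ws-17 USER_CREATED account=jdoe by=HelpdeskAdmin
"""

# One predicate per stage of the playbook described in the report. The web-shell
# heuristic (IIS worker process spawning a shell) and WinDefend are assumptions
# about what such telemetry looks like; Ghost.exe / Cring.exe come from the report.
STAGES = {
    "webshell_child_process": lambda e: e["event"] == "PROCESS_START"
        and e.get("parent", "").lower() == "w3wp.exe",
    "new_account": lambda e: e["event"] == "USER_CREATED",
    "security_software_disabled": lambda e: e["event"] == "SERVICE_STOPPED"
        and e.get("name") == "WinDefend",
    "ransomware_payload": lambda e: e["event"] == "PROCESS_START"
        and e.get("child", "").lower() in ("ghost.exe", "cring.exe"),
    "backups_wiped": lambda e: e["event"] == "BACKUP_DELETED",
}

def parse_line(line):
    host, event, *pairs = line.split()
    fields = {"host": host, "event": event}
    for pair in pairs:
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields

def correlate(log_text, min_stages=2):
    """Return {host: [stages]} for hosts where at least min_stages stages were seen."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    # Remember where each new account was created so its use elsewhere stands out.
    origin = {e["account"]: e["host"] for e in events if e["event"] == "USER_CREATED"}
    seen = defaultdict(set)
    for e in events:
        for stage, matches in STAGES.items():
            if matches(e):
                seen[e["host"]].add(stage)
        actor = e.get("by")
        # A freshly created account acting on another host is the "spread" stage.
        if actor in origin and origin[actor] != e["host"]:
            seen[e["host"]].add("lateral_movement")
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}
```

With the sample above, srv-vpn-01 and fs-02 are flagged while ws-17, which only shows a routine account creation, is not.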