Ghost Ransomware
By | Last Updated: April 15th, 2025 | 9 min read | Categories: Cybersecurity, Data Exfiltration, Ransomware

Breaking: Ghost Ransomware’s Latest Wave of Attacks

A ransomware threat called Ghost (also known as Cring ransomware) is causing widespread damage in early 2025, prompting alerts from cybersecurity agencies.

The FBI, CISA, and MS-ISAC issued a joint #StopRansomware advisory (AA25-022A) in February 2025 warning of Ghost’s escalating attacks. The strain emerged in 2021 but has grown into a global threat, breaching organizations in more than 70 countries to date.

Security experts say Ghost’s rise reflects a threat landscape in which ransomware keeps evolving and groups are more aggressive and technically capable than ever.

Ghost attacks combine data encryption with extortion, making the group one of the most dangerous threats active today. Its latest wave has struck hospitals, factories, and government offices worldwide, underscoring a broader surge in ransomware activity.

Below, we break down what Ghost ransomware is doing, who’s behind it, and how you can improve your defenses against this new threat.

Ghost (Cring) Ransomware’s Footprint: Who’s Being Targeted?


First off, Ghost’s victims span multiple industries, with a concentration in healthcare, energy, and financial services. From hospitals and clinics to power utilities and banks, no sector is off-limits.

The attackers have also hit critical infrastructure, government agencies, tech companies, schools, and manufacturing plants, but any organization running outdated systems is at heightened risk.

For instance, unpatched VPN servers and legacy applications in these sectors make inviting targets. One cybersecurity CEO noted that Ghost’s campaign exploits “patch fatigue” – overwhelmed IT teams struggling to keep up with endless vulnerabilities. This means even well-resourced industries can fall prey if they neglect timely updates.

Over 70 countries have reported Ghost ransomware attacks since 2021. The United States, Canada, and the United Kingdom are among the top targets, with incidents also observed in regions like Europe, Asia, and Australia. This worldwide reach sets Ghost apart.

If a network exposes a known vulnerability, Ghost is willing to exploit it. The group’s opportunistic targeting illustrates a present-day reality: a vulnerability on any internet-facing system, anywhere in the world, can invite a ransomware attack.

How Ghost Ransomware Works

The attackers usually exploit well-known security vulnerabilities and then act fast to disable their target’s network. Here’s an overview of how Ghost carries out its attacks:

  1. Ghost operators break in by exploiting vulnerabilities in public-facing systems. They scan for unpatched flaws in virtual private network (VPN) appliances, web servers, and email servers and use publicly available exploits. The FBI/CISA advisory names Fortinet FortiOS (CVE-2018-13379), Adobe ColdFusion (CVE-2010-2861, CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (the ProxyShell chain: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) among the products exploited, several of them with fixes available for years.
  2. Once inside, Ghost quickly plants backdoors and expands its control. The attackers upload web shells and deploy tools such as Cobalt Strike to maintain a stealthy presence. They then escalate to administrator privileges, often creating new local and domain accounts, changing passwords, and disabling antivirus software (notably Windows Defender) to solidify their foothold.
  3. With admin-level access, the attackers move laterally across the network and exfiltrate sensitive data to servers they control. Stolen data gives the gang extra leverage: they threaten to leak or sell it if the ransom isn’t paid, the double-extortion tactic now common among ransomware groups such as Conti and LockBit. One caveat from the FBI/CISA advisory: Ghost actors frequently claim to have exfiltrated data, but observed exfiltration has been limited in volume.
  4. Finally, Ghost deploys its ransomware payload (often named Ghost.exe or Cring.exe) across the network. Files on infected machines are encrypted and made unusable, backups reachable from the compromised network are destroyed, and a ransom note appears on each system.

Ghost has been observed going from initial breach to full encryption in under 24 hours, far faster than groups such as Conti or LockBit, whose intrusions have often lingered for days or weeks before the final payload is launched.
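The four steps above map onto things a defender can actually see in host telemetry. The following is an added example, not code from the BlackFog post or from the FBI/CISA advisory: a small rule set that scans process-creation log lines for the tradecraft described (a web shell written under the web root, a hidden or encoded PowerShell loader, new admin accounts, Defender switched off, shadow-copy and event-log destruction, and the Ghost.exe/Cring.exe payload names), then summarizes which steps of the chain are present and how quickly the intrusion moved. The log format, host names, account names, timestamps, and command lines are constructed for this example. Step 1 (exploitation) and step 3 (exfiltration) leave their traces in web-server and network telemetry rather than process logs, so they are not covered here.

```python
"""
Added example (not from the BlackFog post or the FBI/CISA advisory): scan
process-creation log lines for the post-exploitation tradecraft described in
steps 2 and 4, then summarize the chain. Log format and all values in
SAMPLE_LOG are constructed for this example.
"""
import re
from datetime import datetime

# Constructed sample log, one process creation per line:
#   <ISO-8601 timestamp> host=<name> user=<account> cmd=<command line>
SAMPLE_LOG = """\
2025-02-18T01:02:10Z host=web01 user=IIS APPPOOL\\DefaultAppPool cmd=cmd.exe /c echo ^<%@ Page Language="C#" %^> > C:\\inetpub\\wwwroot\\aspnet_client\\sh.aspx
2025-02-18T01:03:44Z host=web01 user=SYSTEM cmd=powershell.exe -nop -w hidden -enc JABjAD0AJwBjAGEAbABjACcA
2025-02-18T01:05:02Z host=web01 user=SYSTEM cmd=net user svc_backup P@ssw0rd! /add
2025-02-18T01:05:03Z host=web01 user=SYSTEM cmd=net localgroup administrators svc_backup /add
2025-02-18T01:06:30Z host=web01 user=svc_backup cmd=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2025-02-18T03:40:12Z host=dc01 user=svc_backup cmd=vssadmin delete shadows /all /quiet
2025-02-18T03:40:13Z host=dc01 user=svc_backup cmd=wevtutil cl Security
2025-02-18T03:41:00Z host=dc01 user=svc_backup cmd=C:\\Windows\\Temp\\Ghost.exe
2025-02-18T03:41:00Z host=fs01 user=svc_backup cmd=C:\\Windows\\Temp\\Cring.exe
2025-02-18T09:00:00Z host=ws22 user=alice cmd="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>.+?) cmd=(?P<cmd>.*)$")

# (step in the intrusion chain described above, description, pattern on the command line)
RULES = [
    (2, "web shell written under the IIS web root",
     re.compile(r"wwwroot\\.*\.(aspx|asp|jsp|php)\b", re.I)),
    (2, "hidden or encoded PowerShell (typical Cobalt Strike loader)",
     re.compile(r"powershell(\.exe)?\s.*(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,})", re.I)),
    (2, "new local account created with net.exe",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    (2, "account added to the local Administrators group",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    (2, "Windows Defender real-time protection disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    (4, "volume shadow copies deleted (backup destruction)",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    (4, "Windows event log cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\s+\S+", re.I)),
    (4, "payload file name seen in Ghost/Cring intrusions executed",
     re.compile(r"\\(Ghost|Cring)\.exe\b", re.I)),
]


def _parse_ts(ts: str) -> datetime:
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def scan(log_text: str) -> list[dict]:
    """Return one finding per (line, rule) match, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count and alert on these
        for stage, name, pattern in RULES:
            if pattern.search(m["cmd"]):
                findings.append({"ts": _parse_ts(m["ts"]), "host": m["host"],
                                 "user": m["user"], "stage": stage, "rule": name})
    return findings


def summarize(findings: list[dict]) -> dict:
    """Collapse findings into what an analyst triages first: which steps of the
    chain are present, which hosts are involved, and how fast it is moving."""
    if not findings:
        return {"stages": [], "hosts": [], "elapsed_seconds": 0.0, "chain_complete": False}
    times = [f["ts"] for f in findings]
    stages = sorted({f["stage"] for f in findings})
    elapsed = (max(times) - min(times)).total_seconds()
    return {
        "stages": stages,
        "hosts": sorted({f["host"] for f in findings}),
        "elapsed_seconds": elapsed,
        # Foothold activity followed by destruction/encryption inside a day is the
        # "under 24 hours" pattern described above.
        "chain_complete": 2 in stages and 4 in stages and elapsed < 86400,
    }


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']:%H:%M:%S} {f['host']:5} {f['user']:<26} step {f['stage']}: {f['rule']}")
    print(summarize(found))
```

Run against the constructed log, the scan flags nine of the ten lines (the Excel launch by alice is left alone), sees activity from steps 2 and 4 on three hosts, and measures roughly 2 hours 39 minutes between the web shell drop and the payload launch. Patterns like these are a starting point for a SIEM or EDR rule, not a finished detection: `net user /add` and `vssadmin` are also run legitimately, so the value is in correlating them by account and time window, which is what `summarize` sketches.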

Dark Web Analysis – Who’s Behind the Ghost?

So, who exactly is behind Ghost ransomware? All signs point to a financially motivated cybercriminal gang operating from China. While its tactics are aggressive, Ghost does not appear to be state-sponsored; it is driven by profit rather than espionage.

Unlike nation-state intrusion sets that pursue espionage, Ghost’s motive is pure extortion. The FBI/CISA assessment explicitly notes that Ghost actors “conduct these widespread attacks for financial gain”.

Interestingly, this group has worn many masks on the dark web. Over time they’ve used a variety of names – Ghost, Cring, Crypt3r, Phantom, even “Hello” – to evade easy identification. They also rotate their ransom note formats and contact emails frequently. By constantly rebranding, Ghost makes it more difficult for authorities to pin down its activities as one group.

Once Ghost encrypts a victim’s data, the ransom demands follow a familiar cyber extortion playbook: a ransom note threatens permanent data loss (or public release of stolen files) unless payment is made. The attackers typically ask for payment in cryptocurrency (e.g. Bitcoin) to stay anonymous.

Because the group rebrands so often and negotiates privately, exact ransom figures are hard to track; the FBI/CISA advisory puts demands in the range of tens to hundreds of thousands of dollars in cryptocurrency. Ghost often pressures victims by email to pay quickly, promising a decryption key after payment while threatening to leak the victim’s data if they don’t pay.

The ‘Silent War’: Governments vs. Cybercriminals

Law enforcement and intelligence agencies worldwide are in a silent war against ransomware gangs like Ghost. In the U.S., initiatives like CISA’s #StopRansomware campaign publish detailed threat alerts to help organizations shore up their defenses.

Governments are sharing intelligence and cooperating on takedowns where possible. For example, the U.S., U.K., and Australia recently jointly sanctioned a Russian hosting provider that aided ransomware operations – a sign of growing international teamwork against cybercriminal infrastructure.

Despite these efforts, bringing Ghost’s operators to justice remains extremely challenging. The hackers operate from within China, beyond the easy reach of Western law enforcement.

Unlike some ransomware rings that have been taken down in coordinated police stings, Ghost’s team enjoys a de facto safe haven. Agencies like the FBI and Interpol cannot simply arrest perpetrators on Chinese soil without cooperation.

Until Ghost can be directly dismantled, the priority for governments is strengthening everyone’s cyber defenses and closing the vulnerabilities this group exploits.

The Cybersecurity Blueprint: How to Stay Protected

Every organization should have a ransomware attack prevention and incident response plan in place to protect against threats like Ghost. Here is a quick security blueprint to help stay protected:

  1. Regularly back up your data and store copies offline (isolated from your network). This ensures you can recover files even if ransomware strikes. Test your backups periodically to make sure they work.
  2. Ghost thrives on unpatched systems. Keep operating systems, applications, and firmware updated, and prioritize internet-facing, known-exploited vulnerabilities (VPN appliances, web servers, and email servers) before attackers reach them.
  3. Protect all user accounts, especially admin and remote-access accounts, with MFA. Even if Ghost steals or guesses a password, MFA can block them from using it.
  4. Break your network into isolated zones so that a compromise in one area doesn’t give attackers free rein everywhere. Limit user privileges and network access rights to only what’s necessary. This containment strategy can stop Ghost’s lateral movement cold.
  5. Use tools like EDR/XDR to continuously monitor for suspicious behavior (e.g. a sudden burst of high-entropy file writes and renames from one process, shadow copies being deleted, or security tooling being switched off). Behavioral analytics can flag such anomalies faster than manual review.
  6. Anti data exfiltration technology (like BlackFog’s AI-driven ADX platform) is emerging as the next logical step in ransomware defense, stopping unauthorized data transfers before attackers can use the stolen data as leverage.
  7. Even with precautions, breaches can happen. Have an incident response playbook ready. If ransomware hits, isolate affected systems, secure backups, and engage your incident response team. Involve law enforcement as appropriate.
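Item 5 asks monitoring tools to spot a spike in encryption activity. Here is an added example, not code from the BlackFog post or any vendor product, of how such a rule is typically built: score each file write by the Shannon entropy of the bytes written, by whether the file’s extension changed, and by how many such writes one process made within a short window. The events, host and process names, the `.locked` extension, and the thresholds are all constructed for this example; the point it makes beyond the text is that entropy alone is a poor signal, because Office documents and archives are already near 8 bits per byte.

```python
"""
Added example (not from the BlackFog post): a toy encryption-burst detector
of the kind an EDR rule implements for blueprint item 5. Events, process
names, the ".locked" extension and thresholds are constructed for the example.
"""
import hashlib
import math
from collections import defaultdict

ENTROPY_THRESHOLD = 7.5  # bits/byte; encrypted and compressed data both sit near 8.0
BURST_COUNT = 5          # suspicious writes by one process ...
BURST_WINDOW_S = 60      # ... within this many seconds trigger an alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _ext(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def extension_changed(before: str, after: str) -> bool:
    """True when the write left the file with a different final extension."""
    return _ext(before) != _ext(after)


def pseudo_random(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 chaining, about 7.9 bits/byte)."""
    out, block = b"", seed.to_bytes(4, "big")
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def is_suspicious_write(before: str, after: str, data: bytes) -> bool:
    """Entropy alone is not enough: a .docx or .jpg is already near 8 bits/byte.
    Require the high-entropy write to also change the file's extension."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD and extension_changed(before, after)


def detect_bursts(events) -> dict:
    """Return {(host, process): [timestamps]} for every process whose suspicious
    writes reach BURST_COUNT inside any BURST_WINDOW_S-second window."""
    suspicious = defaultdict(list)
    for ts, host, proc, before, after, data in events:
        if is_suspicious_write(before, after, data):
            suspicious[(host, proc)].append(ts)
    alerts = {}
    for key, times in suspicious.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > BURST_WINDOW_S:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                alerts[key] = times
                break
    return alerts


# Constructed events: (seconds since start, host, process, path before, path after, bytes written)
SAMPLE_EVENTS = [
    # Office saving a .docx: high entropy (it is a zip) but same extension -> benign
    (0, "fs01", "WINWORD.EXE", "D:\\share\\q1-report.docx", "D:\\share\\q1-report.docx",
     b"PK\x03\x04" + pseudo_random(4000, 1)),
    # Plain-text edit: low entropy -> benign
    (5, "fs01", "notepad.exe", "D:\\share\\notes.txt", "D:\\share\\notes.txt",
     b"meeting at 10, bring the budget sheet\n" * 50),
    # A log-rotation job gzipping one file: suspicious on its own, but a single write
    (20, "fs01", "backup.exe", "D:\\share\\app.log", "D:\\share\\app.log.gz",
     b"\x1f\x8b" + pseudo_random(2000, 9)),
]
# Six encrypted-and-renamed files from one process within six seconds -> alert
SAMPLE_EVENTS += [
    (100 + i, "fs01", "Ghost.exe", f"D:\\share\\doc{i}.xlsx", f"D:\\share\\doc{i}.xlsx.locked",
     pseudo_random(4096, 100 + i))
    for i in range(6)
]

if __name__ == "__main__":
    for (host, proc), times in detect_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host} {proc}: {len(times)} encrypted-and-renamed writes in {times[-1] - times[0]}s")
```

On the constructed events only `Ghost.exe` trips the rule: the Word save is high-entropy but keeps its extension, the text edit is low-entropy, and the single gzip rename never reaches the burst count. Real products add magic-byte checks (a `.docx` that no longer starts with `PK` is a stronger signal than entropy) and canary files, but the three-factor structure here is the core of most "encryption spike" detections.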

Finally, if you’re concerned about the rise in Ghost ransomware attacks, BlackFog’s ADX technology is built to block the data theft techniques used in these attacks.

Learn how BlackFog can help protect your organization by visiting BlackFog.com. There, you can explore the technology, request a demo, or check out our award-winning State of Ransomware blog for a detailed look at the ever-evolving ransomware landscape.
