The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Ghost (Cring)— (“Ghost”)—ransomware IOCs and TTPs identified through FBI investigation as recently as January 2025. Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware.
This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.
Read more…
Source: U.S. Federal Bureau of Investigation Cyber Division
Related:
- FBI: Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure
August 20, 2025
The Federal Bureau of Investigation (FBI) is warning the public, private sector, and international community of the threat posed to computer networks and critical infrastructure by cyber actors attributed to the Russian Federal Security Service’s (FSB) Center 16. The FBI detected Russian FSB cyber actors exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running ...
- Pharma giant Inotiv hit by ransomware attack, says operations were affected
August 19, 2025
Inotiv, an American pharmaceutical and biotech company, has confirmed it has suffered a ransomware attack which forced it to shut down parts of its IT infrastructure. In a report filed with the US Securities and Exchange Commission (SEC), the company said it spotted the attack on August 8, 2025. The initial investigation determined that someone broke ...
- Deep dive into CVE‑2025‑29824 in Windows
August 19, 2025
On April 8, 2025, Microsoft patched 121 vulnerabilities across its products, including CVE-2025-29824—the only one known to be exploited in the wild. This particular flaw enabled adversaries to escalate Windows privileges by leveraging a bug in the clfs.sys driver. Microsoft Threat Intelligence discovered the issue during the Storm-2460 attacks targeting organizations in Saudi Arabia, Spain, Venezuela, ...
- US spy chief says UK has dropped its Apple backdoor demand
August 19, 2025
The U.K has dropped its demand for special access to Apple’s cloud systems, or a “backdoor,” following negotiations with the Trump administration, according to U.S. National Intelligence Director Tulsi Gabbard. “As a result, the U.K. has agreed to drop its mandate for Apple to provide a ‘back door’ that would have enabled access to the protected ...
- Workday hit by data breach targeting CRM systems
August 18, 2025
The US company was affected by a social engineering campaign that bears similarities to a recent wave of attacks by extortion group ShinyHunters. Enterprise software company Workday recently suffered a data breach after threat actors targeted a third-party customer relationship management (CRM) platform. According to a blogpost by the US company on Friday (15 August), threat ...
- FBI: Fictitious Law Firms Targeting Cryptocurrency Scam Victims Combine Multiple Exploitation Tactics While Offering to Recover Funds
August 13, 2025
This updated advisory provides additional red flag indicators and due diligence measures to help victims who have been in contact with fictitious law firms conducting this fraudulent activity. This scheme combines a number of exploitation tactics including targeting vulnerable populations, particularly the elderly; exploiting victims’ emotional state and financial need to recover funds from a previous ...