
New Insights on the Ghost Ransomware Gang and their Peculiar Success

This cyber threat intelligence investigation hunts ghosts - seeking to answer why the Ghost/Cring ransomware gang is so successful at eluding security researchers and being profitable, especially when they avoid phishing in favor of targeting known-vulnerabilities in internet-facing systems.

SirPicklJohn


Created by SirPicklJohn (Ayden Parsons)

Why is Ghost Successful?

A deep-dive into the Ghost/Cring ransomware group.


"DontCry :)" - Text found in a Ghost ransomware executable

Why is the Ghost Ransomware Gang, in particular, so successful?

Introduction

I'm proud to present you with extensive insights and information, including original findings not included in the latest FBI/CISA/MS-ISAC advisory, on the Ghost/Cring ransomware gang! While reading articles on the group, I had one burning question that formed the basis of my following investigation:

Why is the Ghost ransomware gang, in particular, so effective and successful, especially if they are only exploiting old, known vulnerabilities?

For context, on February 19th, 2025, the FBI and CISA released a joint cybersecurity advisory on the Ghost (also known as Cring) ransomware gang (linked here). Reports and news articles say that Ghost has victims in over 70 countries, specifically exploits internet-facing applications/devices with known and unpatched vulnerabilities (some over a decade old!), and is also known as Cring, Cring Hand, RSA Virus, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture (you will see why this group goes by so many different names - attribution has been incredibly difficult).

For the most intriguing and important part of my investigation, skip to the "What Makes Ghost Uniquely Successful?" section.

What Does Ghost Do Differently? How Does It Compare To Other Gangs?

First, Ghost has some direct contradictions to the typical tactics, techniques, and procedures (TTPs) of other modern ransomware gangs:

  • Limited Data Exfiltration: Ghost threatens double-extortion (i.e., ransoming and threatening to leak stolen data), but there is no evidence suggesting that they actually exfiltrate that much data. When Ghost exfiltrates data, it has reportedly always been under 100 gigabytes (which, considering the amount of data that modern companies routinely store and process now, is not much). It is common behavior for ransomware gangs to regularly exfiltrate and leak terabytes of data, and sometimes, they even threaten triple extortion (which involves making threats directly to the end-users [students, patients, parents, etc.] who have had their data compromised in order to put pressure on the compromised organization to pay the ransom). However, Ghost primarily focuses on encrypting and ransoming their victims' data, targeting networks with less-robust security mechanisms, and severely impeding the victim's ability to defend, respond to, and recover from the attack.
  • Inconsistency and Fluidity: Ghost does not limit itself to a set of defined ransomware payloads, file extensions, ransom notes, or ransom contact email addresses. Ghost has used the Cring.exe, Ghost.exe, Elysium0.exe, Elysium.exe, ip.txt (disguised EXE), NoNet.txt (disguised EXE), and Locker.exe executable ransomware payloads before, at least 9-26+ different encrypted file extensions, at least 9 different ransom notes, and at least 41 different email addresses used to contact them. See the "Aggregated IoCs" section at the end of this report for these lists.
  • Minimal and Short Persistence, If Any At All: The FBI/CISA report detailed that "[p]ersistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks. In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day". While this led me to believe that Ghost was very unique for this speed, the "Time-To-Ransom" (TTR) measurement (i.e., the time it takes ransomware operators to deploy ransomware after initially gaining access) has actually been dropping among ransomware groups over the past few years. Thus, while Ghost is not particularly fast or slow when comparing their TTR with higher-profile ransomware gangs (which is a hard comparison to make, particularly as the FBI/CISA report does not give specific statistics, and interpreting those statistics definitively is difficult or impossible), it is still massively useful for security personnel to know that ransomware is trending towards ultra-low (<2 days) TTRs.
    • Statistics to Support This: From 2022-2023, a frequently-cited Secureworks/Sophos report found that the median dwell time of ransomware operators had dropped from 4.5 days to just 1 day, with 10% of cases showing an even smaller dwell time of only five hours (linked source). Throughout 2024, Huntress Labs found that the average TTR of ransomware groups was 16.88 hours (ranging from an average of 4.22 to 43.42 hours, depending on whether the group preferred a slow and deliberate approach or a rapid smash-and-grab) (article link, direct PDF link).
  • Lack of Domain Registration: Ghost is not known to register domains; instead, it hardcodes its C2 server's address directly in its payloads to download and execute Cobalt Strike Beacon malware. This is likely due to the short-lived nature/TTR of Ghost's operations, the desire to not leave a digital footprint, and the fact that Ghost does not typically use social engineering attacks or lookalike phishing domains to compromise its victims.
  • Specifically Exploiting Known Vulnerabilities in Public-Facing Applications and Devices: While the earliest ransomware payloads from Cring (before it was known as Ghost) sometimes used phishing-based methods of delivery, at least according to old and potentially unreliable or generalized forums, the FBI and CISA have found that Ghost rarely uses the social engineering or phishing tactics that are ubiquitous amongst cybercriminals and ransomware operators. Ghost strongly prefers to only target known, unpatched vulnerabilities in public-facing applications and devices, such as firewalls, RDP (port 3389), FortiGate VPN gateways, SMB (port 445), FTP (port 21), and end-of-life ColdFusion servers. The following CVEs are known to be exploited by Ghost:

What Makes Ghost Uniquely Successful?

This part of the report formed the crux of my investigation, where I not only sought to answer why Ghost was successful in terms of executing attacks and making a profit, but also in evading detection and making it hard to attribute activity to them - remember, this nebulous gang is known by eleven different names, and there still is a lot that isn't known about them!

My investigation suggested that all of the following factors, especially when working in tandem with each other, massively contribute to Ghost's success in both their profitability and their ability to give researchers and prosecutors a headache:

  • Threatening double-extortion, while not actually exfiltrating that much data
  • "Moving quickly" by taking mere hours or days to complete infiltration, privilege escalation and lateral movement, and final ransomware deployment
  • Tailoring attacks and demands to the victim
  • Demanding "reasonable" amounts of cryptocurrency equating to tens to hundreds of thousands of dollars
  • Heavily utilizing Cobalt Strike, open-source tools, and native Windows/PowerShell tools and commands
  • Short, minimal, or no persistence
  • Lack of domain registration
  • Defense evasion, disablement, and impersonation, combined with LOTL
  • Anti-forensics and anti-system-recovery
  • Anti-debugging/anti-reverse engineering
  • Inconsistency and fluidity
  • Communication via encrypted email services and TOX (P2P, end-to-end encrypted messaging/video)
  • Specific targeting:
    • Public-facing applications and devices
    • Critical infrastructure, schools and universities, healthcare, government, religious institutions, technology and manufacturing, and SMBs
    • Avoiding hardened systems, and moving on when segmented networks are encountered that impede lateral movement
  • Imitating/being imitated by other ransomware groups

Inconsistency and Fluidity + Imitating (or Being Imitated By?) Other Ransomware

The primary differentiator for Ghost that I immediately noticed was their deliberate inconsistency and rotation of the key elements in their attack chain (having used at least 5 different payloads, 9-26+ encrypted file extensions, 9 different ransom notes, and 41 different email addresses to contact them). This cripples the ability of security professionals to use hashes in their detection mechanisms, and has led to major difficulties in actually tracking and attributing Ghost's attack activity.

To highlight this, see the following screenshot of the thought process of the "discoverer" of Ghost/Cring, Amigo-A (Andrew Ivanov):

Also note the comparison to the Parasite ransomware. Parallels between the two threat actors are as follows (do note that there are likely several errors or "best guesses" made in these analyses. I am including this information to highlight the challenges that have been experienced in attributing activity to Ghost):

  • Using Tutanota encrypted emails for communication with clients (as well as several cock.li addresses).
  • Deleting volume shadow copies.
  • One particular infection used the .vjiszy1lo extension for encrypted files and had a ransom note (labelled "HOW_CAN_GET_FILES_BACK.txt") with two emails used by Ghost.
  • This blog post (see image below) and this article by Amigo-A, which links several ransom note filenames and several extensions that Ghost is known to use to Parasite.
  • The ransomware recovery company Elastio linked the .phantom extension, the "HOW_CAN_GET_FILES_BACK.txt/rtf" ransom note names, "Ghost.exe", and several emails to both Parasite and Ghost (see this link for Elastio's page on Parasite, and this link for the page on Ghost). There are likely errors or a lack of verification in Elastio's assessment, and I suspect they referenced Amigo-A's research/the BleepingComputer forum posts referenced throughout this article.
  • These groups developed around the same time (Ghost emerged in December 2020, while Parasite is believed to have emerged January 2021).

Some possible explanations for these parallels are as follows:

  • The researchers above could have made mistakes or didn't verify their sources before making these claims.
  • Ghost could have links to Parasite, or they could be the same threat actor.
  • Ghost and/or Parasite may have purposefully adopted some of the tactics/attributes of the other in order to make attribution harder.

Again, I include this information only to highlight the observed challenges in definitively attributing activity to Ghost.

Defense Evasion, Defense Deactivation, and Tool Choice (Including LOTL)

Another strong component of Ghost's success lies in their defense-evasion techniques. They use encoded PowerShell commands, Windows Command Shell commands, and Windows Management Instrumentation (WMI), all of which are built into Windows and are commonly used for IT administration. Additionally, legitimate services like SMB and RDP are abused.

Ghost also heavily relies on Cobalt Strike (which uses HTTP/HTTPS and can blend in with legitimate traffic) and the following set of open source tools:

  • IOX - Used as an open-source reverse proxy to a Ghost C2 server from a victim device on the network.
  • Exploitation and Lateral Movement:
  • Enumeration:
    • SharpShares.exe
    • SpnDump.exe
    • NBT.exe
  • Privilege Escalation:
    • SharpZeroLogon.exe - Used to exploit CVE-2020-1472 (escalation of privilege using MS-NRPC) against a Domain Controller.
    • SharpGPPPass.exe - Attempts to exploit CVE-2014-1812
    • BadPotato.exe
    • God.exe (GodPotato)
  • Persistence:
    • Web Shell - Executes commands and facilitates persistent access
  • Exfiltration:

A common Ghost attack chain includes using Cobalt Strike to list all running processes, using that list to identify the antivirus solution running on the system, and then using a PowerShell command like the following to disable it (in this case, Windows Defender is being disabled):
Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
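Detection logic for the Defender-disabling command above, written for this post as an added example (it is not code from the original article or from the FBI/CISA advisory). It decodes -EncodedCommand payloads (base64 of UTF-16LE, the form encoded PowerShell takes) and flags Set-MpPreference parameters set to weakening values, including abbreviated parameter names, over constructed 4688 process-creation records; the sample events, host names and the -e/-ec/-enc abbreviations handled are assumptions.

```python
import base64
import binascii
import re

# Set-MpPreference parameters that weaken Microsoft Defender, mapped to the
# values that mean "weakened" (PowerShell accepts 1/$true for the switches
# and either the enum name or its number for the last three).
WEAKENING = {
    "DisableRealtimeMonitoring": {"1", "$true", "true"},
    "DisableIntrusionPreventionSystem": {"1", "$true", "true"},
    "DisableBehaviorMonitoring": {"1", "$true", "true"},
    "DisableScriptScanning": {"1", "$true", "true"},
    "DisableIOAVProtection": {"1", "$true", "true"},
    "EnableControlledFolderAccess": {"disabled", "0"},
    "MAPSReporting": {"disabled", "0"},
    "SubmitSamplesConsent": {"neversend", "2"},
}

# powershell.exe takes the script as base64 of UTF-16LE text after
# -EncodedCommand; -e, -ec and -enc are the abbreviations assumed here.
ENCODED_RE = re.compile(
    r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
SET_MPPREF_RE = re.compile(r"\bSet-MpPreference\b", re.IGNORECASE)
# "-Name Value" pairs. The value is optional so a bare switch such as -Force
# does not swallow the next parameter name; the lookbehind stops the "-Mp"
# inside "Set-MpPreference" from being read as a parameter.
PARAM_RE = re.compile(r"(?<![\w-])-(\w+)(?:\s+(?!-)(\S+))?")


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def resolve_param(name):
    """Mimic PowerShell's unique-prefix parameter matching against WEAKENING."""
    matches = [p for p in WEAKENING if p.lower().startswith(name.lower())]
    return matches[0] if len(matches) == 1 else None


def find_defender_tampering(cmdline):
    """Return the (parameter, value) pairs in cmdline that weaken Defender."""
    script = decode_encoded_command(cmdline) or cmdline
    m = SET_MPPREF_RE.search(script)
    if not m:
        return []
    hits = []
    for name, value in PARAM_RE.findall(script[m.end():]):
        param = resolve_param(name)
        if param and value.lower() in WEAKENING[param]:
            hits.append((param, value))
    return hits


def scan_events(events):
    """Flag process-creation records whose command line tampers with Defender."""
    findings = []
    for ev in events:
        hits = find_defender_tampering(ev["CommandLine"])
        if hits:
            findings.append({
                "host": ev["Host"],
                "event_id": ev["EventID"],
                "encoded": decode_encoded_command(ev["CommandLine"]) is not None,
                "params": [p for p, _ in hits],
            })
    return findings


# Constructed sample records (not real telemetry). The first carries the
# command quoted above in clear text, the second the same command wrapped in
# -EncodedCommand the way encoded PowerShell is normally launched; the last
# two are benign (a status query, and re-enabling real-time monitoring).
OBSERVED = ("Set-MpPreference -DisableRealtimeMonitoring 1 "
            "-DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 "
            "-DisableScriptScanning 1 -DisableIOAVProtection 1 "
            "-EnableControlledFolderAccess Disabled -MAPSReporting Disabled "
            "-SubmitSamplesConsent NeverSend")
ENCODED = base64.b64encode(OBSERVED.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"Host": "ws01", "EventID": 4688, "CommandLine": "powershell.exe -Command " + OBSERVED},
    {"Host": "ws02", "EventID": 4688, "CommandLine": "powershell.exe -nop -w hidden -e " + ENCODED},
    {"Host": "ws03", "EventID": 4688, "CommandLine": "powershell.exe Get-MpComputerStatus"},
    {"Host": "ws04", "EventID": 4688, "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring 0"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```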

However, what about EDR, IDPS, and SIEM? According to an analysis by Vectra.ai (linked here), Ghost's fast operation/TTR, abuse of legitimate applications, lack of long-term persistence, and other detection evasion methods are sufficient to bypass known attack signatures, rule-based detection, and even pattern-analysis/behavioral baselines.

Payload Behavior: Anti-Forensics, Anti-Debugging/RE, and Anti-System Recovery

Ghost's ransomware payloads employ several tactics that make it even harder for security analysts to detect and analyze them, while simultaneously disabling backup and recovery processes. Cross-referencing the MD5 hashes of Ghost's malware (as provided in the CISA/FBI security advisory) with the Hybrid Analysis database revealed the following anti-recovery behaviors:

  • Deleting files with the ".VHD, .bac, .bak, .sbcat, .bkf, .set, .win, and .dsk" extensions, which are all related to backups
  • Disabling the system's volume shadow copy service
  • Deleting volume shadow copies
  • Killing processes related to the Veritas backup solution, such as the BMR Boot Service and NetBackup BMR MTFTP Service
  • Killing telemetry processes related to MS SQL Server, allowing database files to be encrypted
    Source: Hybrid Analysis Report for c5d712f82d5d37bb284acd4468ab3533 (Cring.exe - labelled in Hybrid Analysis as file)

This sample also exhibited the following evasive mechanisms:

  • Exhibiting MITRE ATT&CK technique T1055 (Process Injection) by allocating virtual memory in a separate live process (which could suggest privilege escalation and/or anti-detection behavior).
  • Being programmed to sleep (take no action) for 1566804069 milliseconds (approximately 18 days) at some point in its execution, which could indicate anything from detection evasion, to hiding behavior when being analyzed, to facilitating communication with C2 servers (or, of course, something totally innocuous).
  • Allocating memory with PAGE_GUARD access rights, which act as a one-time alarm to detect and protect against the memory page being accessed. In the context of malicious software, this could indicate that the malware is protecting from or detecting the usage of a debugger.

Finally, while I didn't see it in this sample, other ransomware payloads that Ghost has used also clear Windows Event Logs, in addition to the above activity.

(MD5 of kill.bat: fe0ccc3a60e1a5b27c055ec36e62e9e0)

Note that, according to Kaspersky's analysis (corroborated with what I saw from the Hybrid Analysis report), Ghost attacks have been observed to occur as follows:

  1. After gaining initial access, Ghost operators downloaded the "execute.bat" file in a temporary folder.
  2. "execute.bat" launches a PowerShell command under the name kaspersky, mimicking the antivirus running on the system. This command downloaded a file from a Ghost C2 server and saved it as C:\__output:
    • (Note that, while the downloaded file was called ip.txt, it is actually the executable EXE ransomware payload. When connecting to the malware-hosting C2 server via a web browser, this file had been deleted and replaced with a newer ransomware payload called NoNet.txt)
  3. The downloaded malware created a batch file called kill.bat that executed the following series of actions: (details stated earlier in this section)
    • Stopped backup services (as done in the Hybrid Analysis report earlier).
    • Stopped the SstpSvc service that creates VPN connections, making it so system administrators could not connect to the system via VPN and respond in a timely manner.
    • Terminated application processes that could hinder file encryption (as done in the Hybrid Analysis report earlier with mspub and Oracle MyDesktop services).
    • Deleted locally-stored backup files (as done in the Hybrid Analysis report earlier).
    • Deleted itself.
  4. The malware started encrypting files with AES, with the encryption key in turn being encrypted with a hard-coded RSA public key of 8,192 bits.
  5. The malware dropped a ransom note.
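A correlation check covering both the anti-recovery behaviors from the Hybrid Analysis report above and the kill.bat sequence in Kaspersky's chain, written for this post as an added example (not the article's, Kaspersky's or Hybrid Analysis' code). It classifies constructed process-creation records into anti-recovery categories (shadow-copy deletion, VSS/backup/SstpSvc service stops, backup-file deletion, process kills, self-deletion) and alerts only when one host shows several categories inside a short window, since any single action is routine admin work; the sample records, host names, timestamps and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Backup-related extensions the Cring sample deletes (from the Hybrid
# Analysis behaviors listed above).
BACKUP_EXTS = ("vhd", "bac", "bak", "sbcat", "bkf", "set", "win", "dsk")

# One category per anti-recovery action from the sandbox report and kill.bat.
# The patterns are deliberately loose: the signal is several categories on one
# host within a short window, not any single line (admins do stop VSS).
CATEGORIES = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "vss_service_disabled": re.compile(
        r"(?:sc(?:\.exe)?\s+(?:config|stop)|net(?:\.exe)?\s+stop)\s+\"?vss\b", re.I),
    "backup_service_stopped": re.compile(
        r"(?:sc(?:\.exe)?\s+stop|net(?:\.exe)?\s+stop)\s+\"?(?:netbackup|bmr boot)", re.I),
    "vpn_service_stopped": re.compile(
        r"(?:sc(?:\.exe)?\s+stop|net(?:\.exe)?\s+stop)\s+\"?sstpsvc\b", re.I),
    "backup_files_deleted": re.compile(
        r"\b(?:del|erase|remove-item)\b.*\.(?:" + "|".join(BACKUP_EXTS) + r")\b", re.I),
    "app_process_killed": re.compile(
        r"taskkill(?:\.exe)?\s.*/im\s+(?:mspub|sqlservr|sqlwriter)", re.I),
    "self_delete": re.compile(r"\bdel\b.*%~f0", re.I),  # batch file deleting itself
}


def classify(cmdline):
    """Return the sorted list of anti-recovery categories a command line matches."""
    return sorted(name for name, rx in CATEGORIES.items() if rx.search(cmdline))


def correlate(events, window=timedelta(minutes=10), min_categories=3):
    """Return one alert per host that shows at least min_categories distinct
    anti-recovery actions inside a sliding window of the given length."""
    by_host = defaultdict(list)
    for ev in events:
        cats = classify(ev["CommandLine"])
        if cats:
            by_host[ev["Host"]].append(
                (datetime.fromisoformat(ev["UtcTime"]), cats, ev["CommandLine"]))
    alerts = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            cats = sorted({c for _, cs, _ in in_window for c in cs})
            if len(cats) >= min_categories:
                alerts.append({"host": host,
                               "start": start.isoformat(),
                               "end": in_window[-1][0].isoformat(),
                               "categories": cats,
                               "commands": [c for _, _, c in in_window]})
                break  # one alert per host is enough here
    return alerts


# Constructed sample records (not real telemetry). srv01 shows a kill.bat-style
# burst within seconds; srv02 shows an admin listing shadow copies and stopping
# VSS during maintenance, which is one category and must not alert.
SAMPLE_EVENTS = [
    {"Host": "srv01", "UtcTime": "2025-01-01T03:14:05", "CommandLine": 'net stop "NetBackup BMR MTFTP Service"'},
    {"Host": "srv01", "UtcTime": "2025-01-01T03:14:06", "CommandLine": "sc config vss start= disabled"},
    {"Host": "srv01", "UtcTime": "2025-01-01T03:14:07", "CommandLine": "net stop SstpSvc"},
    {"Host": "srv01", "UtcTime": "2025-01-01T03:14:09", "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Host": "srv01", "UtcTime": "2025-01-01T03:14:12", "CommandLine": "taskkill /f /im mspub.exe"},
    {"Host": "srv01", "UtcTime": "2025-01-01T03:14:15", "CommandLine": "del /s /q /f C:\\Backups\\*.bak"},
    {"Host": "srv01", "UtcTime": "2025-01-01T03:14:16", "CommandLine": 'del "%~f0"'},
    {"Host": "srv02", "UtcTime": "2025-01-01T09:00:00", "CommandLine": "vssadmin list shadows"},
    {"Host": "srv02", "UtcTime": "2025-01-01T09:05:00", "CommandLine": "net stop vss"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["start"], alert["end"], alert["categories"])
```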

Short, Minimal, or No Persistence ("Moving Quickly")

As mentioned earlier, Ghost avoids long-term persistence, and like many other modern and high-performing ransomware gangs, is trending towards a regularly low TTR ("Time-to-Ransom" from initial access) of mere hours or days. This rapid turnaround, combined with the other evasive mechanisms and tactics that Ghost employs, can make it difficult for security tools or analysts to collect and analyze data, detect abnormalities and identify malicious behavior, and then effectively respond.

I thought the following claim in an analysis by Vectra was incredibly thought-provoking:

"Traditional security is too slow - only AI can stop Ghost in time."

Despite being a biased transition into an audacious marketing statement for AI-powered behavioral analysis and automated response, I mention this quote because there is a lot of truth to it, and it uncomfortably paints a very real and developing picture of adversaries that are simply too fast for certain defenses to be effective.

Tailoring Attacks to the Victim and NOT Demanding Millions

Another reason why Ghost is so successful likely lies in how they tailor their attacks to victims on a case-by-case basis, which includes parameters ranging from impersonating the victim's security software (as mentioned earlier in the case study by Kaspersky) to the way they set the price-points of their ransom demands.

According to securityintelligence.com, the average ransom demand in 2024 rose to $2.73 million (from about $1 million in 2023), and the average ransom demand for healthcare organizations exceeded $5.2 million in the first half of 2024 (with high-profile incidents reaching over $20 million). However, many organizations would have a really hard time forking out a million (or several million) dollars at the drop of a hat. Additionally, many organizations, like small to medium sized businesses and health practices, simply would not be able to pay that much, that quickly. Forcing organizations into a corner like this can make them feel they have no choice but to involve law enforcement and/or not pay the demand. As stated earlier, Ghost specifically demands "more reasonable" payments in the tens to hundreds of thousands of dollars, which organizations can justify paying far more readily.

Additionally, it has been cited that the impact of a Ghost ransomware attack varies significantly on a victim-by-victim basis. These deliberate and surgical attacks (combined with the earlier-mentioned disabling of backup/recovery methods) put victims in a situation where they have a much harder time refusing to pay a ransom.

Specific Targeting

Ghost only targets internet-facing applications and devices that have known, unpatched vulnerabilities WHILE avoiding or moving on from segmented networks that prevent lateral movement. The following is a rundown of Ghost's targets:

  • Seemingly indiscriminately-targeted VPNs, firewalls, and network appliances.
  • All of the sectors that are typically the most profitable and consequential for ransomware operators to target (critical infrastructure, healthcare, schools and universities, government institutions, religious institutions, technology and manufacturing, and small-to-medium-sized businesses).
  • Targets residing in 70+ countries. While Ghost is supposedly linked to China (diving more into their origins is out-of-scope of this report), they also target internet-facing Chinese systems all the same.

Communication via Encrypted Email Services and TOX

Most ransomware gangs post an onion link to the dark web (with an access key or username/password login) in their ransom notes (see feeds like ransomlook.io for a list of ransomware gangs and their notes). In Ghost's ransom notes, on the other hand, they typically provide 1-2 email addresses registered via encrypted email services like Proton Mail and Tutanota for victims to contact and start the payment/decryption process. A full list of the 41 known emails (including 8 not in the FBI/CISA report) linked to Ghost is in the "IoCs" section at the end of this report. Additionally, the CISA/FBI report mentioned that Ghost also uses the TOX peer-to-peer, end-to-end encrypted instant messaging and video-calling protocol/application. Some of their known TOX IDs are as follows:

  • EFE31926F41889DBF6588F27A2EC3A2D7DEF7D2E9E0A1DEFD39B976A49C11F0E19E03998DBDA
  • E83CD54EAAB0F31040D855E1ED993E2AC92652FF8E8742D3901580339D135C6EBCD71002885B

Using encrypted email services contributes to Ghost's success in various ways:

  • End-users will find it much easier to send a simple email, rather than setting up the Tor Browser, accessing a .onion link, and logging into a web application.
  • Email addresses cannot be hacked, taken over, or monitored like a web application on the Tor network can.
  • Using a wide variety of encrypted email addresses makes attribution harder than hosting a .onion site. Additionally, it is easier to create, delete, and maintain email accounts than it is to do the same for web applications/websites on the Tor network.
  • While administrators of the encrypted email communication services can take down Ghost's email addresses, it isn't an instantaneous process (typically requiring an abuse report with evidence provided by a victim, and then action taken on the part of the administrators) and doesn't compromise the anonymity of Ghost's operators.
    Applications that use the TOX protocol (like qTox) offer similar benefits (and I suspect their peer-to-peer nature eliminates the concern of takedowns by administrators, but I cannot say this definitively because I do not have experience with TOX).

Limited Exfiltration (While Still Threatening Double-Extortion)

As mentioned earlier, Ghost threatens double-extortion, while not actually exfiltrating that much data (under 100 GB). This lends support to Ghost's success for a variety of reasons:

  • Threatening double-extortion (leaking data to the public, which no backup solution or action by the victim can prevent after the data has been stolen) puts victims in a difficult position that makes it even more compelling for the ransom to be paid. Even if Ghost doesn't steal a relatively large amount of data as compared to other attacks, organizations still are forced to decide whether they can afford the risk of leakage, especially when they may not know exactly what data was stolen (with the safest assumption being to assume the worst).
  • Exfiltration can be a noisy activity, and it is somewhat of an artform. There are many methods and mediums that an adversary can use for exfiltrating data, but exfiltrating less data generally reduces the opportunities for its detection. With Ghost's tendency to exfiltrate less than a hundred gigabytes in their attacks (rather than hundreds to thousands of terabytes, as seen in other attacks), this increases their stealthiness. While it cannot be stated for certain if this is Ghost's intention or not, it is just one of the many factors that either intentionally or coincidentally could help indicate why Ghost is so successful in their operations.

Side Note: Ghost's Nebulous Origins

First off, while many reports and articles say that Ghost was discovered in 2021, including the official FBI/CISA report, evidence shows that Ghost (known primarily as "Cring" back then) has been operating since at least December 9th, 2020, 12:49:07 (with another, less-verifiable source claiming December 7, 2020).

The most important source that corroborates this fact is the following Chinese web forum post:

This is trustworthy because it details one of the verified ransom note filenames ("deReadME!!!") and emails known to be used by Ghost. There are three sources that contain this post:

Additionally, the following sources corroborate the start of Ghost's operations being in early December of 2020:

  • The cited "discoverer" of the Ghost (back then known as Cring) ransomware, Amigo-A (Andrew Ivanov), stated this in both a forum post and his blog on the Ghost gang:
  • (Translated from Russian:) "The activity of this crypto-ransomware fell between early December 2020 and mid-January 2021... According to information from victims dated December 7, 2020, an early version encrypted only DOC and TXT files." (source of blog excerpt)
    • Translation by Reverso Context: "The activity of this crypto-extortionist occurred in early December 2020 - mid-January 2021. Aimed at English-speaking users, can spread around the world. It is reported that the victims of these attacks are industrial enterprises in some countries of Europe...According to information from the victims of December 7, 2020, the earlier version encrypted only DOC and TXT files."
  • A report by Kaspersky that states the release date of the Cring ransomware family to be December 2020 (linked here).

How to Combat Ghost (Security Recommendations)

Recommended actions from CISA and Kaspersky:

  • Make sure the components of all (endpoint) security solutions are enabled
  • Implement network segmentation (e.g., via VLANs) to restrict lateral movement
  • Keep the following fully updated:
    • Internet-facing applications
    • Antimalware databases
  • Implement the principle of least privilege:
    • Make Active Directory policies that allow users to only log into the workstations they need to
  • Block connections to industrial systems that are not required by the industrial process
  • Store backups on a system different from the one being backed up
  • Implement EDR-type solutions on all endpoints in all networks
  • Implement advanced security solutions:
    • Consider MDR/managed security solutions to leverage the knowledge and expertise of high-level security professionals
    • Consider implementing (AI) behavioral analysis
  • Implement allowlisting/whitelisting for applications, scripts, and network traffic
  • Disable unnecessary ports
  • Implement anti-phishing techniques (implement phishing-resistant MFA, a strong security education and awareness training program, and advanced email filtering)

My security recommendations that stem from the above research:

  • Retire end-of-life servers, devices, and applications
  • Periodically audit for out-of-date systems, for those not configured to receive auto-updates, and for those that are missing hardened security configurations
  • Implement tamper protection on endpoint security solutions, if applicable
  • Backup/aggregate local endpoint logs in a hardened centralized logging system
  • Consider implementing behavioral analysis solutions
  • Block PowerShell on computers that don't need it, at least flagging its usage on computers with users that don't need it

IoCs

Names:

  • Ghost
  • Cring
  • Cring Hand
  • Crypt3r
  • Phantom
  • Strike
  • Hello
  • Wickrme
  • HsHarada
  • Rapture
  • RSA Virus

Contact Emails


For disclosure: the 33 emails provided in the CISA/FBI report are assumed to be verified. The full list is 41 emails long.
Services: Tutanota/Tutamail/Tuta.io, Skiff, Mailfence, OnionMail, ProtonMail, and potentially one from Cock.li

Payloads:

  • Verified:
    • cring.exe
    • Ghost.exe
    • Elysium0.exe
    • Elysium.exe
    • Locker.exe
    • file.exe
    • iex.txt, pro.txt (listed as IOX proxy IoCs from CISA)
    • ip.txt
    • NoNet.txt
    • C:\__output.txt
  • "Helper" Files:
    • execute.bat
    • kill.bat
  • Unverified (and associated with the Parasite ransomware as well):
    • 848299.exe
    • SchoolPrject1.exe

Extensions

Verified:

  • .cring
  • .ghosts
  • .RSA / .rsa
  • .vjiszy1lo
  • .phantom
  • .VnBeHa99y
    • Note: Verified from verified emails in the ransom note.
  • .just4money
  • .jpghosts
    • Note: Verified from being associated in a forum with an attack that used a verified ransom note (HOW_CAN_GET_FILES_BACK.rtf).
  • .pay4it

Semi-Verified (based off of the verified email address with the same name):

  • .sg-ghosts
  • .sgghosts

Unverified (but associated with an unverified/unverifiable source that has verified information):

  • .BeHappy
  • .D0ntW0rry
  • .GetMoney
  • .Gets
  • .KrB3Ha99y
  • .KrDontCry
    • Note: A Hybrid Analysis heuristics text match in an analysis of cring.exe has the message "DontCry :)".
  • .Spanishghost
  • .Welcomeghost
  • .dkghost
  • .rsaes
    • Note: This likely (and cheekily) refers to the RSA + AES algorithms used in encryption.
  • .ryuks
  • .lldc
  • .locked
  • .sg-Geister

Totally Unverified and Unverifiable (and unassociated with anything verifiable):

  • .4nMaJj

Ransom Notes:

Another without a screenshot:

  • HOW_CAN_RECOVERY.txt (it was attached in a BleepingComputer forum, but I could not get the access link to work)
