Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Ghost ransomware recovery team on standby
Ghost (also tracked as Cring and Phantom) has compromised organisations across 70+ countries since 2021 by exploiting unpatched internet-facing services including Microsoft Exchange, Adobe ColdFusion, and Fortinet CVE-2018-13379. Do not attempt containment alone — isolate affected systems immediately and engage UnderDefense's incident response team.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a Ghost attack can make a huge difference and help you make a full recovery. Request 24/7 Ghost ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Ghost uses AES-256 for file encryption combined with RSA-2048 for key protection, creating hybrid encryption resistant to cryptanalysis. The gang implements custom key derivation making decryption infeasible without access to attacker-held private keys.
Ghost actors conduct wide-scale vulnerability scanning for outdated software and exploit indiscriminately based solely on vulnerability presence, not target selection. This results in compromise of schools, nonprofits, government, and critical infrastructure alongside commercial targets. Geographic and industry diversification suggests purely financially motivated operations.
The gang exfiltrates data before encryption and threatens public release on dark web forums. Ransom demands range from tens to hundreds of thousands of dollars per incident. Recent communications via TOX enable more anonymous extortion negotiations without traceable email records.
Recent 2024-2025 activity shows acceleration from initial compromise to encryption within 24 hours or less, indicating pre-staging of ransomware binaries and automated exploitation chains. The gang rotates ransomware filenames (Cring.exe, Ghost.exe, ElysiumO.exe, Locker.exe) to evade signature detection.
Ghost systematically disables Volume Shadow Copy Service, clears Windows Event Logs to hide forensic evidence, and deletes shadow copy backups to prevent system recovery, making offline backup the only reliable recovery option.
No legitimate public decryptor exists. RSA-2048 encryption is cryptographically sound. Recovery requires either offline backups or ransom payment with extreme caution. Some victims report paid keys were useless or partial, indicating gang breach of ransom agreements.
Identify Ghost infections by searching for .ghost, .cring, .flip file extensions, ransom notes named GOD.txt, FILES_ENCRYPTED.txt, or TOX contact addresses. Monitor for Event Log clearing, Volume Shadow Copy deletion, and rapid file encryption across SMB shares.
File Extensions
.ghost, .cring, .flip, .Phantom, .strike, .hello, .wickrme, .HsHarada, .rapture (extensions rotate per variant)
Ransom Note Filenames
GOD.txt, FILES_ENCRYPTED.txt, UNLOCK_FILES.txt (naming varies by sample)
Ghost Hashes
SHA256 hashes: Ghost ransomware executables vary significantly across samples. Known samples include:
– Cring.exe variants (documented in threat intelligence feeds)
– Ghost.exe variants (rotated regularly)
– ElysiumO.exe variants (observed in 2024-2025 campaigns)
Monitor for process behavior rather than static signatures due to frequent re-compilation.
Ghost Tools
Reconnaissance: External vulnerability scanning (Shodan, public databases), network enumeration post-compromise
Exploitation: Known vulnerabilities in ProxyShell (Exchange), Fortinet FortiOS, Adobe ColdFusion
Data Exfiltration: Custom scripts, legitimate cloud storage (if accessed via compromised credentials)
Persistence: Registry modification, scheduled tasks for re-execution
Encryption: Custom AES-256/RSA-2048 implementation
Log Clearing: wevtutil to clear Event Logs, custom scripts to delete shadow copies
Most Common Red Flag
Simultaneous occurrence of Volume Shadow Copy deletion (via vssadmin or wmic), Event Log clearing (wevtutil clear-log security), and mass file encryption across network shares with .ghost or .cring extensions. Often preceded by probing of Exchange, Fortinet, or ColdFusion endpoints from external IP addresses.
Attack vector | % of Ghost incidents | Notes |
Unpatched Exchange ProxyShell | 35% | CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 |
Unpatched Fortinet FortiOS | 30% | Multiple CVEs including CVE-2018-13379 (VPN bypass) |
Adobe ColdFusion RCE | 20% | CVE-2023-26360 and predecessors; deserialization bugs |
Unpatched Cisco/Palo Alto | 10% | VPN and firewall vulnerabilities |
Other Legacy Software | 5% | VPN and firewall vulnerabilities |
A U.S. school district paid ransom; data was publicly released 2 weeks later on multiple forums despite payment. A healthcare organization refused payment; Ghost re-entered via same Exchange vulnerability 6 months later and encrypted again. Law enforcement (FBI) seized some Ghost infrastructure in 2024, but group continues operations with new C2 servers.
Immediately disconnect all affected systems from network. Isolate Exchange servers and Fortinet appliances from internet access. Patch all internet-facing services (Exchange, ColdFusion, Fortinet) within 24 hours. Scan for and delete ransom note files and suspicious scheduled tasks. Restore from verified offline backups created before infection. Monitor for re-infection attempts via external scanning.
Recovery depends entirely on offline backup availability. Assume all credentials compromised; reset administrative passwords and enforce MFA network-wide. Rebuild internet-facing services from clean snapshots. Patch all systems to current versions before bringing infrastructure back online. Monitor security logs for 90+ days for indicators of re-compromise (unusual logons, service creation, file access patterns).
Ghost demands range from $50,000 to $500,000+ depending on organization size and data sensitivity. Demands are negotiable. Average settlement (among victims who disclose) is $150K-300K. Ransom payment provides no guarantee of data deletion—public gang track record shows 50%+ of victims have data released post-payment.
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowGhost is an indiscriminate ransomware operation that targets outdated internet-facing software, compromising organizations across 70+ countries regardless of sector or size. The group uses AES-256/RSA-2048 hybrid encryption and conducts double extortion by stealing data before encryption and threatening public release. Recent activity (2025) shows acceleration to encryption within 24 hours and use of TOX peer-to-peer messaging for ransom demands, making law enforcement tracking difficult.
Attribution indicates the group operates from China based on infrastructure patterns, timing of activity (UTC+8), and operational style. The indiscriminate targeting suggests financially motivated cybercriminals rather than state-sponsored attackers. The group has not claimed APT designation or nation-state affiliation despite sophisticated exploitation expertise.
Ghost operators conduct continuous external vulnerability scanning using tools like Shodan, identifying organizations running outdated versions of Exchange, Fortinet, ColdFusion, and other internet-facing services. When vulnerable services are found, the gang exploits known vulnerabilities for remote code execution, establishes persistence, exfiltrates sensitive data, and deploys the ransomware encryptor. Recent improvements show automation of the exploitation chain, reducing time from discovery to encryption to 24 hours.
Recent 2024-2025 activity shows dramatic compression of attack timeline. Early 2021 attacks averaged 2-4 weeks dwell time, but recent incidents show initial exploit to ransom note delivery within 24 hours or less. This acceleration suggests pre-staging of data exfiltration tools and ransomware binaries to minimize detection window.
No legitimate public decryptor exists for Ghost ransomware. RSA-2048 encryption is mathematically secure. Some victims who paid ransom report keys were non-functional or incomplete, suggesting gang may not actually decrypt files even after payment. Recovery requires offline backups or payment with extreme caution and law enforcement coordination.
All files encrypted with .ghost or variant extensions become inaccessible. The gang threatens release of exfiltrated data on dark web forums if ransom is not paid within 7 days. For organizations with critical dependencies on encrypted systems (healthcare, government, education), operational disruption is immediate and severe. The gang often leaks sample data (10-100 files) to prove they have exfiltrated the full dataset.
Prioritize patching of internet-facing services. Exchange should be updated to latest version within 48 hours of CVE release. Fortinet appliances require monthly patch cycles. Disable internet-facing RDP and ColdFusion unless absolutely required; if required, use jump hosts and MFA. Remove or disable legacy systems running unsupported operating systems. Monitor for external vulnerability scanning and probing of known vulnerable endpoints. Maintain offline backups and test recovery procedures quarterly.
– Patch Microsoft Exchange to latest cumulative update within 48 hours of release
– Monitor for ProxyShell exploitation attempts; block IMAP4 port 143 if not essential
– Patch Fortinet FortiOS devices monthly; disable internet-facing admin interfaces
– Remove or air-gap Adobe ColdFusion if not actively used; if required, disable public-facing folders
– Disable or restrict internet-facing RDP; use VPN with MFA instead
– Implement network segmentation to isolate internet-facing services from internal network
– Monitor for external vulnerability scanning and block scanning sources
– Maintain offline backups tested quarterly; assume online backups may be compromised
– Deploy EDR with detection rules for Event Log clearing and Volume Shadow Copy deletion
Rotating filenames (Cring.exe, Ghost.exe, ElysiumO.exe) and extensions (.ghost, .cring, .flip) serves multiple purposes:
1) Bypasses signature-based detection that matches specific filenames
2) Complicates forensic analysis and victim attribution
3) Enables the gang to claim multiple “variants” while using substantially similar code
4) Prevents victims from filtering specific ransomware signatures in antivirus definitions
Despite China-based infrastructure attribution, Ghost is assessed as financially motivated cybercriminals rather than state-sponsored attackers. The indiscriminate targeting, focus on ransom payment, and lack of data exfiltration for espionage purposes suggest pure profit motive. However, sophisticated exploitation of ProxyShell and infrastructure sophistication suggests advanced technical capability beyond typical cybercriminals.