Introduction
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) recently issued a warning about Ghost (Cring) ransomware, a threat that has been active since early 2021. This ransomware group, believed to be operating from China, has targeted organisations in over 70 countries, including the UK. As part of the UK’s national cybersecurity efforts, businesses and public sector entities must remain vigilant against ransomware threats. The National Cyber Security Centre (NCSC) strongly advises organisations to implement robust cybersecurity defences to mitigate risks from ransomware groups like Ghost.
Ghost Ransomware: Key Threats to UK Organisations
Ghost ransomware actors have been observed exploiting outdated software and firmware to gain access to vulnerable systems. Once inside, they deploy malicious payloads to encrypt files, disrupt operations, and demand ransoms. Their indiscriminate approach means that any organisation with unpatched systems is a potential target.
Who is at Risk?
Ghost ransomware has targeted a wide range of sectors, including:
- Critical infrastructure (energy, transport, and telecommunications)
- Healthcare organisations (NHS trusts, private hospitals, and research labs)
- Schools, colleges, and universities
- Government departments and local councils
- SMEs and large enterprises in manufacturing, technology, and finance
- Religious institutions and charities
How Does Ghost Ransomware Operate?
Ghost actors rotate their ransomware payloads and modify ransom notes, making attribution difficult. Their techniques include:
- Exploiting known Common Vulnerabilities and Exposures (CVEs) in unpatched systems.
- Deploying malicious executables such as Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.
- Using a variety of file extensions and ransom email addresses to evade detection.
- Gaining initial access through exposed remote desktop protocol (RDP), VPN, or weak credentials.
- Encrypting critical files while demanding payment in cryptocurrency.
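A triage check for the payload file names listed above, run over exported process-creation events. This is an added example, not part of the original advisory. The CSV column names and the sample events are constructed assumptions, and because the actors rotate payloads, a clean result does not rule out compromise.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Payload file names listed on this page; the actors rotate payloads,
# so a name match is a triage signal and its absence proves nothing.
GHOST_PAYLOAD_NAMES = {"cring.exe", "ghost.exe", "elysiumo.exe", "locker.exe"}

# Constructed sample: process-creation events exported as CSV
# (column names are assumptions, e.g. an export of Sysmon Event ID 1 data).
SAMPLE_EVENTS = r'''timestamp,host,user,image
2025-02-20T09:14:02Z,FS01,CORP\svc_backup,C:\Windows\System32\svchost.exe
2025-02-20T09:15:40Z,FS01,CORP\admin1,"C:\Users\Public\Ghost.exe"
2025-02-20T09:15:55Z,WEB02,NT AUTHORITY\SYSTEM,c:\programdata\ELYSIUMO.EXE
2025-02-20T09:16:10Z,WEB02,CORP\jsmith,C:\Tools\ghostscript\gswin64c.exe
2025-02-20T09:17:31Z,HR07,CORP\akhan,C:\Temp\locker.exe.txt
'''

def payload_name(image_path):
    """Return the lower-cased file name if it matches a listed payload, else None."""
    # Compare the exact file name only, so "gswin64c.exe" under a "ghostscript"
    # folder or "locker.exe.txt" does not raise a false alert.
    name = PureWindowsPath(image_path.strip().strip('"')).name.lower()
    return name if name in GHOST_PAYLOAD_NAMES else None

def find_hits(csv_text):
    """Map host -> list of (timestamp, user, image) for matching events."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if payload_name(row.get("image") or ""):
            hits[row["host"]].append((row["timestamp"], row["user"], row["image"]))
    return dict(hits)

if __name__ == "__main__":
    for host, events in sorted(find_hits(SAMPLE_EVENTS).items()):
        print(f"[!] {host}: isolate and investigate")
        for ts, user, image in events:
            print(f"    {ts} {user} ran {image}")
```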
UK-Specific Mitigation Recommendations
To protect against Ghost ransomware, UK organisations should implement the following measures:
- Keep all software and systems up to date by applying patches for known vulnerabilities, especially for internet-facing services.
- Use strong authentication methods, including Multi-Factor Authentication (MFA) for remote access, VPNs, and privileged accounts.
- Monitor and restrict RDP access by disabling unused RDP services and using VPNs with MFA if remote access is required.
- Implement network segmentation to reduce the spread of ransomware within the network.
- Conduct regular backups, ensuring backups are encrypted, offline, and tested to prevent data loss.
- Deploy endpoint protection using advanced Endpoint Detection and Response (EDR) solutions to detect and block ransomware.
- Educate employees through cyber awareness training to help staff recognise phishing attacks and suspicious activities.
- Have a ransomware response plan to ensure incident response and business continuity plans are ready in case of an attack.
For more detailed guidance, visit the UK National Cyber Security Centre (NCSC) ransomware resource: www.ncsc.gov.uk.
What to Do if Your Organisation is Infected
If you suspect a Ghost ransomware attack, take the following steps immediately:
- Isolate the infected systems to prevent further spread.
- Do not pay the ransom, as there is no guarantee that payment will restore data, and it funds criminal activity.
- Report the incident to Action Fraud UK (www.actionfraud.police.uk) and the NCSC.
- Engage cybersecurity experts to assess the damage and recover systems securely.
Final Thoughts
Ghost ransomware is a persistent and evolving threat to UK businesses and public sector organisations. The best defence is a proactive cybersecurity strategy, focusing on patch management, access control, employee training, and strong incident response. By implementing these best practices, UK organisations can significantly reduce their risk and minimise the impact of ransomware attacks.
For more information on ransomware protection, visit the NCSC’s Stop Ransomware hub: www.ncsc.gov.uk/ransomware.
Stay secure. Stay prepared. Defend, Detect, Respond.