On February 19, 2025, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory. The notice details ongoing threats to the public from specific groups and ransomware variants. It also outlines observed tactics, techniques, and procedures (TTPs) and provides a checklist to mitigate the impact of an attack.
The message from the FBI and CISA is clear: You should back up data immediately.
Below, our specialists break down the threat and explain how to protect data from ransomware attacks. We have decades of ransomware data recovery experience. That expertise helps us restore files on infected systems and develop reliable products, such as encrypted external drives.
Explaining Ghost Ransomware
The release names the Ghost ransomware group as the source of the latest attacks. The group (also known as Cring) operates in China. Officials suspect Ghost of launching attacks against organizations in more than 70 countries since 2021. The group targets government networks, critical infrastructure, and companies in the finance, tech, and manufacturing sectors for sensitive data. Ghost actors infect systems with malware and encrypt data stored on the device.
Recent attacks attributed to the group involve exploiting common vulnerabilities and exposures (CVEs) in outdated software and firmware. They detect CVEs using commands within the Cobalt Strike attack platform. Then, Ghost actors attack unpatched systems to gain access to servers with a public IP address. They mainly target Fortinet appliances, the Adobe ColdFusion app, and Microsoft SharePoint and Exchange servers.
Once inside the system, the group uses the Command Prompt or PowerShell to download and execute the malware. Samples of ransomware files include cring.exe, ghost.exe, elysium0.exe, and locker.exe. They may run further functions to collect or change passwords and elevate privileges. Victims cannot access data without the encryption key.
After implanting malware, Ghost actors leave a note that demands a ransom payment for the return of encrypted files. The note claims the group will exfiltrate files and leak or sell sensitive data if the ransom is not paid. However, the FBI reports that Ghost typically downloads less than 100 GB of data to servers tied to the group.
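For defenders, the sample file names listed above can be checked against process-creation logs. The following is an added example, not code from the advisory or from this article's authors: it triages constructed events that use Sysmon-style field names (`Image`, `ParentImage`, `CommandLine`), with `Host` as an assumed field. File names are easy to change, so treat a match as a triage lead rather than a complete detection.

```python
import json
import ntpath
import re

# File names the article lists as Ghost ransomware samples.
GHOST_SAMPLE_NAMES = {"cring.exe", "ghost.exe", "elysium0.exe", "locker.exe"}
# Interpreters the article says are used to download and execute the malware.
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed process-creation events, one JSON object per line (not real telemetry).
SAMPLE_EVENTS = r'''
{"Host":"web01","Image":"C:\\Users\\Public\\Ghost.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"C:\\Users\\Public\\Ghost.exe"}
{"Host":"fs02","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\services.exe","CommandLine":"powershell.exe Start-Process C:\\Temp\\locker.exe"}
{"Host":"hr03","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"cmd.exe /c dir C:\\Tools\\ghostscript.exe"}
{"Host":"ws04","Image":"C:\\Tools\\locker.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"C:\\Tools\\locker.exe"}
'''

def base(path):
    # Lower-cased file name of a Windows path; empty string if the field is missing.
    return ntpath.basename(path or "").lower()

def triage(event):
    # Return (severity, reason) for a suspicious event, or None.
    image, parent = base(event.get("Image")), base(event.get("ParentImage"))
    if image in GHOST_SAMPLE_NAMES:
        severity = "high" if parent in SHELLS else "medium"
        return (severity, f"{image} executed (parent: {parent})")
    if image in SHELLS:
        # Compare whole tokens so ghostscript.exe does not match ghost.exe.
        tokens = {base(t) for t in re.split(r"[\s\"']+", event.get("CommandLine", ""))}
        hits = sorted(tokens & GHOST_SAMPLE_NAMES)
        if hits:
            return ("medium", f"{image} command line references {', '.join(hits)}")
    return None

def scan(lines):
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = triage(event)
        if verdict:
            findings.append((event.get("Host"), *verdict))
    return findings

if __name__ == "__main__":
    for host, severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {host}: {reason}")
```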
Here are three actions that CISA and the FBI propose to mitigate threats related to Ghost ransomware:
- Maintain regular backups. Follow the 3-2-1 Rule for backups. Keep copies separate from the source system to avoid infecting backups.
- Patch known issues. Applying timely updates to software and firmware reduces exposure to ransomware.
- Segment networks. Segmentation makes lateral movement from infected devices to other endpoints more difficult.
Consult the joint advisory for full guidance on mitigation.
How To Protect Data From Ransomware With SecureDrive®

Local backups can serve as an effective method of protecting data from ransomware attacks. External drives are isolated from the network when not connected for file transfers. Therefore, attackers cannot spread ransomware to these devices. They also allow users complete control over versioning.
The SecureDrive® BT, SecureDrive® KP, and SecureDrive® DUO provide greater protection than other external devices. Each SecureDrive® model comes equipped with ClevX DriveSecurity®. The built-in tool scans all incoming files for malware during data transfers. SecureDrive® will not save infected files to its storage medium upon finding malicious code. The feature even works without the internet. Advanced threat detection and multi-factor authentication make these products the most secure solution for local backups.
You can order SecureDrive® as a hard disk drive (HDD) or solid-state drive (SSD). Capacities range from 250 GB to 20 TB. All models earn FIPS certification to meet the most stringent encryption standards.
Request a free evaluation of SecureData products to see firsthand how SecureDrive® protects data from ransomware.
Contact the Experts for Ransomware Data Recovery
Sometimes, ransomware overcomes cyber defenses, infects systems, and encrypts important data. Using a data recovery service is often safer than paying the ransom in these cases.
Secure Data Recovery is the worldwide leader in professional data recovery services. Our engineers have recovered billions of files across over 100,000 cases. We have maintained a 96% success rate since 2007, regardless of the file type, failure mode, and storage device. Our experience includes complex ransomware recoveries on large-scale systems. Yet, we still make it easy for you. Our streamlined process offers free quotes and a No Data, No Recovery Fee guarantee.
Call 800-388-1266 or request help to discuss your case with an expert and recover data from a ransomware attack.