StopRansomware: Ghost (Cring) Ransomware

    Date: 02/20/2025

    Severity: High

    Summary

    "StopRansomware: Ghost (Cring) Ransomware" is a CISA advisory (AA25-050A) describing a China-based cybercriminal group, known as Ghost or Cring, that targets vulnerable internet-facing services. Since 2021 the group has compromised organizations worldwide, including critical infrastructure operators and businesses. It rotates ransomware payloads, changes the extensions of encrypted files, and uses many different ransom-note email addresses, all of which make attribution difficult. Known Ghost ransomware executables include Cring.exe, Ghost.exe, and Locker.exe.

    Indicators of Compromise (IOC) List

    Hashes (MD5)


    Filenames

    Cring.exe

    Ghost.exe

    ElysiumO.exe

    Locker.exe

    iex.txt

    pro.txt

    x86.log

    sp.txt

    main.txt

    isx.txt

    sock.txt

    Emails


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    md5hash IN ("c5d712f82d5d37bb284acd4468ab3533","ac58a214ce7deb3a578c10b97f93d9c3","625bd7275e1892eac50a22f8b4a6355d","a2fd181f57548c215ac6891d000ec6b9","d1c5e7b8e937625891707f8b4b594314","c3b8f6d102393b4542e9f951c9435255","34b3009590ec2d361f07cac320671410","d9c019182d88290e5489cdf3b607f982","29e44e8994197bdb0c2be6fc5dfc15c2","c9e35b5c1dc8856da25965b385a26ec4","ef6a213f59f3fbee2894bd6734bbaed2","0a5c4ad3ec240fbfd00bdc1d36bd54eb","ff52fdf84448277b1bc121f592f753c5","db38ef2e3d4d8cb785df48f458b35090")

    Detection Query 2

    resourcename in ("Windows Security") AND eventtype = "4663" AND objectname IN ("Cring.exe","Ghost.exe","ElysiumO.exe","Locker.exe","iex.txt","pro.txt","x86.log","sp.txt","main.txt","isx.txt","sock.txt")

    Detection Query 3

    technologygroup = "EDR"  AND objectname IN ("Cring.exe","Ghost.exe","ElysiumO.exe","Locker.exe","iex.txt","pro.txt","x86.log","sp.txt","main.txt","isx.txt","sock.txt")

    Detection Query 4

    resourcename in ("Sysmon") AND eventtype = "11" AND filename IN ("Cring.exe","Ghost.exe","ElysiumO.exe","Locker.exe","iex.txt","pro.txt","x86.log","sp.txt","main.txt","isx.txt","sock.txt")

    Detection Query 5

    technologygroup = "EDR"  AND filename IN ("Cring.exe","Ghost.exe","ElysiumO.exe","Locker.exe","iex.txt","pro.txt","x86.log","sp.txt","main.txt","isx.txt","sock.txt")

    Detection Query 6

    email like "asauribe@tutanota.com" or email like "cringghost@skiff.com" or email like "crptbackup@skiff.com" or email like "d3crypt@onionmail.org" or email like "d3svc@tuta.io" or email like "eternalnightmare@tutanota.com" or email like "evilcorp@skiff.com" or email like "fileunlock@onionmail.org" or email like "fortihooks@protonmail.com" or email like "genesis1337@tutanota.com" or email like "ghost1998@tutamail.com" or email like "ghostbackup@skiff.com" or email like "ghosts1337@skiff.com" or email like "ghosts1337@tuta.io" or email like "ghostsbackup@skiff.com" or email like "hsharada@skiff.com" or email like "just4money@tutanota.com" or email like "kellyreiff@tutanota.com" or email like "kev1npt@tuta.io" or email like "lockhelp1998@skiff.com" or email like "r.heisler@skiff.com" or email like "rainbowforever@skiff.com" or email like "rainbowforever@tutanota.com" or email like "retryit1998@mailfence.com" or email like "retryit1998@tutamail.com" or email like "rsacrpthelp@skiff.com" or email like "rsahelp@protonmail.com" or email like "sdghost@onionmail.org" or email like "shadowghost@skiff.com" or email like "shadowghosts@tutanota.com" or email like "summerkiller@mailfence.com" or email like "summerkiller@tutanota.com" or email like "webroothooks@tutanota.com"
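Added example (not part of the Gurucul page or the CISA advisory): a Python version of the Query 2 and Query 4 logic above, run over constructed sample events. The field names follow the queries; the JSON event shape, the "host" field and the hostnames are assumptions.

```python
import json
import ntpath

# Filenames listed as Ghost (Cring) indicators on this page (compared case-insensitively).
GHOST_FILENAMES = {
    "cring.exe", "ghost.exe", "elysiumo.exe", "locker.exe", "iex.txt", "pro.txt",
    "x86.log", "sp.txt", "main.txt", "isx.txt", "sock.txt",
}

def basename_lower(path):
    """Lower-cased final component of a Windows path (logs carry full paths)."""
    return ntpath.basename(path).lower()

def match_event(event):
    """Apply Query 2 (Security 4663 / objectname) or Query 4 (Sysmon 11 / filename)
    to one normalised event. Returns the matched indicator filename, or None."""
    source = event.get("resourcename")
    etype = str(event.get("eventtype"))
    if source == "Windows Security" and etype == "4663":
        field = "objectname"
    elif source == "Sysmon" and etype == "11":
        field = "filename"
    else:
        return None  # other sources/event types are outside both queries
    name = basename_lower(event.get(field, ""))
    return name if name in GHOST_FILENAMES else None

def scan(json_lines):
    """Run match_event over JSON event lines; return (host, eventtype, indicator) hits.
    Note: generic names such as main.txt or x86.log will also match benign files, so
    hits on those should be triaged against the path and the creating process."""
    hits = []
    for line in json_lines:
        event = json.loads(line)
        matched = match_event(event)
        if matched:
            hits.append((event.get("host"), str(event.get("eventtype")), matched))
    return hits

# Constructed sample events (hypothetical hosts and paths, not from the advisory).
SAMPLE_EVENTS = [
    r'{"host": "ws01", "resourcename": "Sysmon", "eventtype": "11", "filename": "C:\\Users\\Public\\Ghost.exe"}',
    r'{"host": "srv02", "resourcename": "Windows Security", "eventtype": "4663", "objectname": "C:\\ProgramData\\iex.txt"}',
    r'{"host": "ws01", "resourcename": "Sysmon", "eventtype": "11", "filename": "C:\\Windows\\Temp\\report.txt"}',
    r'{"host": "srv02", "resourcename": "Windows Security", "eventtype": "4624", "objectname": "C:\\Temp\\Locker.exe"}',
    r'{"host": "ws03", "resourcename": "Sysmon", "eventtype": "1", "filename": "C:\\Temp\\cring.exe"}',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)  # only the first two sample events match
```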

    Reference:

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a


    Tags: CISA, Ransomware, Critical Infrastructure, China
