‘Ghost’ Ransomware Crew From China Hits U.S. and U.K. Hospitals, Energy Firms in 70-Nation Crime Wave

A financially motivated hacking collective dubbed “Ghost” has launched ransomware and data-extortion attacks in more than 70 countries, zeroing in on hospitals, government offices, utilities and factories across North America and the United Kingdom, according to a new threat-intelligence report from security firm BlackFog.

A Shape-Shifting Brand of Crime

The group—previously known to researchers by aliases such as Cring, Crypt3r, Hello and Phantom—continuously rebrands to hamper law-enforcement tracking. Despite its Chinese origin, investigators say the crew shows no links to state espionage; its motive is pure profit.

Ghost’s track record has already forced the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to issue a joint alert, warning that the gang’s tactics could cripple critical services and put sensitive citizen data at risk.

How the Attacks Unfold

  1. Access – Hackers exploit unpatched VPN appliances, web servers and email gateways.

  2. Backdoor – Web shells and commercial pen-test tools like Cobalt Strike establish covert control; new admin accounts are created while endpoint protection is silently disabled.

  3. Exfiltration – Confidential files are siphoned off to external servers before victims even realise they’ve been breached.

  4. Detonation – A payload labelled Ghost.exe or Cring.exe encrypts machines, erases backups and delivers a ransom note threatening permanent data loss or public leaks unless payment is made.
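
As an added illustration (not code from BlackFog or the FBI/CISA advisory), the sketch below correlates the stage 2 and stage 4 behaviours described above per host, so a lone event does not alert but several together do. It assumes Windows audit and Defender event IDs (4720, 4732, 5001, 4688) already normalised into tuples; the hosts, accounts, paths and timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Payload names come from the article; the window and threshold are assumptions.
PAYLOAD_NAMES = {"ghost.exe", "cring.exe"}
WINDOW = timedelta(hours=24)

# Constructed sample events: (time, host, event_id, detail).
# Assumed Windows event IDs: 4720 account created, 4732 member added to a
# local group, 5001 Defender real-time protection disabled, 4688 process start.
SAMPLE_EVENTS = [
    ("2025-01-10T02:11:00", "web01", 4720, "svc_backup2"),
    ("2025-01-10T02:12:30", "web01", 4732, "svc_backup2 -> Administrators"),
    ("2025-01-10T02:15:00", "web01", 5001, ""),
    ("2025-01-10T09:40:00", "hr-pc7", 4720, "new.starter"),
    ("2025-01-11T01:05:00", "web01", 4688, r"C:\Users\Public\Ghost.exe"),
    ("2025-01-12T08:00:00", "db02", 5001, ""),
]

def classify(event_id, detail):
    """Map one event to the attack-chain signal it may indicate, or None."""
    if event_id == 4720:
        return "account_created"
    if event_id == 4732 and "administrators" in detail.lower():
        return "admin_granted"
    if event_id == 5001:
        return "protection_disabled"
    image = detail.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if event_id == 4688 and image in PAYLOAD_NAMES:
        return "payload_name"  # weak on its own: file names are easily changed
    return None

def correlate(events, window=WINDOW, min_signals=3):
    """Return {host: signals} for hosts with >= min_signals distinct signals in one window."""
    per_host = defaultdict(list)
    for ts, host, event_id, detail in events:
        signal = classify(event_id, detail)
        if signal:
            per_host[host].append((datetime.fromisoformat(ts), signal))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for start, _ in hits:
            seen = {s for t, s in hits if start <= t <= start + window}
            if len(seen) >= min_signals:
                alerts[host] = sorted(set(alerts.get(host, [])) | seen)
    return alerts
```

On the sample data only web01 is flagged; the single account creation on hr-pc7 and the single protection change on db02 stay below the threshold.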

Hospitals are especially vulnerable, cybersecurity analysts warn, because life-support systems and electronic medical records make downtime unthinkable—often forcing administrators to pay quietly.

Quick-Fire Mitigation Steps

  • Maintain offline, isolated backups tested for rapid restore.

  • Patch aggressively: prioritise VPN, email and web-server vulnerabilities.

  • Enforce multi-factor authentication on every remote-access point.

  • Segment networks so an intruder who compromises one system cannot rove freely across critical assets.

For detailed hardening guidance, organisations are urged to review the FBI and CISA advisory on Ghost-related activity.

The Bigger Picture

Ransomware may be an old scourge, but Ghost’s global footprint shows criminals are pursuing scale as well as stealth. With healthcare and energy infrastructure increasingly in the crosshairs, security professionals caution that today’s best defence is readiness: plug known holes, practise restoration drills, and assume the worst can—and eventually will—happen.
