#StopRansomware: Ghost (Cring) Ransomware

**Executive summary:** This joint FBI/CISA/MS-ISAC advisory outlines Ghost (Cring) ransomware activity—an opportunistic, China-located criminal group that exploits unpatched public-facing services and uses Cobalt Strike, web shells, and various open-source tools to deploy ransomware (Cring.exe, Ghost.exe, ElysiumO.exe, Locker.exe). The advisory provides technical details, MITRE ATT&CK mappings, IoCs (file hashes, tools, ransom emails, TOX IDs), observed impacts (file encryption, shadow copy deletion), and prioritized mitigations and reporting guidance for defenders.