
Audit: Ransom.Ghost Activity

Severity: Low

This attack poses a minor threat. Corrective action may not be possible or is not required.


This signature attempts to detect Ghost ransomware on a system when it connects to its "KillSwitch", which helps in detecting the presence of the ransomware.

Additional Information

The file encrypts files on the system and demands a ransom to decrypt them.


  • Various Windows platforms


Immediately scan all of the systems in your network for the presence of Ghost ransomware.

When the worm module of Ghost ransomware is executed, it queries DNS for the following remote location:


If the domain is resolved by DNS, the ransomware exits immediately. This functionality acts as a kill switch, enabling the threat to be stopped.