Cring Ransomware Fortinet Attack Threat Intel Advisory

Published 24 May 2021

  • Operators of Cring ransomware target multiple organizations by exploiting vulnerable FortiGate servers
  • The attackers steal credentials from Windows users that had connected to the infected device


Advisory Type: Adversary Intelligence
Malware Name: Cring, Crypt3r, Vjiszy1lo, Ghost, Phantom
Malware Type:
Tools Used: Mimikatz, Cobalt Strike
Target Platform: Fortinet VPN devices
Affected Industries: Industrial Sectors

Executive Summary

Threat operators of Cring ransomware have been targeting multiple organizations in the industrial sector by exploiting vulnerable FortiGate servers. The vulnerability, tracked as CVE-2018-13379, is a path traversal flaw in the FortiOS SSL VPN portal. After exploiting it to obtain VPN login credentials, the attackers use Mimikatz to steal the credentials of Windows users that had connected to the infected device, including those of a domain administrator, and then deploy a Cobalt Strike beacon to download and execute the Cring ransomware.

Technical Details

  • Once the attackers identified servers affected by CVE-2018-13379, they located the sslvpn_websession file and used it to obtain login credentials in cleartext.
  • The attackers used Mimikatz to steal the credentials of other Windows users that had connected to the infected device at some point in the past, and among them found the domain administrator credentials.
  • They then deployed a malicious PowerShell script to decrypt and execute a Cobalt Strike beacon, giving them remote control of the infected systems.
  • The attackers went on to download and execute a malicious CMD script that launched another PowerShell command which, in turn, downloaded and executed the Cring ransomware.

Targeted CVEs:

  • CVE-2018-13379
    • FortiOS versions 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 are vulnerable to this flaw.
  • CVE-2020-12812
  • CVE-2019-5591
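Two defender-side checks that follow from the details above, written as an added example rather than taken from the advisory: a numeric comparison of a FortiOS build against the affected version ranges listed for CVE-2018-13379, and a scan of web-access log lines for requests that pair a directory-traversal sequence with the sslvpn_websession file name. The log line format and the portal paths in the sample are constructed assumptions, not Fortinet's real syntax or endpoints.

```python
import re
from urllib.parse import unquote

# Inclusive FortiOS version ranges the advisory lists for CVE-2018-13379.
AFFECTED_RANGES = (
    ((6, 0, 0), (6, 0, 4)),
    ((5, 6, 3), (5, 6, 7)),
    ((5, 4, 6), (5, 4, 12)),
)

def parse_version(version):
    """'5.6.10' -> (5, 6, 10): compare numerically, since the string
    comparison '5.6.10' < '5.6.7' would wrongly flag a patched build."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {version!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable_fortios(version):
    """True when the build sits inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)

# A traversal step in either slash style, plus the session file's name.
TRAVERSAL = re.compile(r"\.\.[/\\]")
SESSION_FILE = "sslvpn_websession"

def flag_traversal_requests(log_lines):
    """Return (client_ip, decoded_path) for each request that combines a
    traversal sequence with the sslvpn_websession file name.  Assumed
    (constructed) line format: '<client_ip> <method> <path> <status>'."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        # Decode twice so %252e%252e style double-encoding is also caught.
        path = unquote(unquote(fields[2]))
        if TRAVERSAL.search(path) and SESSION_FILE in path:
            hits.append((fields[0], path))
    return hits

# Constructed sample access-log lines; endpoints are placeholders, not Fortinet's.
SAMPLE_LOG = [
    "203.0.113.10 GET /portal/login 200",
    "203.0.113.10 GET /portal/lang?file=../../../../sslvpn_websession 200",
    "198.51.100.7 GET /portal/lang?file=%2e%2e%2f%2e%2e%2fsslvpn_websession 200",
    "198.51.100.7 GET /portal/logincheck 200",
]
```

A hit from flag_traversal_requests() on a device whose build is_vulnerable_fortios() reports as affected is the combination worth treating as a likely credential exposure, with the sslvpn_websession contents assumed compromised.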

Technical Impact

  • Exploiting the targeted CVEs in the FortiOS SSL VPN portal allows threat actors to download and execute further malware, enabling other forms of attack on the infected system.
  • The attackers could also take control of the infected system and use it as a bot to launch further attacks.

Business Impact

  • This ransomware attack could force businesses to shut down.
  • It could also damage the reputation of the victim company.
  • The attackers gain full access to infected systems, which may contain sensitive information about individuals and organizations alike, leading to the violation of their privacy.

Mitigation Measures

  • Apply the latest updates and patches for the software in use.
  • Use up-to-date antivirus and endpoint prevention and detection tools.
  • Maintain cyber hygiene and awareness.
  • Always encrypt passwords before storing them in databases.
  • Use 2FA for all login sessions.

Tactics, Techniques, and Procedures of the Attack

Reconnaissance
T1592.002 Gather Victim Host Information: Software
T1589.001 Gather Victim Identity Information: Credentials
T1590.006 Gather Victim Network Information: Network Security Appliances
T1590.005 Gather Victim Network Information: IP Addresses
Resource Development
T1588.005 Obtain Capabilities: Exploits
T1588.001 Obtain Capabilities: Malware
T1588.002 Obtain Capabilities: Tool
T1588.006 Obtain Capabilities: Vulnerabilities
T1608.001 Stage Capabilities: Upload Malware
T1608.002 Stage Capabilities: Upload Tool
Initial Access
T1133 External Remote Services
Execution
T1059 Command and Scripting Interpreter
T1047 Windows Management Instrumentation
Defense Evasion
T1140 Deobfuscate/Decode Files or Information
T1036.004 Masquerading: Masquerade Task or Service
Credential Access
T1555 Credentials from Password Stores
T1003.005 OS Credential Dumping: Cached Domain Credentials
T1552 Unsecured Credentials
Discovery
T1087.002 Account Discovery: Domain Account
Lateral Movement
T1021 Remote Services


Indicators of Compromise