Cring Ransomware Threat Intel Advisory
Published 25 May 2021
- A new strain of ransomware that exploits an unpatched vulnerability in Fortinet VPN devices
- Cring is used in combination with other malware to extract sensitive information
|Cring, Crypt3r, Vjiszy1lo, Ghost, Phantom|
Cring is a new strain of ransomware that has been observed exploiting a specific unpatched vulnerability in Fortinet VPN devices, tracked as CVE-2018-13379. Cring is used in combination with other malware, such as Mimikatz, to extract sensitive information. The operators behind Cring encrypt the data and demand a ransom of slightly over $70,000 USD (2 BTC).
- Before starting the encryption process, the ransomware stops the following programs/services:
- Veritas NetBackup: BMR Boot Service, NetBackup BMR MTFTP Service
- Microsoft SQL server: SQLTELEMETRY, SQLTELEMETRY$ECWDB2, SQLWriter
- SstpSvc service
- This ransomware also suspends the following applications:
- Microsoft Office: mspub.exe
- Oracle Database software: mydesktopqos.exe, mydesktopservice.exe
- Next, the ransomware deletes all data backup files using a CMD script named kill.bat.
- The ransomware then traverses the file system and encrypts the data with an AES-256 symmetric key. The AES key is in turn encrypted with a hardcoded RSA-8192 asymmetric key.
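The pre-encryption behaviour listed above (named services stopped, named processes terminated, kill.bat executed) is a detection opportunity that fires before files are lost. The script below is an added example, not part of the advisory: it parses a constructed, simplified rendition of Windows event-log lines (Service Control Manager Event ID 7036 service state changes, Security Event IDs 4688/4689 for process creation and exit) and flags a host when several of the advisory's indicators cluster within a short window. The line format, the ten-minute window and the scoring thresholds are assumptions chosen for illustration; the service and process names come from the advisory.

```python
"""Detect the Cring pre-encryption pattern in (constructed) Windows event-log lines.

Added example for the advisory above; not vendor or advisory code.
Log line shape assumed here: "<ISO timestamp> <host> <EventID> <message>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Services and processes the advisory says Cring stops/suspends before encrypting.
TARGET_SERVICES = {
    "BMR Boot Service",
    "NetBackup BMR MTFTP Service",
    "SQLTELEMETRY",
    "SQLTELEMETRY$ECWDB2",
    "SQLWriter",
    "SstpSvc",
}
TARGET_PROCESSES = {"mspub.exe", "mydesktopqos.exe", "mydesktopservice.exe"}
BACKUP_KILL_SCRIPT = "kill.bat"
WINDOW = timedelta(minutes=10)  # assumption: indicators must cluster within 10 minutes

# Constructed sample telemetry (not real logs). db01 shows a benign single
# SQLWriter restart; fs01 shows the clustered pattern the advisory describes.
SAMPLE_LOG = """\
2021-05-20T02:00:00 db01 7036 The SQLWriter service entered the stopped state.
2021-05-20T02:00:30 db01 7036 The SQLWriter service entered the running state.
2021-05-21T23:10:01 fs01 7036 The BMR Boot Service service entered the stopped state.
2021-05-21T23:10:02 fs01 7036 The NetBackup BMR MTFTP Service service entered the stopped state.
2021-05-21T23:10:03 fs01 7036 The SQLWriter service entered the stopped state.
2021-05-21T23:10:05 fs01 4689 A process has exited. Process Name: C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPUB.EXE
2021-05-21T23:10:09 fs01 4688 A new process has been created. New Process Name: C:\\Windows\\System32\\cmd.exe Process Command Line: cmd.exe /c C:\\temp\\kill.bat
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")
SVC_RE = re.compile(r"^The (.+) service entered the (\w+) state\.$")  # greedy: keeps multi-word names
EXIT_RE = re.compile(r"Process Name: (.+)$")
CMD_RE = re.compile(r"Process Command Line: (.+)$")


def parse_event(line):
    """Normalise one log line into {ts, host, kind, name}; None if irrelevant."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event_id, msg = m.groups()
    ev = {"ts": datetime.fromisoformat(ts), "host": host, "kind": None, "name": None}
    if event_id == "7036":
        s = SVC_RE.match(msg)
        if s and s.group(2) == "stopped":
            ev["kind"], ev["name"] = "service_stopped", s.group(1)
    elif event_id == "4689":
        p = EXIT_RE.search(msg)
        if p:
            # basename of the exited image, lower-cased for comparison
            ev["kind"] = "process_exited"
            ev["name"] = p.group(1).replace("\\", "/").rsplit("/", 1)[-1].lower()
    elif event_id == "4688":
        c = CMD_RE.search(msg)
        if c and BACKUP_KILL_SCRIPT in c.group(1).lower():
            ev["kind"], ev["name"] = "kill_script", BACKUP_KILL_SCRIPT
    return ev if ev["kind"] else None


def detect(log_text, window=WINDOW):
    """Return {host: finding} for hosts where, inside one window, at least two
    listed services stop, or one listed service stops alongside a listed
    process exit or a kill.bat execution."""
    events = [e for e in (parse_event(l) for l in log_text.splitlines()) if e]
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # sliding window anchored on each event
            svc, procs, script = set(), set(), False
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                if e["kind"] == "service_stopped" and e["name"] in TARGET_SERVICES:
                    svc.add(e["name"])
                elif e["kind"] == "process_exited" and e["name"] in TARGET_PROCESSES:
                    procs.add(e["name"])
                elif e["kind"] == "kill_script":
                    script = True
            if len(svc) >= 2 or (svc and (procs or script)):
                findings[host] = {
                    "services": sorted(svc),
                    "processes": sorted(procs),
                    "kill_bat": script,
                    "first_seen": first["ts"].isoformat(),
                }
                break
    return findings


if __name__ == "__main__":
    for host, finding in detect(SAMPLE_LOG).items():
        print(f"{host}: {finding}")
```

The single SQLWriter stop on db01 is deliberately not flagged: one backup or database service restarting is routine maintenance, whereas several of these specific services stopping within minutes, followed by a backup-deletion script, is the sequence the advisory describes and is worth an alert before encryption begins.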
- The ransomware encrypts the victim’s data and prevents any access without the decryption key.
- Temporary or permanent loss of the company’s data.
- Complete shutdown of operations, disrupting the business and causing financial loss.
- Reputational damage in the market after such attacks.
- Get the latest updates and patches for software.
- Use up-to-date antivirus and endpoint prevention and detection tools.
- Practice good cyber hygiene habits, and spread cyber awareness among employees.
- Encrypt passwords before storing them in databases.
- Use multi-factor authentication for all login sessions.
- Maintain multiple backup copies, including one offline copy, and update all copies regularly.
Tactics, Techniques, and Procedures
| ID | Technique |
|---|---|
| T1059 | Command and Scripting Interpreter |
| T1569.002 | System Services: Service Execution |
| T1070.004 | Indicator Removal on Host: File Deletion |
| T1007 | System Service Discovery |
| T1486 | Data Encrypted for Impact |
Indicators of Compromise