Cring Ransomware Threat Intel Advisory

Published 25 May 2021

  • A new strain of ransomware that exploits an unpatched vulnerability in Fortinet VPN devices
  • Cring is used in combination with other malware, aimed at extracting sensitive information

Advisory Type: Malware Intelligence
Malware Name: Cring, Crypt3r, Vjiszy1lo, Ghost, Phantom
Malware Type: Ransomware
Target Platform: Windows OS

Executive Summary

Cring is a new strain of ransomware that has been observed exploiting a specific unpatched vulnerability in Fortinet VPN devices, tracked as CVE-2018-13379. Cring is used in combination with other malware, such as Mimikatz, to extract sensitive information. The operators behind Cring encrypt the data and demand a ransom of slightly over $70,000 USD (2 BTC).

Screenshot of Cring ransomware ransom note

Technical Details

  • Before starting the encryption process, the ransomware stops the following services:
    • Veritas NetBackup: BMR Boot Service, NetBackup BMR MTFTP Service
    • Microsoft SQL Server: SQLTELEMETRY, SQLTELEMETRY$ECWDB2, SQLWriter
    • SstpSvc service
  • It also suspends the following application processes:
    • Microsoft Office: mspub.exe
    • Oracle Database software: mydesktopqos.exe, mydesktopservice.exe
  • It then deletes backup files using a kill.bat batch script.
  • The ransomware traverses the file system and encrypts files with an AES-256 symmetric key; that key is then encrypted with a hard-coded RSA-8192 asymmetric key.
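The service stops and batch-script execution described above happen before any file is encrypted, which makes them a useful early detection point. The following script is an added example, not part of the advisory: it applies the advisory's service and script names as detection logic over constructed Windows event log lines. The pipe-delimited log format, host names and the alert threshold are assumptions.

```python
import re
from collections import defaultdict

# Services and scripts named in the advisory. Cring stops these services and runs
# kill.bat before encrypting, so several such events on one host is an early signal.
SERVICES = {"BMR Boot Service", "NetBackup BMR MTFTP Service", "SQLTELEMETRY",
            "SQLTELEMETRY$ECWDB2", "SQLWriter", "SstpSvc"}
SCRIPTS = {"kill.bat", "execute.bat"}

# Constructed log format (assumption): "host|event_id|message". Messages mimic
# Windows System event 7036 (service state change) and Security event 4688
# (process creation) as shown in Event Viewer.
SVC_STOPPED = re.compile(r"^The (?P<svc>.+) service entered the stopped state\.$")
NEW_PROCESS = re.compile(r"New Process Name:\s*(?P<path>\S+)")

def scan(lines):
    """Map each host to the set of advisory indicators seen in its log lines."""
    hits = defaultdict(set)
    for line in lines:
        if line.count("|") < 2:
            continue  # malformed line: skip it rather than abort the whole scan
        host, event_id, msg = line.split("|", 2)
        if event_id == "7036":
            m = SVC_STOPPED.match(msg)
            if m and m["svc"] in SERVICES:
                hits[host].add("service-stop:" + m["svc"])
        elif event_id == "4688":
            m = NEW_PROCESS.search(msg)
            name = m["path"].rsplit("\\", 1)[-1].lower() if m else ""
            if name in SCRIPTS:
                hits[host].add("script:" + name)
    return hits

def alert(hits, min_services=2):
    """Flag a host when >= min_services advisory services stopped or a script ran."""
    flagged = {}
    for host, found in hits.items():
        stops = sum(h.startswith("service-stop:") for h in found)
        if stops >= min_services or any(h.startswith("script:") for h in found):
            flagged[host] = sorted(found)
    return flagged

# Constructed sample: one host showing the pre-encryption pattern, one benign host.
SAMPLE = """\
srv-db01|7036|The SQLWriter service entered the stopped state.
srv-db01|7036|The SQLTELEMETRY service entered the stopped state.
srv-db01|7036|The SstpSvc service entered the stopped state.
srv-db01|4688|A new process has been created. New Process Name: C:\\Windows\\Temp\\kill.bat
ws-042|7036|The Spooler service entered the stopped state.
ws-042|4688|A new process has been created. New Process Name: C:\\Windows\\System32\\notepad.exe
""".splitlines()

if __name__ == "__main__":
    for host, found in alert(scan(SAMPLE)).items():
        print(host, found)
```

A single stopped service is noisy on its own (maintenance also stops SQLWriter), which is why the threshold counts distinct advisory services per host and treats the batch script as sufficient by itself.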

Impact

Technical Impact
  • The ransomware encrypts the victim’s data and blocks all access to it without the decryption key.
Business Impact
  • Temporary or permanent loss of company data.
  • Complete shutdown of operations, disrupting the business and causing financial loss.
  • Reputational damage in the market following such an attack.

Mitigation Measures

  • Apply the latest updates and patches for all software.
  • Use up-to-date antivirus and endpoint prevention and detection tools.
  • Practice good cyber hygiene habits and spread cyber awareness among employees.
  • Encrypt passwords before storing them in databases.
  • Use multi-factor authentication for all login sessions.
  • Maintain multiple backup copies, including one offline copy, and update all copies regularly.

Tactics, Techniques, and Procedures

Execution
  • T1059 Command and Scripting Interpreter
  • T1569.002 System Services: Service Execution
Defense Evasion
  • T1070.004 Indicator Removal on Host: File Deletion
Discovery
  • T1007 System Service Discovery
Impact
  • T1486 Data Encrypted for Impact

Indicators of Compromise

CVE
  • CVE-2018-13379
  • CVE-2019-5591
  • CVE-2020-12812
URL
  • http://45.67.231.128/ip.txt.
  • http://1.0.0.0
IPv4
  • 45.67.231.128
  • 198.12.112.204
  • 129.227.156.216
  • 129.227.156.214
FilePath
  • %temp%\execute.bat
  • C:\__output
