Cring Ransomware Threat Intel Advisory

###### Advisory Type: Malware Intelligence
###### Malware Name: Cring, Crypt3r, Vjiszy1lo, Ghost, Phantom
###### Malware Type: Ransomware
###### Target Platform: Windows OS

Executive Summary

Cring is a new ransomware strain that has been observed exploiting a specific unpatched vulnerability in Fortinet VPN devices, tracked as CVE-2018-13379, for initial access. Cring is used in combination with other malware, such as Mimikatz, to extract sensitive information. The operators behind Cring encrypt the victim's data and demand a ransom of slightly over $70,000 USD (2 BTC).

Screenshot of Cring ransomware ransom note

Technical Details

  • Before starting the encryption process, the ransomware stops the following programs/services:

    • Veritas NetBackup: BMR Boot Service, NetBackup BMR MTFTP Service
    • Microsoft SQL Server: SQLTELEMETRY, SQLTELEMETRY$ECWDB2, SQLWriter
    • SstpSvc service
  • The ransomware also terminates the following applications:

    • Microsoft Office: mspub.exe
    • Oracle Database software: mydesktopqos.exe, mydesktopservice.exe
  • It then deletes all data backup files using a CMD script named kill.bat.

  • The ransomware traverses the file system and encrypts the data with an AES-256 symmetric key. That symmetric key is in turn encrypted with a hardcoded RSA-8192 asymmetric key, so the data cannot be recovered without the operators' private key.
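The service stops, process terminations and kill.bat execution listed above happen before any file is encrypted, so they are the point where a detection can still prevent data loss. The following is an added example of such a detection, not code from the advisory: it runs over a few constructed log lines in an assumed simplified key=value export of Windows System log event 7036 (service entered the stopped state) and Sysmon events 1 (process create) and 5 (process terminate), groups the advisory's indicators per host, and flags a host when several indicators appear together or when the backup-deleting script runs after a watched service stop. The line format, host names and the alert threshold are assumptions to adapt to a real pipeline.

```python
"""Detection sketch for Cring's pre-encryption behaviour (added example).

Assumption: the log exporter flattens each Windows System 7036 event and
each Sysmon 1/5 event to one line of `key=value` pairs, quoting values that
contain spaces. Adapt parse_event() to the real pipeline.
"""
import re
from collections import defaultdict

# Services the advisory says Cring stops before encrypting.
WATCHED_SERVICES = {
    "BMR Boot Service",
    "NetBackup BMR MTFTP Service",
    "SQLTELEMETRY",
    "SQLTELEMETRY$ECWDB2",
    "SQLWriter",
    "SstpSvc",
}
# Processes the advisory says Cring terminates.
WATCHED_PROCESSES = {"mspub.exe", "mydesktopqos.exe", "mydesktopservice.exe"}
# Name of the backup-deleting script from the advisory.
KILL_SCRIPT = "kill.bat"

# Constructed sample events (hosts FS01 and WS07 are made up). FS01 shows the
# sequence described in the advisory; WS07 shows benign noise that must not alert.
SAMPLE_EVENTS = """\
2021-04-01T02:10:01Z host=FS01 src=System id=7036 msg="The SQLWriter service entered the stopped state."
2021-04-01T02:10:02Z host=FS01 src=System id=7036 msg="The BMR Boot Service service entered the stopped state."
2021-04-01T02:10:02Z host=FS01 src=System id=7036 msg="The NetBackup BMR MTFTP Service service entered the stopped state."
2021-04-01T02:10:03Z host=FS01 src=Sysmon id=5 image="C:\\Program Files\\Microsoft Office\\root\\Office16\\mspub.exe"
2021-04-01T02:10:04Z host=FS01 src=Sysmon id=1 image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c C:\\Users\\Public\\kill.bat"
2021-04-01T09:00:00Z host=WS07 src=System id=7036 msg="The Print Spooler service entered the stopped state."
2021-04-01T09:05:00Z host=WS07 src=Sysmon id=5 image="C:\\Windows\\System32\\notepad.exe"
"""

# key=value where the value is either double-quoted or a run of non-spaces.
TOKEN = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# Service name out of the 7036 message text.
STOPPED = re.compile(r"^The (.+?) service entered the stopped state\.$")


def parse_event(line):
    """Turn one flattened log line into a dict (timestamp kept under 'ts')."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for m in TOKEN.finditer(rest):
        event[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return event


def indicators(event):
    """Return the set of Cring indicator labels a single event matches."""
    hits = set()
    if event.get("src") == "System" and event.get("id") == "7036":
        m = STOPPED.match(event.get("msg", ""))
        if m and m.group(1) in WATCHED_SERVICES:
            hits.add("service_stop:" + m.group(1))
    elif event.get("src") == "Sysmon":
        image = event.get("image", "").rsplit("\\", 1)[-1].lower()
        if event.get("id") == "5" and image in WATCHED_PROCESSES:
            hits.add("proc_term:" + image)
        if event.get("id") == "1" and KILL_SCRIPT in event.get("cmdline", "").lower():
            hits.add("kill_script")
    return hits


def detect(log_text, threshold=3):
    """Group indicators per host and return {host: sorted indicators} for hosts
    that meet the threshold, or that ran the kill script after a watched service
    stop (the threshold value is an assumption; tune it to your environment)."""
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_event(line)
            per_host[event.get("host", "?")] |= indicators(event)
    alerts = {}
    for host, hits in per_host.items():
        stops = {h for h in hits if h.startswith("service_stop:")}
        if len(hits) >= threshold or ("kill_script" in hits and stops):
            alerts[host] = sorted(hits)
    return alerts


if __name__ == "__main__":
    for host, hits in detect(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(hits))
```

Running it reports FS01 with all five indicators and stays silent on WS07, whose stopped Print Spooler and closed notepad.exe are not in the watched sets. Matching on the exact service and process names keeps the rule cheap, but it is brittle against a renamed variant; correlating generic backup-service stops with any batch script executed from a writable directory would catch more at the cost of tuning.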

Impact

Technical Impact

  • The ransomware encrypts the victim's data and prevents any access without the decryption key.

Business Impact

  • Temporary or permanent loss of the company's data.
  • Complete shutdown of operations, which affects the business and causes financial loss.
  • Reputational damage in the market after such attacks.

Mitigation Measures

  • Apply the latest updates and patches for software.
  • Use up-to-date antivirus and endpoint prevention and detection tools.
  • Practice good cyber hygiene habits and spread cyber awareness among employees.
  • Encrypt passwords before storing them in databases.
  • Use multi-factor authentication for all login sessions.
  • Maintain multiple backup copies, including one offline copy, and update all copies regularly.

Tactics, Techniques, and Procedures

