| Advisory Type | Malware Intelligence |
| --- | --- |
| Malware Name | Cring, Crypt3r, Vjiszy1lo, Ghost, Phantom |
| Malware Type | Ransomware |
| Target Platform | Windows OS |
Cring is a new strain of ransomware that has been observed exploiting a specific unpatched vulnerability in Fortinet VPN devices, tracked as CVE-2018-13379. Cring is used in combination with other tools, such as Mimikatz, to extract sensitive information. The operators behind Cring encrypt the victim's data and demand a ransom of slightly over $70,000 USD (2 BTC).
[Figure: screenshot of the Cring ransomware ransom note]
Before starting the encryption process, the ransomware stops the following programs and services:
- Veritas NetBackup: BMR Boot Service, NetBackup BMR MTFTP Service
- Microsoft SQL server: SQLTELEMETRY, SQLTELEMETRY$ECWDB2, SQLWriter
- SstpSvc service
This ransomware also suspends the following applications:
- Microsoft Office: mspub.exe
- Oracle Database software: mydesktopqos.exe, mydesktopservice.exe
It then removes all data backup files with the help of a kill.bat CMD script.
The ransomware traverses the file system and encrypts the data with an AES-256 symmetric key. That symmetric key is in turn encrypted with a hardcoded RSA-8192 asymmetric key, so the data cannot be recovered without the operators' private key.
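The pre-encryption behaviour described above (stopping the named backup and SQL services, terminating the listed Office and Oracle processes, then deleting backups) is a detection opportunity for defenders: several of these specific targets going down within a few minutes of each other is unusual on a healthy host. The following is an added example, not code from the advisory, that flags such a cluster in constructed, simplified log lines modelled on Windows System event 7036 (service entered the stopped state) and Sysmon event 5 (process terminated); the line format and the sample log are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Services and processes the advisory lists as stopped by Cring before encryption.
CRING_SERVICES = {
    "BMR Boot Service", "NetBackup BMR MTFTP Service",
    "SQLTELEMETRY", "SQLTELEMETRY$ECWDB2", "SQLWriter", "SstpSvc",
}
CRING_PROCESSES = {"mspub.exe", "mydesktopqos.exe", "mydesktopservice.exe"}

# Constructed one-line renderings of event 7036 and Sysmon event 5 (assumed format).
SERVICE_STOP = re.compile(r"^(\S+ \S+) EventID=7036 .*The (.+?) service entered the stopped state")
PROC_TERM = re.compile(r"^(\S+ \S+) EventID=5 .*Image=.*\\([^\\]+\.exe)", re.I)

def parse_events(lines):
    """Yield (timestamp, kind, name) for service-stop and process-terminate records."""
    for line in lines:
        m = SERVICE_STOP.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), "service", m.group(2)
            continue
        m = PROC_TERM.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), "process", m.group(2).lower()

def detect_cring_prep(lines, window=timedelta(minutes=5), threshold=3):
    """Return the set of Cring-listed targets that stopped within `window` of each other.
    An empty set means no alert; `threshold` keeps a lone SQL restart from firing."""
    hits = [(ts, name) for ts, kind, name in parse_events(lines)
            if (kind == "service" and name in CRING_SERVICES)
            or (kind == "process" and name in CRING_PROCESSES)]
    hits.sort()
    for i, (start, _) in enumerate(hits):
        cluster = {n for t, n in hits[i:] if t - start <= window}
        if len(cluster) >= threshold:
            return cluster
    return set()

# Constructed sample telemetry: a Cring-like burst, and a benign single SQL restart.
SAMPLE_LOG = [
    "2021-04-01 10:00:00 EventID=7036 Source=Service Control Manager The BMR Boot Service service entered the stopped state.",
    "2021-04-01 10:00:02 EventID=7036 Source=Service Control Manager The SQLWriter service entered the stopped state.",
    "2021-04-01 10:00:05 EventID=7036 Source=Service Control Manager The Print Spooler service entered the stopped state.",
    r"2021-04-01 10:00:09 EventID=5 Source=Sysmon Image=C:\Program Files\Microsoft Office\root\Office16\mspub.exe",
    "2021-04-01 10:00:11 EventID=7036 Source=Service Control Manager The SstpSvc service entered the stopped state.",
]
BENIGN_LOG = [
    "2021-04-01 08:00:00 EventID=7036 Source=Service Control Manager The SQLWriter service entered the stopped state.",
    "2021-04-01 09:30:00 EventID=7036 Source=Service Control Manager The Print Spooler service entered the stopped state.",
]

if __name__ == "__main__":
    print("alert:", detect_cring_prep(SAMPLE_LOG) or "none")
    print("alert:", detect_cring_prep(BENIGN_LOG) or "none")
```

Pairing this with an alert on kill.bat execution or bulk backup-file deletion on the same host would give a higher-confidence signal than either event alone.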
Impact of an infection:
- The ransomware encrypts the victim's data and blocks all access to it without the decryption key.
- Temporary or permanent loss of the company's data.
- Complete shutdown of operations, disrupting the business and causing financial loss.
- Reputational damage in the market following such an attack.
Recommendations:
- Apply the latest updates and patches for all software, including VPN appliances.
- Use up-to-date antivirus and endpoint prevention and detection tools.
- Practice good cyber hygiene and spread cyber-security awareness among employees.
- Encrypt passwords before storing them in databases.
- Use multi-factor authentication for all login sessions.
- Maintain multiple backup copies, including one offline copy, and update all copies regularly.