According to Kaspersky’s researchers, Cring ransomware operators are targeting unpatched Fortinet VPN devices/servers.
Kaspersky researchers identified a new ransomware strain called Cring that’s exploiting a widely reported vulnerability impacting unpatched Fortinet VPN devices. The ransomware is targeting industrial sector organizations in European countries and encrypting their networks.
In one incident, the ransomware caused a temporary shutdown of an organization’s industrial process after the server was encrypted. There is no news about how this issue was resolved.
Cring Ransomware is also called Crypt3r, Phantom, Ghost, and Vjiszy1lo. It was first discovered in January by Amigi_A, and Swisscom’s CSIRT team spotted it.
How the Attack Works?
The ransomware operators drop customized Mimikatz samples and Cobalt Strike threat emulation framework after they gain initial access to their targeted network. Then they deploy the Cring ransomware payload after downloading it onto the device using authentic Windows CertUtil certificate manager to deceive security software.
According to Kaspersky’s research, attackers are exploiting those Fortigate SSL VPN servers that are still not patched against the CVE-2018-13379 vulnerability. Although Fortinet issued a patch last year to fix this vulnerability, there are many networks that haven’t yet deployed the security update.
This vulnerability also allows the ransomware operators to breach the targeted network’s security. Cring operators laterally move on their target’s enterprise network through Fortinet VPN device and steal Windows user credentials via Mimikatz so as to control domain admin account.
Additionally, as shown in the screenshot above Cobalt Strike delivers ransomware payloads on the targeted network’s connected devices using a malicious PowerShell script.
What kind of Data is Encrypted
Cring ransomware encrypts specific files on the infected devices. It uses strong encryption algorithms and removes backup files as well. It also deletes Oracle Database and MS Office processes before dropping ransom notes in .txt files named: !!!!!readme.rtf and deReadMe!!!.txt.
To make things worse, Cring ransomware operators demand 2 Bitcoin in ransom which is around $115,435.
Fortinet SSL VPN appliances hunted by APT groups
According to a joint advisory issued by the FBI and CISA, advanced persistent threat actors are hunting for unpatched Fortinet SSL VPN devices that are still vulnerable to CVE-2018-13379 exploits.
“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks” the agencies stated in their joint advisory.