The Cring Ransomware
According to researchers investigating the malicious campaign, threat actors are exploiting a flaw in Fortinet’s FortiOS tracked as CVE-2018-13379, which affects the company’s SSL VPN products. The ultimate goal of the attacks is to gain access to the networks of the targeted enterprises and to deliver a new ransomware strain, known as Cring.
Cring is a recent and very sophisticated extortion tool that joins the already active ransomware strains known as Ryuk, Maze and Conti. The new threat was first detected and reported in January, when security researchers noticed features that are uncommon in other ransomware variants. What makes Cring special, according to ransomware analysts, is that it uses two types of encryption instead of one. In addition, the threat targets the backup files on the system and destroys them, so that victims cannot use those copies to recover the encrypted data. In this way, the malware ensures that victims have no option but to pay the demanded ransom if they want their data decrypted.
The publicly available details about how Cring operates show how the ransomware encrypts data without being noticed and how it destroys the existing backups.
As soon as it enters the system, the malware first stops a number of key services on the network, including Microsoft SQL Server and Veritas NetBackup.
Next, Cring terminates other applications, such as Microsoft Office and Oracle Database, and their processes, to clear the way for encryption and for the removal of important backups.
In the final phase of the attack, the ransomware starts a covert encryption process using strong algorithms; the resulting files cannot be decrypted without the matching RSA private key, which is held by the attackers.
Once encryption is complete, the malware drops a ransom note demanding payment of two Bitcoins in exchange for the decryption key.
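The service-stopping phase described above (Microsoft SQL Server and Veritas NetBackup going down shortly before encryption begins) is observable on the host before any file is touched. The following detection sketch is an added example, not code from the article or from any vendor: it scans a constructed, simplified text export of Service Control Manager 7036 (service state change) events and alerts when two or more database or backup services are stopped within a short window. The log line layout, the timestamps and the service names in the sample are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Service-name fragments taken from the article: Cring stops Microsoft SQL Server
# and Veritas NetBackup before encrypting. Matching is a case-insensitive substring test.
WATCHED_SERVICE_KEYWORDS = ("sql server", "netbackup")

# Service Control Manager event 7036 reports service state changes. The line layout
# below is a constructed, simplified text export (not a real EVTX dump):
#   <ISO timestamp> <event id> The <service> service entered the <state> state.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+The (.+?) service entered the (\w+) state\.?$")

def parse_service_events(lines):
    """Return 7036 events as dicts; lines in other formats or with other IDs are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "7036":
            continue
        ts, _, service, state = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "service": service, "state": state.lower()})
    return events

def detect_backup_tampering(lines, window=timedelta(minutes=10), min_services=2):
    """Return the distinct watched services stopped within `window` of one another
    when at least `min_services` are hit; an empty list means no alert."""
    stops = [e for e in parse_service_events(lines)
             if e["state"] == "stopped"
             and any(k in e["service"].lower() for k in WATCHED_SERVICE_KEYWORDS)]
    stops.sort(key=lambda e: e["time"])
    for i, first in enumerate(stops):
        cluster = {e["service"] for e in stops[i:] if e["time"] - first["time"] <= window}
        if len(cluster) >= min_services:
            return sorted(cluster)
    return []

# Constructed sample export: ordinary restart noise, then the burst the article describes.
SAMPLE_LOG = [
    "2021-04-06T02:00:00 7036 The Windows Update service entered the stopped state.",
    "2021-04-06T02:00:05 7036 The Windows Update service entered the running state.",
    "2021-04-06T03:12:07 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.",
    "2021-04-06T03:12:09 7036 The NetBackup Client Service service entered the stopped state.",
    "2021-04-06T03:12:11 7036 The NetBackup Legacy Network Service service entered the stopped state.",
    "2021-04-06T03:12:30 7040 The start type of the SQL Server (MSSQLSERVER) service was changed.",
]

if __name__ == "__main__":
    hit = detect_backup_tampering(SAMPLE_LOG)
    print("ALERT: database/backup services stopped together:", hit if hit else "none")
```

A single stopped service, or stops spread across hours (routine maintenance), produces no alert; the signal is several backup-related services going down together.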
Users who are concerned about possible exploitation of the CVE-2018-13379 bug in Fortinet FortiOS should apply the available update immediately.
According to a statement from Fortinet, CVE-2018-13379 is an old weakness that was resolved in May 2019. The company released an urgent PSIRT advisory upon resolution and has since been actively urging its customers to update immediately, both by informing them directly and through the company’s blog posts.