CRING ransomware encrypts business user and server data with AES-128 + RSA-8192 and then demands a ransom of about 2 BTC to get the files back. The attackers exploit Internet-exposed FortiGate SSL VPN servers that are unpatched against CVE-2018-13379, which allows them to breach the target's network. After establishing initial access, they drop a customized Mimikatz sample, followed by the Cobalt Strike threat emulation framework, which is deployed using a malicious PowerShell script.
The ransomware encrypts only specific files on the compromised devices after removing backup files and killing Microsoft Office and Oracle Database processes.
CRING Ransomware Signatures
CRING Ransomware Download