A threat actor behind a relatively new human-operated ransomware strain is exploiting unpatched Internet-exposed Fortinet Fortigate SSL VPN servers in order to gain access to targets’ networks, the latest report from Kaspersky reveals.
Dubbed Cring (also tracked as Crypt3r, Vjiszy1lo, Ghost and Phantom), the ransomware, which was discovered and reported by Swisscom CSIRT in January 2021, targets Fortigate VPN servers affected by CVE-2018-13379, a path traversal vulnerability in the FortiOS SSL VPN web portal that allows an unauthenticated attacker to download a session file containing usernames and plaintext passwords for the VPN. A fix has been available from Fortinet since 2019, and patching alone is not enough for a device that was already exposed: credentials read from the session file remain valid until they are changed.
According to Kaspersky, victims of the Cring ransomware attacks included industrial enterprises in European countries, and at least in one instance the attack “resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted.”
“The attackers may have identified the vulnerable device themselves by scanning IP addresses. Alternatively, they may have bought a ready-made list containing IP addresses of vulnerable Fortigate VPN Gateway devices,” the researchers noted.
Upon compromising a target’s network, a live Cring operator conducts reconnaissance and deploys a customized version of the Mimikatz tool in an attempt to extract domain administrator credentials stored in server memory. The Cobalt Strike beacon is then used to install the Cring ransomware. To mask the attack, the installation files are disguised as security products from Kaspersky or other vendors.
To be able to encrypt database files and remove backup copies, the Cring ransomware terminates a number of processes, including Microsoft Office and Oracle Database processes, as well as the SstpSvc service, which is used to create VPN connections.
“It is most likely that the attackers, who at this stage controlled the infected system via Cobalt Strike, did this to make it impossible to connect to the infected system remotely via VPN. This was done to prevent system administrators from providing a timely response to the information security incident,” Kaspersky said.
Cring encrypts only specific files on the compromised devices using strong encryption algorithms (RSA-8192 + AES-128), after first removing backup files with extensions such as .VHD, .bac, .bak, .wbcat, .bkf, .set, .win and .dsk.
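The pre-encryption sequence described above (the SstpSvc service stopped, Office and Oracle processes terminated, then backup files deleted by extension) is the kind of behaviour a detection rule can correlate per host before the encryptor has finished. The script below is an added illustration, not code from Kaspersky's report or from the Cring operators: it runs the correlation over a handful of constructed endpoint events. The event tuple layout, the field values, the process-name prefixes and the ten-minute window are assumptions chosen for the example; the backup extensions are the ones named in the report.

```python
"""Correlate Cring-like pre-encryption behaviour per host.

Added example (not from the original report). Events are a constructed,
simplified stand-in for EDR/Sysmon output: (timestamp, host, event_type, detail).
Field names, process prefixes and the time window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Backup-file extensions listed in the report, compared case-insensitively.
BACKUP_EXTENSIONS = {".vhd", ".bac", ".bak", ".wbcat", ".bkf", ".set", ".win", ".dsk"}

# Assumed image-name prefixes standing in for "Microsoft Office and Oracle
# Database processes"; extend to match your estate.
TARGET_PROCESS_PREFIXES = ("winword", "excel", "outlook", "oracle", "tnslsnr", "sqlplus")

# All three behaviours must land within this window on one host (assumption).
WINDOW = timedelta(minutes=10)
REQUIRED = {"vpn_service_stop", "process_kill", "backup_delete"}

# Constructed sample events: one host that matches, one that only looks noisy.
SAMPLE_EVENTS = [
    ("2021-01-20T02:00:01", "srv-db01", "service_stop", "SstpSvc"),
    ("2021-01-20T02:00:05", "srv-db01", "process_terminate", r"C:\oracle\product\bin\tnslsnr.exe"),
    ("2021-01-20T02:00:06", "srv-db01", "process_terminate", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ("2021-01-20T02:00:40", "srv-db01", "file_delete", r"D:\backups\erp_full.bak"),
    ("2021-01-20T02:00:41", "srv-db01", "file_delete", r"D:\backups\erp_disk.VHD"),
    ("2021-01-20T02:00:42", "srv-db01", "file_delete", r"D:\backups\notes.txt"),   # not a backup extension
    # Routine backup rotation on another host: deletions without the other two signals.
    ("2021-01-20T03:15:00", "srv-file02", "file_delete", r"E:\backup\weekly.bkf"),
    ("2021-01-20T03:15:01", "srv-file02", "file_delete", r"E:\backup\weekly.set"),
    # Same host, hours later: outside the window, so it must not correlate.
    ("2021-01-20T09:00:00", "srv-file02", "service_stop", "SstpSvc"),
    ("2021-01-20T09:00:01", "srv-file02", "process_terminate", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
]


def classify(event_type, detail):
    """Map one raw event to a behaviour tag, or None if it is not of interest."""
    if event_type == "service_stop" and detail.lower() == "sstpsvc":
        return "vpn_service_stop"
    if event_type == "process_terminate":
        image = PureWindowsPath(detail).name.lower()
        if image.startswith(TARGET_PROCESS_PREFIXES):
            return "process_kill"
    if event_type == "file_delete":
        if PureWindowsPath(detail).suffix.lower() in BACKUP_EXTENSIONS:
            return "backup_delete"
    return None


def detect_cring_like(events, window=WINDOW):
    """Return {host: {tag: count}} for each host showing all three behaviours
    inside `window`. The window slides from every tagged event; a host is
    reported once, with the counts from the first window that satisfies REQUIRED."""
    tagged = defaultdict(list)                       # host -> [(timestamp, tag)]
    for ts, host, event_type, detail in events:
        tag = classify(event_type, detail)
        if tag:
            tagged[host].append((datetime.fromisoformat(ts), tag))

    hits = {}
    for host, items in tagged.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            in_window = [tag for ts, tag in items[i:] if ts - start <= window]
            if REQUIRED.issubset(in_window):
                hits[host] = {tag: in_window.count(tag) for tag in REQUIRED}
                break
    return hits


if __name__ == "__main__":
    for host, counts in detect_cring_like(SAMPLE_EVENTS).items():
        print(f"{host}: Cring-like pre-encryption activity {counts}")
```

Only srv-db01 is reported: srv-file02 deletes backup files during normal rotation and, hours later, shows a service stop and a process kill, but never all three signals inside one window. Requiring the SstpSvc stop as one of the signals is what separates this from ordinary maintenance, since, as the report notes, cutting the VPN is aimed at the responders rather than at the data.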
“Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the attacked organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage,” the researchers said.
“An analysis of the attackers’ activity demonstrates that, based on the results of reconnaissance performed on the attacked organization’s network, they chose to encrypt those servers the loss of which the attackers believed would cause the greatest damage to the enterprise’s operations.”