New Cring ransomware exploits a vulnerability in Fortigate VPN servers


A threat actor behind a relatively new human-operated ransomware strain is exploiting unpatched Internet-exposed Fortinet Fortigate SSL VPN servers in order to gain access to targets’ networks, the latest report from Kaspersky reveals.

Dubbed Cring (also tracked as Crypt3r, Vjiszy1lo, Ghost and Phantom), the ransomware was discovered and reported by Swisscom CSIRT in January 2021. Its operators target Fortigate VPN servers affected by CVE-2018-13379, a path traversal vulnerability in the SSL VPN web portal that allows an unauthenticated attacker to read a session file containing the username and plaintext password of a VPN user.
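The practical check a defender wants after reading the paragraph above is whether anyone has already tried this against their own portal. The script below is an added example, not code from the article or from Kaspersky: it runs a path-traversal detector over web access-log lines, decoding nested percent-encoding so a doubly encoded `../` is not missed. The log lines are constructed for the example; the endpoint and session-file name they contain come from public reporting on CVE-2018-13379, not from this article, and the Common Log Format parser is an assumption about how your logs look.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Indicator names: the session file below is the one named in public reporting
# on CVE-2018-13379 (not in this article); adjust for your own portal.
SESSION_FILE = "sslvpn_websession"
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Common Log Format (assumed log shape); the trailing fields are enough here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic). Line 0 is a normal portal
# request; lines 1 and 2 carry traversal, line 2 double URL-encoded.
SAMPLE_LOGS = [
    '203.0.113.5 - - [20/Jan/2021:03:14:07 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1843',
    '198.51.100.23 - - [20/Jan/2021:03:14:09 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 32768',
    '198.51.100.23 - - [20/Jan/2021:03:14:11 +0000] "GET /remote/fgt_lang?lang=%2F..%252F..%252F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 32768',
]


def deep_unquote(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so nested encodings (%252F -> %2F -> /) cannot hide '../'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(value: str) -> bool:
    """True if the decoded value contains a '..' path segment (backslashes count as separators)."""
    return bool(TRAVERSAL.search(deep_unquote(value).replace("\\", "/")))


def classify_request(line: str) -> list:
    """Return the indicator names triggered by one access-log line ([] if clean or unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = m.group("target")
    parts = urlsplit(target)
    findings = []
    if has_traversal(parts.path):
        findings.append("traversal-in-path")
    # parse_qsl decodes once; has_traversal decodes the rest.
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        if has_traversal(val):
            findings.append(f"traversal-in-param:{key}")
    if SESSION_FILE in deep_unquote(target):
        findings.append("reads-session-file")
    # A 200 on a traversal request means the file read most likely succeeded.
    if findings and m.group("status") == "200":
        findings.append("status-200-likely-success")
    return findings


def scan(lines) -> list:
    """Return (client_ip, findings) for every line that trips at least one indicator."""
    hits = []
    for line in lines:
        findings = classify_request(line)
        if findings:
            hits.append((LOG_RE.match(line).group("ip"), findings))
    return hits


if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOGS):
        print(ip, ", ".join(findings))
```

Any hit with `status-200-likely-success` should be treated as a credential exposure: the attackers in this campaign only needed the username and password from that file, so patching alone is not enough and every VPN account that existed at the time needs its password rotated.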

According to Kaspersky, victims of the Cring ransomware attacks included industrial enterprises in European countries, and at least in one instance the attack “resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted.”

“The attackers may have identified the vulnerable device themselves by scanning IP addresses. Alternatively, they may have bought a ready-made list containing IP addresses of vulnerable Fortigate VPN Gateway devices,” the researchers noted.

Upon compromising a target’s network, a live Cring operator conducts reconnaissance and deploys a customized version of the Mimikatz tool in an attempt to extract domain administrator credentials stored in server memory. The Cobalt Strike beacon is then used to install the Cring ransomware. To mask the attack, the installation files are disguised as security products from Kaspersky or other vendors.

To get exclusive access to database files and backup copies so that it can encrypt or delete them, the Cring ransomware terminates a number of processes and services, including Microsoft Office and Oracle Database processes. It also stops the SstpSvc service (Secure Socket Tunneling Protocol), which Windows uses to create VPN connections.

“It is most likely that the attackers, who at this stage controlled the infected system via Cobalt Strike, did this to make it impossible to connect to the infected system remotely via VPN. This was done to prevent system administrators from providing a timely response to the information security incident,” Kaspersky said.

Cring encrypts only specific files on the compromised devices, using a hybrid scheme (file contents encrypted with AES-128, the AES keys in turn encrypted with an 8192-bit RSA public key, so nothing can be recovered without the attackers' private key), after first deleting backup files with extensions such as .VHD, .bac, .bak, .wbcat, .bkf, .set, .win and .dsk.
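The two behaviours described in the last few paragraphs, the SstpSvc stop and the deletion of backup files by extension, both happen before encryption starts, which makes them worth alerting on in their own right. The triage routine below is an added example, not code from the article or from Kaspersky: it groups host telemetry by machine, looks for a burst of backup-extension deletions, and escalates when such a burst sits close in time to an SstpSvc stop on the same host. The extension list is the one Kaspersky published; the telemetry records are constructed for the example, and the thresholds and windows are assumptions you would tune to your own environment.

```python
import os
from datetime import datetime, timedelta

# Backup extensions Kaspersky lists for Cring, lower-cased for comparison.
BACKUP_EXTS = {".vhd", ".bac", ".bak", ".wbcat", ".bkf", ".set", ".win", ".dsk"}
# Tuning values are assumptions for this example, not from the report.
DELETE_BURST = 5                        # this many backup-file deletions ...
BURST_WINDOW = timedelta(minutes=10)    # ... inside this window
PAIRING_WINDOW = timedelta(minutes=30)  # service stop this close to the burst escalates

# Constructed sample telemetry (not real logs). Each tuple: ISO timestamp, host,
# event type, detail. The shapes mimic a normalised SCM 7036 "service stopped"
# record and Sysmon FileDelete events.
EVENTS = [
    ("2021-01-20T04:01:12", "srv-db01", "service_stopped", "SstpSvc"),
    ("2021-01-20T04:02:01", "srv-db01", "file_delete", r"D:\backups\orcl_full.bak"),
    ("2021-01-20T04:02:02", "srv-db01", "file_delete", r"D:\backups\orcl_arch.bkf"),
    ("2021-01-20T04:02:02", "srv-db01", "file_delete", r"D:\backups\weekly.set"),
    ("2021-01-20T04:02:03", "srv-db01", "file_delete", r"D:\backups\weekly.wbcat"),
    ("2021-01-20T04:02:05", "srv-db01", "file_delete", r"E:\images\db01.VHD"),
    ("2021-01-20T04:02:06", "srv-db01", "file_delete", r"E:\images\db01.dsk"),
    ("2021-01-20T04:02:07", "srv-db01", "file_delete", r"D:\backups\notes.txt"),
    # An admin rotating one old backup on another host: no service stop, no burst.
    ("2021-01-20T09:15:00", "srv-file02", "file_delete", r"F:\archive\2019.bak"),
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def backup_delete_burst(events) -> tuple:
    """Largest run of backup-file deletions inside BURST_WINDOW as (count, start), or (0, None)."""
    times = sorted(
        _ts(t) for t, _, kind, detail in events
        if kind == "file_delete" and os.path.splitext(detail)[1].lower() in BACKUP_EXTS
    )
    best, best_start, lo = 0, None, 0
    for hi in range(len(times)):          # sliding window over sorted timestamps
        while times[hi] - times[lo] > BURST_WINDOW:
            lo += 1
        if hi - lo + 1 > best:
            best, best_start = hi - lo + 1, times[lo]
    return best, best_start


def assess_host(events) -> dict:
    """Score one host's events; verdict is ransomware-precursor, suspicious or clean."""
    stops = [_ts(t) for t, _, kind, detail in events
             if kind == "service_stopped" and detail.lower() == "sstpsvc"]
    count, start = backup_delete_burst(events)
    burst = count >= DELETE_BURST
    paired = burst and any(abs(start - s) <= PAIRING_WINDOW for s in stops)
    if paired:
        verdict = "ransomware-precursor"
    elif burst or stops:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"sstpsvc_stopped": bool(stops), "backup_deletes_in_burst": count, "verdict": verdict}


def triage(events) -> dict:
    """Group events by host and assess each; returns {host: assessment}."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev[1], []).append(ev)
    return {host: assess_host(evs) for host, evs in by_host.items()}


if __name__ == "__main__":
    for host, result in triage(EVENTS).items():
        print(host, result)
```

The pairing step is what keeps the rule usable: backup rotation jobs delete .bak files on a schedule, and SstpSvc is stopped for benign reasons too, but the combination within half an hour on a server that holds database backups is the sequence Kaspersky describes, and it fires before any file has been encrypted.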

“Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the attacked organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage,” the researchers said.

“An analysis of the attackers’ activity demonstrates that, based on the results of reconnaissance performed on the attacked organization’s network, they chose to encrypt those servers the loss of which the attackers believed would cause the greatest damage to the enterprise’s operations.”
