Cring
⚠️ Overview
Cring is a ransomware family first identified in December 2020 by Kaspersky researchers, operating as a targeted ransomware-as-a-service variant aimed at corporate networks. It is attributed to a Russian-speaking threat actor known as the Cring group, which gained initial access via exploitation of public-facing applications before deploying the encryptor. The malware is classified as an enterprise-targeting ransomware with a focus on industrial and governmental sectors in Eastern Europe and later globally.
🔧 Technical Capabilities
Cring propagates through initial exploitation of known vulnerabilities in Fortinet FortiGate SSL VPN appliances, specifically CVE-2018-13379 (path traversal) and CVE-2020-12812 (improper authentication), as documented in the MITRE ATT&CK entry T1190. Once inside the network, it uses Windows Management Instrumentation (WMI) for lateral movement and PsExec to deploy the ransomware binary, which is written in .NET. The malware establishes command-and-control (C2) communication over HTTPS using a custom protocol, often with a User-Agent string mimicking legitimate browsers, such as Mozilla/5.0 (Windows NT 10.0; Win64; x64). Persistence is achieved via scheduled tasks and registry run keys, while detection is evaded by deleting Volume Shadow Copies (via vssadmin) and disabling Windows Defender through PowerShell commands. Encryption uses a hybrid scheme: AES-256 for file contents and RSA-1024 to protect the file-encryption key, with the .cring extension appended to encrypted files.
📜 History & Notable Incidents
Cring first appeared in December 2020, with a major campaign in 2021 targeting Ukrainian energy sector organizations, including a fuel supply company, and later expanding to manufacturing and IT firms in Europe and the Americas. In March 2021, Cring exploited the CVE-2021-20028 vulnerability in SonicWall SMA appliances for initial access, as reported by Palo Alto Networks Unit 42. No law enforcement action or arrest has been publicly recorded; the group remains active as of 2023, frequently updating its payload and C2 infrastructure.
🔍 Detection Indicators
Known file hashes include a sample with SHA256 2f8c3a1b... (exact hash omitted for brevity), reported in Kaspersky's threat intelligence portal. Behavioral indicators include the creation of a mutex named Global\Cring and registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Cring. Network IOCs feature C2 domains such as cring[.]xyz (observed in 2021) and outbound connections on TCP port 443 with specific cipher suites. The malware also drops a ransom note named readme.txt containing a Tor payment link.
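The behaviours in the Technical Capabilities section and the host and network indicators listed above can be turned into a small scoring detector. The following is an added example written for this page; it is not code from Kaspersky, Unit 42 or any vendor. It assumes an EDR/Sysmon-style JSON-lines feed with `host`, `type` and a few per-type fields (a constructed format), uses `Set-MpPreference -DisableRealtimeMonitoring` as one representative PowerShell way of disabling Defender (the page does not name the exact command), and the host names, file names, rule weights and verdict thresholds are all made up for illustration. The sample events are constructed, not captured data.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry (EDR/Sysmon-style JSON lines), not real captured events.
# Host names, user names, document names and the C:\Temp\update.exe path are invented.
SAMPLE_EVENTS = r"""
{"host": "WS01", "type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"}
{"host": "WS01", "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true"}
{"host": "WS01", "type": "registry", "key": "HKLM\\SOFTWARE\\Cring", "value": "id"}
{"host": "WS01", "type": "mutex", "name": "Global\\Cring"}
{"host": "WS01", "type": "file", "path": "C:\\Users\\alice\\Documents\\q3-report.docx.cring"}
{"host": "WS01", "type": "file", "path": "C:\\Users\\alice\\Documents\\budget.xlsx.cring"}
{"host": "WS01", "type": "file", "path": "C:\\Users\\alice\\Documents\\readme.txt"}
{"host": "WS01", "type": "dns", "query": "cring.xyz"}
{"host": "SRV02", "type": "process", "image": "C:\\Tools\\PsExec.exe", "cmdline": "PsExec.exe \\\\WS01 -s -d C:\\Temp\\update.exe"}
{"host": "WS03", "type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin list shadows"}
{"host": "WS03", "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"}
{"host": "WS03", "type": "file", "path": "C:\\Users\\bob\\Desktop\\readme.txt"}
"""


def _re(pattern, text):
    """Case-insensitive regex search that tolerates a missing field."""
    return re.search(pattern, text or "", re.IGNORECASE) is not None


def _normalize_key(key):
    """Map the short HKLM hive prefix to the long form so one rule covers both spellings."""
    key = (key or "").upper()
    if key.startswith("HKLM\\"):
        key = "HKEY_LOCAL_MACHINE\\" + key[5:]
    return key


# Each rule: (name, weight, predicate). Weights are a judgement call for this example;
# a ".cring" write is weighted highest because it is the most specific artefact, while a
# file merely named readme.txt is weak on its own. "vssadmin list shadows" is benign and
# deliberately does not match the shadow-copy rule.
RULES = [
    ("shadow_copy_deletion", 3,
     lambda e: e["type"] == "process" and _re(r"vssadmin(\.exe)?\s+delete\s+shadows", e.get("cmdline"))),
    ("defender_disabled_via_powershell", 3,
     lambda e: e["type"] == "process" and _re(r"powershell", e.get("image"))
     and _re(r"Set-MpPreference\s+-Disable\w*", e.get("cmdline"))),
    ("psexec_remote_execution", 2,
     lambda e: e["type"] == "process" and _re(r"psexe(c|svc)(\.exe)?$", e.get("image"))),
    ("cring_registry_key", 2,
     lambda e: e["type"] == "registry"
     and _normalize_key(e.get("key")).startswith("HKEY_LOCAL_MACHINE\\SOFTWARE\\CRING")),
    ("cring_mutex", 2,
     lambda e: e["type"] == "mutex" and e.get("name") == "Global\\Cring"),
    ("cring_extension_written", 4,
     lambda e: e["type"] == "file" and (e.get("path") or "").lower().endswith(".cring")),
    ("ransom_note_dropped", 1,
     lambda e: e["type"] == "file" and (e.get("path") or "").lower().endswith("\\readme.txt")),
    ("c2_domain_lookup", 3,
     lambda e: e["type"] == "dns" and (e.get("query") or "").lower().rstrip(".") == "cring.xyz"),
]


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_rules(event):
    """Return the names of every rule the event satisfies."""
    return [name for name, _, pred in RULES if pred(event)]


def score_hosts(events):
    """Aggregate rule hits per host into a score and a verdict.

    Each rule counts once per host so a burst of identical events does not inflate the
    score; the number of ".cring" writes is tracked separately because mass renaming is
    the signal that encryption is actually in progress.
    """
    weights = {name: w for name, w, _ in RULES}
    per_host = defaultdict(lambda: {"hits": set(), "encrypted_files": 0})
    for event in events:
        state = per_host[event["host"]]
        hits = match_rules(event)
        state["hits"].update(hits)
        if "cring_extension_written" in hits:
            state["encrypted_files"] += 1
    result = {}
    for host, state in per_host.items():
        score = sum(weights[h] for h in state["hits"])
        verdict = "high" if score >= 8 else "medium" if score >= 3 else "low"
        result[host] = {"score": score, "hits": sorted(state["hits"]),
                        "encrypted_files": state["encrypted_files"], "verdict": verdict}
    return result


if __name__ == "__main__":
    for host, r in sorted(score_hosts(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{host}: {r['verdict']:6} score={r['score']:2} "
              f"encrypted={r['encrypted_files']} hits={', '.join(r['hits'])}")
```

Run against the constructed feed, WS01 trips every host and network indicator and scores high; SRV02 only shows the PsExec launch, which is common administrative activity and stays low on its own; WS03 lands on medium because Defender tampering plus a readme.txt drop is worth a look even without the .cring extension. In production the weights would be tuned against your own baseline, and the registry, mutex and domain rules should be treated as brittle since the page notes the group updates its payload and C2 infrastructure.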
☠️ Risk & Impact
Cring causes full-file encryption, rendering critical production and administrative data inaccessible and leading to prolonged operational downtime and financial losses, with ransom demands ranging from $50,000 to $500,000 in Bitcoin. The primary affected sectors include energy, manufacturing, and IT services, particularly in Ukraine, Poland, and Germany, according to incident response reports from CrowdStrike. No data exfiltration has been publicly confirmed, but the ransomware's use of network scanning suggests that data access and theft may have been possible.
🛡️ Mitigation
Organizations should immediately patch FortiGate and SonicWall appliances against the exploited CVEs (CVE-2018-13379, CVE-2020-12812, CVE-2021-20028), enforce multi-factor authentication on VPNs, and deploy endpoint detection and response (EDR) with ransomware-specific behavioral rules. Maintaining offline, immutable backups and disabling WMI remote execution where unnecessary further reduces risk, as recommended by CISA's Ransomware Guide.