Examining the Cring Ransomware Techniques

Sr. Threat Research Engineer


Here is a more detailed description of this chain:

Initial Access

The Cring ransomware gains initial access either through unsecured or compromised RDP or through valid accounts.

The ransomware can also get into the system through certain vulnerability exploits. The abuse of the aforementioned Adobe ColdFusion flaw (CVE-2010-2861) to enter the system is a new development for the threat. In the past, Cring was also used to exploit a FortiGate VPN server vulnerability (CVE-2018-13379).

Credential Access

The threat actors behind Cring used weaponized tools in their attacks. One of these tools is Mimikatz, which was used to steal the account credentials of users who had previously logged into the system.

Lateral Movement and Defense Evasion

Lateral movement was done through Cobalt Strike. This tool was also used to distribute BAT files that would be used later for various purposes, including impairing the system's defenses.

Command and Control and Execution

Cobalt Strike was also used to continuously
