Experts from Kaspersky ICS CERT conducted an investigation into a series of Cring ransomware attacks. Among the victims were industrial enterprises in European countries, where hackers extorted bitcoins.
The attacks took place in early 2021 and, in at least one case, led to a temporary halt in production at two Italian plants of an international industrial group headquartered in Germany.
Investigators found that the Cring operators gained their initial foothold by exploiting a vulnerability in FortiGate VPN servers. It allows an unauthenticated attacker to connect to the device and remotely read a session file that contains a username and password in clear text.
The vendor fixed the issue in 2019, but not all device owners had applied the update. In autumn 2020, offers to buy a database of IP addresses of vulnerable devices began appearing on dark-web forums.
Having gained access to the first system in the corporate network, the Cring operators used the Mimikatz utility to steal the Windows credentials of users who had previously logged on to the initially compromised computer. This allowed the attackers to obtain the credentials of a domain administrator.
Next, the hackers selected several systems deemed critical for the operation of the industrial facility and launched Cring ransomware on them.
Attack scheme. Data: Kaspersky Lab.
To restore access to the encrypted servers, the operators demanded a ransom of 2 BTC.
Ransom note. Data: Kaspersky Lab.
Details of the attack indicate that the attackers carefully studied the attacked organization’s infrastructure.
“The attackers’ scripts masked the malware’s activity by simulating the security solution used at the enterprise, and terminated the processes of database servers (Microsoft SQL Server) and backup systems (Veeam) used on the systems selected for encryption,” said Kaspersky ICS CERT.
To prevent such attacks, the company's specialists recommend keeping antivirus databases and the software modules of the protective solutions used on devices up to date.
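The behaviour quoted above, stopping database and backup services on the hosts chosen for encryption, leaves a recognisable trace: several backup- and database-related services on one host enter the stopped state within seconds of each other. The following detection script is an added example and not part of the original article or of Kaspersky's research. It parses constructed, simplified Service Control Manager "service entered the stopped state" log lines (the host names, timestamps and the `SAMPLE_LOG` format are assumptions for illustration) and flags any host on which a threshold number of watched services stop inside a short window, while ignoring an isolated stop that looks like ordinary maintenance.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <host> <event id> <message>".
# The message text mirrors the Service Control Manager event 7036 format; the hosts,
# times and sequence are invented for this example.
SAMPLE_LOG = """\
2021-02-18T03:12:01 FILESRV01 7036 The Veeam Backup Service service entered the stopped state.
2021-02-18T03:12:02 FILESRV01 7036 The Veeam Broker Service service entered the stopped state.
2021-02-18T03:12:04 FILESRV01 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2021-02-18T03:12:05 FILESRV01 7036 The SQL Server Agent (MSSQLSERVER) service entered the stopped state.
2021-02-18T03:12:09 FILESRV01 7036 The Windows Update service entered the stopped state.
2021-02-18T09:30:00 DBSRV02 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2021-02-18T09:35:00 DBSRV02 7036 The SQL Server (MSSQLSERVER) service entered the running state.
"""

# Substrings identifying the backup and database services named in the article.
WATCHED = ("veeam", "sql server")

LINE_RE = re.compile(
    r"^(\S+) (\S+) (\d+) The (.+?) service entered the (\w+) state\.$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that are not
    service state-change events (event id 7036)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, event_id, service, state = m.groups()
    if event_id != "7036":
        return None
    return {
        "time": datetime.fromisoformat(ts),
        "host": host,
        "service": service,
        "state": state,
    }


def find_mass_stops(log_text, window=timedelta(minutes=5), threshold=3):
    """Return {host: [services]} for hosts where at least `threshold` watched
    services were stopped within any `window`-long interval."""
    stops = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["state"] != "stopped":
            continue
        if any(w in ev["service"].lower() for w in WATCHED):
            stops[ev["host"]].append((ev["time"], ev["service"]))

    alerts = {}
    for host, events in stops.items():
        events.sort()
        flagged = []
        start = 0
        # Sliding window over the chronologically sorted stop events.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                for _, svc in events[start:end + 1]:
                    if svc not in flagged:
                        flagged.append(svc)
        if flagged:
            alerts[host] = flagged
    return alerts


if __name__ == "__main__":
    for host, services in find_mass_stops(SAMPLE_LOG).items():
        print(f"ALERT {host}: backup/database services stopped together: {services}")
```

Run on the sample, the script raises one alert for `FILESRV01`, where four Veeam and SQL Server services stopped within five seconds, and stays silent for `DBSRV02`, whose single SQL Server restart is below the threshold. In production the same logic would be fed from the Security or System event log of each server, and the `WATCHED` list and threshold tuned to the backup and database products actually deployed.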
In late March, the internal systems of the Canadian IoT device maker Sierra Wireless were paralyzed by a ransomware attack.
An unnamed malware encrypted the company’s internal network, causing employees to lose access to documents and systems related to production and planning.
