{
	"id": "87f0d426-ef12-4b1a-a8f8-ff254852f860",
	"created_at": "2026-04-06T00:17:28.29765Z",
	"updated_at": "2026-04-10T03:24:24.477485Z",
	"deleted_at": null,
	"sha1_hash": "10b2f37f94ce3b2f0b23b9fed50ff784e5bf07ea",
	"title": "Examining the Cring Ransomware Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52626,
	"plain_text": "Examining the Cring Ransomware Techniques\r\nBy: Warren Sto.Tomas Sep 24, 2021 Read time: 4 min (1004 words)\r\nPublished: 2021-09-24 · Archived: 2026-04-05 16:22:58 UTC\r\nHere is a more detailed description of this chain:\r\nInitial Access\r\nThe Cring ransomware gains initial access either through unsecured or compromised RDP or through valid accounts.\r\nThe ransomware can also get into the system through certain vulnerability exploits. The abuse of the aforementioned Adobe ColdFusion flaw (CVE-2010-2861) to enter the system is a new development for the threat. In the past, Cring was also used to exploit a FortiGate VPN server vulnerability (CVE-2018-13379).\r\nCredential Access\r\nThreat actors behind Cring used weaponized tools in their attacks. One of these tools is Mimikatz, which was used to steal the account credentials of users who had previously logged into the system.\r\nLateral Movement and Defense Evasion\r\nLateral movement was done through Cobalt Strike. This tool was also used to distribute BAT files that will be used later for various purposes, including impairing the system’s defenses.\r\nCommand and Control and Execution\r\nCobalt Strike was also used to continuously communicate with the main command-and-control (C\u0026C) server. BAT files were used to download and execute the Cring ransomware on the other systems in the compromised network. It also uses the Windows CertUtil program to help with the said download.\r\nImpact\r\nOnce Cring has been executed in the system, it disables services and processes that might hinder the ransomware’s encryption routine. The threat will also delete backup files and folders. This will make restoring the encrypted files difficult for the victim, thereby placing more pressure on them to pay the ransom.\r\nThe ransomware will then proceed with its encryption routine and delete itself using a BAT file.\r\nRegions and industries with Cring ransomware detections\r\nBased on our data, most of the Cring ransomware detections for attempted attacks were observed in the Europe, the Middle East and Africa (EMEA) region. There have also been incidents in the Latin American Region (LAR), Asia Pacific (APAC), and North America (NABU).\r\nhttps://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html\r\nPage 1 of 4\r\nThe affected countries in the said regions were Azerbaijan, Brazil, Italy, Mexico, Saudi Arabia, the United States, and Turkey. With regard to industries, detections affected the finance and transportation sectors. Indeed, ransomware has been consistently attacking critical industries, as we discuss in our midyear report.\r\nHow to protect systems from ransomware\r\nWith ransomware, prevention is one of the most potent forms of protection. A proactive approach such as patching vulnerabilities and monitoring systems for signs of unusual behavior helps curb ransomware before it can cause any real damage to a system.\r\nIn the larger scheme of things, coming up with ransomware defense plans will help enterprises know which steps to prioritize. Here are some best practices that follow the lead of frameworks set by the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST):\r\nAudit events and take inventory. Audit both event and incident logs to spot suspicious behavior. Take note of all assets and data. Identify authorized and unauthorized devices and programs.\r\nConfigure and monitor. Manage hardware and software configurations. Only grant administrative privileges when necessary.\r\nPatch and update. Conduct regular vulnerability assessments and patching or virtual patching for operating systems and programs. Update software and applications.\r\nProtect systems and recover data. Administer data protection, backup, and recovery measures. Implement multifactor authentication (MFA).\r\nSecure and defend layers. Perform sandbox analysis to filter malicious emails. Employ security solutions on all layers of the system such as email, endpoint, web, and network.\r\nTrain and test. Conduct regular training and security skills assessments for employees. Perform red-team exercises and penetration tests.\r\nTrend Micro solutions\r\nOrganizations can benefit from multilayered protection (for layers such as endpoint, email, web, and network) with security solutions that can detect malicious components and help monitor concealed malicious behaviors in the system.\r\nTrend Micro Vision One™ spots suspicious behaviors that might seem insignificant when observed from only a single layer. Trend Micro Apex One™ protects endpoint devices through automated threat detection and response against ransomware, fileless threats, and other advanced concerns.\r\nTrend Micro Cloud One™ Workload Security defends systems against threats that exploit vulnerabilities. This is done through virtual patching, machine learning (ML), and harnessing the latest in global threat intelligence.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block ransomware before it gets into the system, since one of the ways ransomware spreads is through malicious emails.\r\nIndicators of Compromise (IOCs)\r\nSHA-256 | Trend Micro Pattern Detection\r\nf7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8 | Ransom.MSIL.CRYNG.A\r\ne687308cd4184e17c33fa9e44686e7d6a4d73adf65f7fb3cac9c4ad765b4ffdf | Ransom.Win32.CRING.C\r\n771a680f9a09a7a73ac2678f31f4d82fce49c046cc5f4c415cea5310b833911f | Trojan.BAT.DISABLER.AA\r\n71821ddb0b49f5b91fc520ca3de1c5ea7cee3bf166ddebd625859966fc5221a2 | Trojan.BAT.CRING.A\r\na999e096a9fb6a994f4d58b04001c61bb2d1fd0d4f0fa87a5be0b61b23591f24 | Trojan.PS1.COBEACON.FAIN\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nTactic | Technique\r\nInitial Access | T1078: Valid Accounts; T1190: Exploit Public-Facing Application\r\nExecution | T1059: Command and Scripting Interpreter\r\nPersistence | T1546.012: Event Triggered Execution: Image File Execution Options Injection\r\nPrivilege Escalation | T1078.002: Valid Accounts: Domain Accounts\r\nDefense Evasion | T1562.001: Impair Defenses: Disable or Modify Tools; T1070.004: Indicator Removal on Host: File Deletion\r\nCredential Access | T1003: OS Credential Dumping; T1552: Unsecured Credentials\r\nDiscovery | T1083: File and Directory Discovery\r\nLateral Movement | T1570: Lateral Tool Transfer; T1105: Remote File Copy; T1021: Remote Services\r\nCommand and Control | T1090: Proxy; T1105: Ingress Tool Transfer; T1043: Commonly Used Port; T1188: Multi-hop Proxy; T1094: Custom Command and Control Protocol\r\nExfiltration | T1041: Exfiltration Over C2 Channel\r\nImpact | T1486: Data Encrypted for Impact; T1489: Service Stop; T1485: Data Destruction; T1490: Inhibit System Recovery\r\nSource: https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html"
	],
	"report_names": [
		"examining-the-cring-ransomware-techniques.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434648,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/10b2f37f94ce3b2f0b23b9fed50ff784e5bf07ea.pdf",
		"text": "https://archive.orkl.eu/10b2f37f94ce3b2f0b23b9fed50ff784e5bf07ea.txt",
		"img": "https://archive.orkl.eu/10b2f37f94ce3b2f0b23b9fed50ff784e5bf07ea.jpg"
	}
}