The Cring ransomware group will be happy to infiltrate your network and hold your data hostage!
Imagine an 11-year-old Adobe ColdFusion 9 server still operating today—waiting to be compromised by cybercriminals.
That is what happened when Cring ransomware operators attacked just such an unpatched server. Timesheet and accounting data used for payroll were stolen, and the server was even used to host multiple virtual machines for the attackers' own purposes.
The breach took place within minutes, and the ransomware was activated 79 hours later.
According to Sophos, the cybersecurity firm that investigated the attack, the attackers began by scanning the target's website with automated tools. Once those scans identified a server running the unpatched ColdFusion software, they broke in within minutes. After the initial breach, the attackers used fairly sophisticated techniques to conceal their files, inject code into memory, and cover their tracks, overwriting files with garbled data and deleting logs and other artefacts that threat hunters would rely on in an investigation.
The attackers also left a ransom note stating that they had exfiltrated data that is "ready to leak in case we can not (sic) make a good deal."
Commenting on this, Andrew Brandt, the firm's Principal Researcher, said: "Devices running vulnerable, outdated software are low-hanging fruit for cyber attackers. Cring ransomware isn't new, but it's uncommon. In the incident we researched, the target was a services company, and all it took to break in was one internet-facing machine running old, out-of-date and unpatched software. The surprising thing is that this server was in active daily use. Often the most vulnerable devices are inactive or ghost machines, either forgotten about or overlooked when it comes to patching and upgrades."
IT administrators benefit from keeping an accurate inventory of all their connected assets, and should not leave out-of-date, business-critical systems exposed to the public internet, Brandt added.
Beyond those two warnings, about running old, unpatched software and maintaining an accurate inventory of connected assets, IT administrators should follow the usual best practices for resilience against ransomware attacks.
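As an added illustration of the inventory advice above (example code written for this page, not from the article or from Sophos), the Python below audits a constructed asset inventory for the two conditions Brandt describes: internet-facing hosts running end-of-life software, and "ghost" machines that have not checked in recently. The hostnames, versions, end-of-life dates and the 30-day ghost threshold are all assumptions made up for the example.

```python
import csv
from datetime import date, datetime
from io import StringIO

# Constructed inventory for illustration: hostnames, versions and end-of-life
# (eol) dates are made up and do not describe any real environment.
INVENTORY_CSV = """hostname,product,version,internet_facing,eol,last_seen
web-01,Adobe ColdFusion,9.0.2,yes,2014-12-31,2021-09-20
web-02,Adobe ColdFusion,2021,yes,2026-12-31,2021-09-20
app-03,Apache Tomcat,8.5.70,no,2024-03-31,2021-09-19
old-04,Windows Server,2008 R2,no,2020-01-14,2021-03-02
"""

GHOST_DAYS = 30  # assumed threshold: silent this long marks a possible ghost machine
EXAMPLE_TODAY = date(2021, 9, 21)  # fixed "today" so the example is reproducible


def _parse_date(text):
    return datetime.strptime(text.strip(), "%Y-%m-%d").date()


def audit_inventory(csv_text, today):
    """Return (hostname, severity, reason) tuples for assets needing attention.

    critical: internet-facing and past vendor end-of-life (the exposure in this incident)
    high:     past end-of-life but only reachable internally
    medium:   not seen for more than GHOST_DAYS (forgotten or 'ghost' machine)
    """
    findings = []
    for row in csv.DictReader(StringIO(csv_text)):
        host = row["hostname"]
        product = "%s %s" % (row["product"], row["version"])
        exposed = row["internet_facing"].strip().lower() == "yes"
        past_eol = _parse_date(row["eol"]) < today
        silent_days = (today - _parse_date(row["last_seen"])).days
        if past_eol and exposed:
            findings.append((host, "critical", "%s is internet-facing and past end-of-life" % product))
        elif past_eol:
            findings.append((host, "high", "%s is past end-of-life" % product))
        if silent_days > GHOST_DAYS:
            findings.append((host, "medium", "not seen for %d days; possible ghost machine" % silent_days))
    return findings


if __name__ == "__main__":
    for host, severity, reason in audit_inventory(INVENTORY_CSV, EXAMPLE_TODAY):
        print("%-8s %-8s %s" % (host, severity, reason))
```

In a real deployment the CSV would come from the asset management or CMDB export, and the end-of-life dates from the vendors' published support lifecycles.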