The operators of the Cring ransomware are targeting users of Adobe VPN by exploiting an 11-year-old Adobe flaw. The group is known for exploiting old bugs in Adobe ColdFusion 9.

The recent attack

In the recent incident, the target was a services company having one internet-facing machine with old, out-of-date, and unpatched software.
  • Hackers exploited the flaws in Adobe ColdFusion, allowing them to target old Microsoft and Adobe products that have reached end-of-life.
  • The group used simple yet effective techniques to hide its files, such as injecting code into memory hiding tracks by overwriting files with garbage data or deleting logs.

Modus Operandi

Attackers first scanned the victim's website with automated tools to quickly discover the unpatched ColdFusion servers and gained its access.
They employed Mimikatz to move inside an organization and the Cobalt Strike tool to secure it inside the network to the hosts. 
  • They could reach to the file named password properties, and wrote garbled code on top to hide any footprints of their presence. 
  • About after two and a half days they obtained admin privileges and posted a ransom note.
  • Hackers then accessed timesheets/accounting information for payroll before compromising the internet-facing server and deployed the ransomware 79 hours later.

Who’s the Cring group

  • Cring ransomware operators focus their attacks on industrial businesses, where they intends to cease the production processes and result in financial losses.
  • The group is known for exploiting older vulnerabilities in its attacks.
  • The Cring ransomware group has been linked to hackers in Belarus and Ukraine. 


The dangers of using old and unpatched software are once again demonstrated by the Cring actors. Organizations must understand the risk of using aging software in their network. They should enforce processes for timely upgrades and make sure that no out-of-date critical business systems are facing the public internet.

Cyware Publisher