GitHub: yankywilson/ghost-cring-defender-toolkit
# Ghost (Cring) Ransomware — Defender Toolkit
## What this is
A defender-focused companion to a binary-level case study of one ransomware sample listed in **CISA / FBI / MS-ISAC joint advisory AA25-050A** (#StopRansomware: Ghost (Cring) Ransomware). The advisory provided MD5-only IOCs and family-level TTPs. This repository extracts what binary analysis adds on top: behavioral signatures, hunt-quality artifacts, and operational hardening that the advisory does not surface.
**Sample under analysis:**
| Field | Value |
|---|---|
| Filename per advisory | `Cring.exe` |
| MD5 | `c5d712f82d5d37bb284acd4468ab3533` |
| **SHA-256** | `f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8` |
| SHA-1 | `3426e8dcb104d9b01874498fb44c6e460228a9a0` |
| File type | PE32, .NET Framework 4.0, MSIL/C# |
| Size | 17,408 bytes |
| First public sighting | 8 April 2021 (MalwareBazaar) |
| Internal name | `Crypt3r` |
| Source advisory | [AA25-050A](https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a), 19 February 2025 |
## ⚠️ Scope and currency caveat — read this first
**Treat this toolkit as:**
- ✅ **Solid** — for historical Ghost / Cring / Crypt3r incidents and any environments still seeing this exact payload
- ✅ **Useful** — as a pattern library for the family; the AES-CBC + RSA-OAEP hybrid architecture, the LOLBin-driven service kill chain, the .NET runtime dependency, and the network-drive targeting profile all generalise across the family
- ✅ **Honest** — every detection rule is annotated with which artifact it keys on so you can decide whether it survives variant evolution
- ⚠️ **Not current** — for what active Ghost operators deployed last week; for that, ingest the latest CISA STIX bundle and supplement with these patterns
Generalisable findings versus sample-specific findings are tagged throughout.
## Repository layout
```text
ghost-cring-defender-toolkit/
├── README.md                  ← you are here
├── docs/
│   ├── THREAT-PROFILE.md      ← Ghost family characterisation
│   ├── BINARY-ANATOMY.md      ← what the sample does, in detail
│   ├── ADVISORY-GAP-NOTES.md  ← what AA25-050A omits
│   └── REFERENCES.md          ← external sources
├── detection/
│   ├── yara/                  ← static signatures
│   ├── sigma/                 ← platform-neutral behavioral rules
│   ├── splunk/                ← SPL searches
│   ├── sentinel/              ← KQL queries for Microsoft Sentinel / Defender XDR
│   ├── elastic/               ← EQL / ES|QL queries
│   └── crowdstrike/           ← CrowdStrike Falcon search queries
├── intel/
│   ├── stix/                  ← STIX 2.1 JSON IOC bundle
│   ├── iocs/                  ← flat-file IOC lists (one per type)
│   └── ATTRIBUTION-NOTES.md   ← what binary artifacts reveal
├── hunting/
│   ├── HUNT-HYPOTHESES.md     ← named hunts with rationale
│   ├── kql-hunts.md           ← KQL hunt queries with explanations
│   └── splunk-hunts.md        ← SPL hunt queries with explanations
├── hardening/
│   ├── PREVENTION-CHECKLIST.md ← prioritised hardening steps
│   ├── BACKUP-STRATEGY.md     ← ransomware-resilient backup design
│   └── windows-hardening.md   ← Windows-specific controls
├── playbooks/
│   ├── IR-PLAYBOOK.md         ← we just got hit
│   ├── HUNT-PLAYBOOK.md       ← we suspect we're compromised
│   └── tabletop-scenario.md   ← red-team exercise script
├── network/
│   ├── firewall-rules.md      ← suggested egress controls
│   └── proxy-blocklists.md    ← email service blocking guidance
└── mitre/
    └── attack-navigator-layer.json ← MITRE ATT&CK Navigator layer
```
## Quick start by role
| You are a… | Start here |
|---|---|
| **SOC analyst** with a fresh alert | [`playbooks/HUNT-PLAYBOOK.md`](playbooks/HUNT-PLAYBOOK.md) |
| **IR responder** with a confirmed incident | [`playbooks/IR-PLAYBOOK.md`](playbooks/IR-PLAYBOOK.md) |
| **Threat hunter** building proactive queries | [`hunting/HUNT-HYPOTHESES.md`](hunting/HUNT-HYPOTHESES.md) |
| **Detection engineer** writing new rules | [`detection/sigma/`](detection/sigma/) and the per-platform folders |
| **Security architect** planning prevention | [`hardening/PREVENTION-CHECKLIST.md`](hardening/PREVENTION-CHECKLIST.md) |
| **CTI analyst** ingesting indicators | [`intel/stix/aa25-050a-cring-extended.json`](intel/stix/) |
| **Tabletop exercise lead** | [`playbooks/tabletop-scenario.md`](playbooks/tabletop-scenario.md) |
| **Reading this for portfolio review** | [`docs/ADVISORY-GAP-NOTES.md`](docs/ADVISORY-GAP-NOTES.md) ← the analytical contribution |
## What the AA25-050A advisory gave us — and what it didn't
The advisory provided:
- 14 MD5 hashes (Table 2)
- 33 ransom email addresses (Table 3)
- 11 third-party tools used by the actor (Table 1)
- A full MITRE ATT&CK mapping (Tables 4–13)
- A list of six initial-access CVEs
- The verbatim Defender-disable PowerShell command line — a high-fidelity detection rule
- The base64 prefix of the encoded PowerShell Beacon loader
The advisory **did not** provide for this MD5:
- SHA-256, SHA-1, SSDEEP, or imphash (these exist in the STIX bundle for this sample, but not in the PDF)
- The ransom email associated with this sample (`qkhooks0708@protonmail.com`)
- The dropped batch artifact names and hashes (`kill.bat` MD5 `fe0ccc3a...`, `killme.bat`)
- The targeted file-extension list (22 patterns recoverable statically)
- The embedded RSA public-key blob (a per-operator hunt anchor)
- The .NET Framework 4.0 runtime dependency
- Build-environment artifacts: leaked PDB path, assembly GUID, default VS template residue
- The required `cc` command-line execution gate
- The specific service kill list and process termination targets
This repo fills those gaps for the sample at hand. See [`docs/ADVISORY-GAP-NOTES.md`](docs/ADVISORY-GAP-NOTES.md) for the full breakdown.
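As an added example that is not part of this repository's detection content, the Python below shows how three of the artifacts listed above (the sample SHA-256, the `cc` execution gate, and the `kill.bat` / `killme.bat` drops) can be keyed in a detection, with each rule tagged by the artifact it relies on so you can judge whether it survives a variant. The event shape (Sysmon-style dicts, `eid` 1 for process creation and 11 for file creation), the host names, the paths and the timestamps are constructed for the example; only the hash and the two file names come from this README.

```python
"""Keyed detection over constructed endpoint events.
Added example for this README, not part of the repository's detection content.
Anchors taken from the README: the sample SHA-256, the `cc` execution gate and the
kill.bat / killme.bat drop names. Event shape, hosts, paths and times are invented."""
import ntpath
import shlex
from collections import defaultdict

# Sample-specific: exact hash of the analysed Cring.exe (from the README table).
CRING_SHA256 = "f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8"
# Sample-specific names; the batch-driven service-kill step itself is family-general.
BATCH_DROP_NAMES = {"kill.bat", "killme.bat"}
# Sample-specific: the binary only does work when its sole argument is "cc".
EXECUTION_GATE_ARG = "cc"

# Constructed Sysmon-style events: eid 1 = ProcessCreate, eid 11 = FileCreate.
SAMPLE_EVENTS = [
    {"host": "WS-0412", "eid": 1, "ts": "2025-02-18T09:12:31Z",
     "image": r"C:\Users\j.doe\AppData\Local\Temp\Cring.exe",
     "cmdline": r'"C:\Users\j.doe\AppData\Local\Temp\Cring.exe" cc',
     "sha256": CRING_SHA256},
    {"host": "WS-0412", "eid": 11, "ts": "2025-02-18T09:12:33Z",
     "target": r"C:\Users\j.doe\AppData\Local\Temp\kill.bat"},
    {"host": "WS-0412", "eid": 11, "ts": "2025-02-18T09:12:34Z",
     "target": r"C:\Users\j.doe\AppData\Local\Temp\killme.bat"},
    # A rebuilt or renamed variant: hash unknown, behaviour unchanged.
    {"host": "SRV-FS01", "eid": 1, "ts": "2025-02-18T09:40:02Z",
     "image": r"C:\Windows\Temp\svchost32.exe",
     "cmdline": "svchost32.exe cc", "sha256": "0" * 64},
    {"host": "SRV-FS01", "eid": 11, "ts": "2025-02-18T09:40:05Z",
     "target": r"C:\Windows\Temp\kill.bat"},
    # Benign noise: a developer shell invoking a compiler called cc.
    {"host": "DEV-07", "eid": 1, "ts": "2025-02-18T10:01:00Z",
     "image": r"C:\msys64\usr\bin\bash.exe",
     "cmdline": "bash.exe -c cc", "sha256": "1" * 64},
]


def rule_known_hash(ev):
    """Sample-specific: matches nothing but this exact build."""
    if ev["eid"] == 1 and ev.get("sha256", "").lower() == CRING_SHA256:
        return {"rule": "cring_known_sha256", "tier": "sample-specific", "evidence": ev["image"]}
    return None


def rule_cc_gate(ev):
    """Sample-specific: keyed on argv shape (exactly two tokens, second is 'cc'),
    so renaming the executable does not evade it; a rebuild with a new gate does."""
    if ev["eid"] != 1:
        return None
    argv = shlex.split(ev["cmdline"], posix=False)  # Windows: backslashes are not escapes
    if len(argv) == 2 and argv[1].lower() == EXECUTION_GATE_ARG:
        return {"rule": "cring_cc_execution_gate", "tier": "sample-specific", "evidence": ev["cmdline"]}
    return None


def rule_batch_drop(ev):
    """Drop of the helper batch files that drive the LOLBin service-kill chain."""
    if ev["eid"] == 11 and ntpath.basename(ev["target"]).lower() in BATCH_DROP_NAMES:
        return {"rule": "cring_batch_drop",
                "tier": "family-general (pattern), sample-specific (names)",
                "evidence": ev["target"]}
    return None


RULES = (rule_known_hash, rule_cc_gate, rule_batch_drop)


def detect(events):
    """Run every rule over every event; return one finding per hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"host": ev["host"], "ts": ev["ts"], **hit})
    return findings


def triage(events):
    """Per-host verdict. A hash hit alone is 'confirmed'; the gate plus a batch drop on
    the same host is 'likely' (behavioural, survives a rebuild); anything weaker is 'review'."""
    rules_by_host = defaultdict(set)
    for f in detect(events):
        rules_by_host[f["host"]].add(f["rule"])
    verdicts = {}
    for host, rules in rules_by_host.items():
        if "cring_known_sha256" in rules:
            verdicts[host] = "confirmed"
        elif {"cring_cc_execution_gate", "cring_batch_drop"} <= rules:
            verdicts[host] = "likely"
        else:
            verdicts[host] = "review"
    return verdicts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']:9} {f['rule']:26} [{f['tier']}] {f['evidence']}")
    print(triage(SAMPLE_EVENTS))
```

The point of the tiering is visible in the constructed data: the renamed build on `SRV-FS01` never matches the hash, but the `cc` gate and the batch drop still fire together, while a developer shell passing `cc` as one of several arguments does not trip the gate rule on its own. Treat the `cc` rule as a correlation input rather than a stand-alone alert; a two-token command line ending in `cc` is rare but not unique.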
## Decryption advisory — important
**Files encrypted by this binary cannot be decrypted without the operator's RSA private key.**
The binary implements hybrid encryption correctly: each file is encrypted with AES-CBC under a freshly generated random 256-bit key and 128-bit IV, and that per-file key is wrapped with RSA-OAEP under a 2048-bit public key embedded in the binary. Only the holder of the matching private key can unwrap the file keys. There is no:
- Hardcoded AES key
- Weak random number generator
- Key reuse across files
- Implementation flaw that yields plaintext recovery
The only paths to recovery are:
1. **Restore from clean offline backups** — see [`hardening/BACKUP-STRATEGY.md`](hardening/BACKUP-STRATEGY.md)
2. **Volume Shadow Copy recovery** — this sample, unusually, does NOT delete shadow copies (the advisory maps T1490 at the family level, but this specific MD5 does not enact it). Run `vssadmin list shadows` from an elevated prompt before assuming shadow copies are gone, and compare each snapshot's creation time with the first encryption timestamp: a snapshot taken after encryption began already holds encrypted data. Operators can still delete snapshots by hand before or after running the payload, so treat surviving snapshots as a bonus, not as the backup plan.
3. **Negotiation channels** — out of scope for this repository; consult law enforcement and your incident-response retainer
Do not run any tool claiming to decrypt `.cring` files without operator private-key access. Such tools do not exist.
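To make the shadow-copy check above repeatable, here is an added example (not code from this repository) that parses `vssadmin list shadows` output and reports, per volume, the newest snapshot created before encryption began. The listing embedded in the script is constructed: the set IDs, shadow copy IDs, host name and timestamps are invented, but the layout follows what `vssadmin` prints. The timestamp format assumes a US English system locale; adjust `TIME_FORMAT` for other locales.

```python
"""Parse `vssadmin list shadows` output and report which snapshots predate encryption.
Added example for this README, not part of the repository. The listing below is
constructed (IDs, host and timestamps invented) but follows the layout vssadmin prints."""
import re
import subprocess
import sys
from collections import defaultdict
from datetime import datetime

SAMPLE_LISTING = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {6c1f0e4a-1111-4a2b-9c3d-000000000001}
   Contained 1 shadow copies at creation time: 2/17/2025 11:02:14 PM
      Shadow Copy ID: {9a0b3c2d-aaaa-4bbb-8ccc-00000000000a}
         Original Volume: (C:)\\?\Volume{11111111-2222-3333-4444-555555555555}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: SRV-FS01.corp.example
         Service Machine: SRV-FS01.corp.example
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {6c1f0e4a-1111-4a2b-9c3d-000000000002}
   Contained 2 shadow copies at creation time: 2/18/2025 6:00:03 AM
      Shadow Copy ID: {9a0b3c2d-aaaa-4bbb-8ccc-00000000000b}
         Original Volume: (C:)\\?\Volume{11111111-2222-3333-4444-555555555555}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
      Shadow Copy ID: {9a0b3c2d-aaaa-4bbb-8ccc-00000000000c}
         Original Volume: (D:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
"""
# What vssadmin prints when no snapshots exist at all.
NO_SHADOWS = "No items found that satisfy the query."

_SET_TIME = re.compile(r"Contained \d+ shadow copies at creation time: (.+)$")
_COPY_ID = re.compile(r"Shadow Copy ID: (\{[0-9A-Fa-f-]+\})")
_ORIG_VOL = re.compile(r"Original Volume: \(([A-Za-z]:)\)")
_SHADOW_VOL = re.compile(r"Shadow Copy Volume: (\S+)")
# vssadmin formats timestamps in the system locale; this pattern assumes US English.
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_shadow_listing(text):
    """Return one dict per shadow copy: id, volume, device path, creation datetime."""
    shadows, created, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SET_TIME.search(line):
            created = datetime.strptime(m.group(1).strip(), TIME_FORMAT)
        elif m := _COPY_ID.search(line):
            current = {"id": m.group(1), "created": created, "volume": None, "device": None}
            shadows.append(current)
        elif current is not None and (m := _ORIG_VOL.search(line)):
            current["volume"] = m.group(1).upper()
        elif current is not None and (m := _SHADOW_VOL.search(line)):
            current["device"] = m.group(1)
    return shadows


def snapshots_by_volume(text):
    """Group parsed snapshots by drive letter, oldest first."""
    by_vol = defaultdict(list)
    for s in parse_shadow_listing(text):
        by_vol[s["volume"]].append(s)
    return {v: sorted(lst, key=lambda s: s["created"]) for v, lst in by_vol.items()}


def usable_snapshots(text, encryption_started):
    """Newest snapshot per volume created strictly before encryption began (None if
    none qualifies). A snapshot taken after that point already holds encrypted data.
    `encryption_started` may be a datetime or an ISO-8601 string."""
    if isinstance(encryption_started, str):
        encryption_started = datetime.fromisoformat(encryption_started)
    result = {}
    for vol, lst in snapshots_by_volume(text).items():
        older = [s for s in lst if s["created"] < encryption_started]
        result[vol] = older[-1] if older else None
    return result


if __name__ == "__main__":
    if sys.platform == "win32":  # needs an elevated prompt
        listing = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True,
                                 text=True, check=True).stdout
    else:
        listing = SAMPLE_LISTING
    # Substitute the earliest .cring file mtime observed in the incident.
    cutoff = datetime(2025, 2, 18, 9, 12)
    for vol, snap in usable_snapshots(listing, cutoff).items():
        print(vol, snap["device"] if snap else "no pre-encryption snapshot",
              snap["created"] if snap else "")
```

Run it on the affected host from an elevated prompt; on anything other than Windows it falls back to the constructed listing. The cutoff should be the earliest encrypted-file timestamp you can establish, not the time the alert fired, since the payload may have been running for a while before detection.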
## Attribution and limitations
- All analysis was performed in an isolated FLARE-VM Windows 11 sandbox with no network egress.
- The sample is .NET; dnSpy decompilation produced near-source C#, from which the findings in `docs/`, `detection/` and `intel/` are derived.
- Findings are categorised in each file as **Sample-specific**, **Family-general**, or **Methodological**.
- Cryptographic claims (algorithm, mode, padding) are derived from static decompilation, not from a chosen-plaintext attack.
- This work does not address or refute AA25-050A's actor-attribution claims (China-located actors, 70+ countries impacted). Those rest on FBI investigative data not accessible to outside analysts.
## License
MIT for all documentation and detection logic. The advisory text itself remains TLP:CLEAR per CISA's distribution terms.
## Acknowledgments
- CISA, FBI, MS-ISAC for AA25-050A
- abuse.ch MalwareBazaar for sample availability
- Recorded Future Triage (tria.ge) for the public sandbox corpus
- The dnSpy, CAPA, FLARE-VM, PEStudio, and Detect It Easy maintainers
- The original Cring family disclosure by Amigo_A (BleepingComputer, January 2021) and the Sophos Labs writeup of the same period
*Built as a companion artifact to a multi-case academic study on advisory-reality discrepancies in published cybersecurity advisories. Constructive critique, defender first.*