Cylance Ransomware

New Cylance Ransomware with Power-Packed CommandLine Options

Ransomware Targets Both Windows and Linux Operating System Users

Ransomware remains one of the most significant threats to organizations: it encrypts victims' files and demands payment in exchange for the decryption key. Attacks can result in financial loss, data loss, and reputational damage. Because the potential financial gain is so large, new ransomware groups keep emerging.

Recently, Cyble Research and Intelligence Labs (CRIL) came across a tweet from Unit 42, Palo Alto Networks' threat intelligence team, describing a new ransomware with both Linux and Windows variants. It appears to still be in development: little is known about its victims, and the group has not set up a leak site to name them.

The ransom note identifies the malware as "Cylance" ransomware. It should not be confused with the security company Cylance, which was acquired by BlackBerry; the two are unrelated. This post gives technical details of both the Windows and Linux versions.

Technical details

Cylance Ransomware: Windows

For analysis we used the sample with SHA256 ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd, a 32-bit console executable built with the Microsoft Visual C/C++ compiler for Windows.

Figure 1 – Static Windows ransomware executable file details

Cylance ransomware accepts several command-line switches that tailor how it encrypts, as listed below:

  • -path: the path targeted for encryption.
  • -mode: the processing mode, one of "full", "fast", "split" or "custom".
      Full mode: encrypts every file regardless of size or type, and all of the data in each file.
      Fast mode: encrypts every file type, but only the first 1 MB of each file.
      Split mode: encrypts each file from a given offset onward; requires the "-skip" switch.
      Custom mode: encrypts every file type over a custom offset range; requires the "-skip" switch.
  • -priority: the priority level of the ransomware; the value "off" disables the priority setting, any other value enables it.
  • -skip: the number of bytes to skip during encryption.
  • -power: the action taken after the run completes: "shutdown" turns the system off, "restart" reboots it.
  • -console: displays the encryption statistics.
  • -nomutex: runs without creating the mutex.
  • -nonet-drive: excludes network drives from encryption.
  • -nodel: does not delete the ransomware binary after encryption completes.

If the ‘-path’ parameter is not specified, the encryption process will proceed sequentially by scanning the drives starting from A-Z.
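The switch list above is also a detection opportunity: process-creation telemetry (Sysmon Event ID 1, Security Event ID 4688 with command-line auditing) records the full command line. The following added example, written for this post rather than taken from the sample or from Cyble, parses a captured command line against the documented switches, reports inconsistencies such as split/custom mode without -skip, and applies a simple heuristic to flag likely Cylance invocations. Case-insensitive matching, the default scope string and the sample command lines are assumptions and constructed data, not observed behaviour.

```python
import shlex

# Switches documented for the Windows build (see the list above). Matching is
# done case-insensitively, which is an assumption: the page does not state how
# strictly the sample parses its arguments.
VALUE_SWITCHES = {"-path", "-mode", "-priority", "-skip", "-power"}
FLAG_SWITCHES = {"-console", "-nomutex", "-nonet-drive", "-nodel"}
MODES = {"full", "fast", "split", "custom"}
MODES_NEEDING_SKIP = {"split", "custom"}
# Switches with no plausible benign meaning; one of them is enough to alert.
RARE_SWITCHES = {"-nomutex", "-nonet-drive", "-nodel"}


def parse_cylance_args(cmdline):
    """Parse a captured command line into (options, problems).

    `options` maps each switch seen to its value (True for flags);
    `problems` lists inconsistencies such as split/custom mode without -skip.
    """
    try:
        argv = shlex.split(cmdline, posix=False)  # keep backslashes literal
    except ValueError as exc:
        return {}, [f"cannot tokenise: {exc}"]
    opts, problems = {}, []
    i = 1  # argv[0] is the image name
    while i < len(argv):
        tok = argv[i].lower()
        if tok in VALUE_SWITCHES:
            if i + 1 >= len(argv):
                problems.append(f"{tok} has no value")
                break
            opts[tok] = argv[i + 1].strip('"')
            i += 2
        elif tok in FLAG_SWITCHES:
            opts[tok] = True
            i += 1
        else:
            problems.append(f"unrecognised token {argv[i]!r}")
            i += 1
    mode = opts.get("-mode")
    if mode is not None:
        mode = mode.lower()
        if mode not in MODES:
            problems.append(f"unknown mode {mode!r}")
        elif mode in MODES_NEEDING_SKIP and "-skip" not in opts:
            problems.append(f"mode {mode} requires -skip")
    if "-skip" in opts and not opts["-skip"].isdigit():
        problems.append("-skip is not a byte count")
    if "-power" in opts and opts["-power"].lower() not in ("shutdown", "restart"):
        problems.append(f"unknown -power action {opts['-power']!r}")
    return opts, problems


def encryption_scope(opts):
    """Where encryption starts: -path if given, otherwise every drive A-Z."""
    return opts.get("-path") or "all drives A: to Z:"


def is_suspicious(cmdline):
    """Detection heuristic for process-creation telemetry.

    -path/-mode/-skip are generic enough to appear in legitimate tools, so
    require either a rare switch or three documented switches together.
    """
    opts, _ = parse_cylance_args(cmdline)
    seen = set(opts) & (VALUE_SWITCHES | FLAG_SWITCHES)
    return bool(seen & RARE_SWITCHES) or len(seen) >= 3


# Constructed sample command lines (not from real telemetry).
SAMPLE_CMDLINES = [
    r'C:\Users\Public\svc.exe -path "D:\Shares" -mode split -skip 1048576 -nonet-drive -nodel',
    r'C:\Temp\upd.exe -mode custom -power shutdown',
    r'C:\Windows\System32\robocopy.exe D:\src E:\dst /MIR',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        opts, problems = parse_cylance_args(line)
        print(is_suspicious(line), encryption_scope(opts), opts, problems)
```

The second sample is deliberately not flagged by the heuristic even though its -mode/-skip combination is inconsistent: an analyst reviewing the `problems` output still sees the mismatch, while a two-switch rule alone would generate noise on unrelated tools that take -mode or -path.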

Modify privileges:

When executed, the ransomware first enables a set of Windows privileges in its own access token, unlocking actions that are normally reserved for highly privileged processes: debugging other processes, changing system security settings, and bypassing file permissions when backing up or restoring files and directories. Enabling a privilege only succeeds if the token already holds it in a disabled state; the token adjustment cannot add privileges the account was never granted, so this step works as intended only when the sample runs from an elevated (administrator) context.

Below is the list of privileges that the ransomware tries to enable:

  • SeDebugPrivilege: allows a process to debug other processes running on the system.
  • SeRestorePrivilege: allows a process to bypass certain security restrictions when restoring files or directories.
  • SeBackupPrivilege: allows a process to bypass certain security restrictions when backing up files or directories. This privilege is typically used by backup and restore programs.
  • SeTakeOwnershipPrivilege: allows a process to take ownership of objects on the system, such as files, directories, and registry keys.
  • SeAuditPrivilege: allows a process to generate audit messages for specific security events on the system.
  • SeSecurityPrivilege: allows a process to modify system security settings, such as user rights and privileges, audit policies, and security policies.
  • SeIncreaseBasePriorityPrivilege: allows a process to increase its own base process priority, potentially allowing it to use more system resources and execute more quickly.

The following code snippet is an illustration of how ransomware modifies privileges.

Figure 2 – Modify privileges
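On a host where the "Audit Token Right Adjusted" subcategory is enabled, each privilege enablement is recorded as Security Event ID 4703 ("A user right was adjusted") with the process name and an EnabledPrivilegeList field. The following added example, written for this post and not code from the sample or from Cyble, unions the privileges each process enabled across its 4703 events and alerts when an image outside an allowlist turns on several of the seven privileges listed above at once. The events are constructed records shaped like 4703, the allowlist is a placeholder to be tuned per environment, and the assumption that the sample enables the privileges one call at a time is exactly that.

```python
import re

# Privileges the Windows build tries to enable (the list above).
CYLANCE_PRIVILEGES = {
    "SeDebugPrivilege", "SeRestorePrivilege", "SeBackupPrivilege",
    "SeTakeOwnershipPrivilege", "SeAuditPrivilege", "SeSecurityPrivilege",
    "SeIncreaseBasePriorityPrivilege",
}
# Assumption: site-specific allowlist for images that legitimately adjust
# privileges (system services, backup agents, EDR); tune to the environment.
ALLOWLISTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
THRESHOLD = 4  # distinct privileges from the set, enabled by one process

PRIVILEGE_RE = re.compile(r"Se[A-Za-z]+Privilege")


def enabled_privileges(event):
    """Names in EnabledPrivilegeList ('-' means none); separators vary, so regex."""
    return set(PRIVILEGE_RE.findall(event.get("EnabledPrivilegeList", "")))


def privileges_by_process(events):
    """Union the privileges each process enabled across all its 4703 events."""
    by_proc = {}
    for ev in events:
        if str(ev.get("EventID")) != "4703":
            continue
        key = (ev.get("ProcessId"), ev.get("ProcessName", ""))
        by_proc.setdefault(key, set()).update(enabled_privileges(ev))
    return by_proc


def alerts(events):
    """Processes outside the allowlist that enabled THRESHOLD+ listed privileges."""
    out = []
    for (pid, image), privs in privileges_by_process(events).items():
        overlap = privs & CYLANCE_PRIVILEGES
        if len(overlap) >= THRESHOLD and not image.lower().startswith(ALLOWLISTED_PREFIXES):
            out.append({"pid": pid, "image": image, "privileges": sorted(overlap)})
    return out


def make_event(pid, image, *privs):
    """Build a constructed 4703-shaped record (not a real log entry)."""
    return {"EventID": 4703, "ProcessId": pid, "ProcessName": image,
            "EnabledPrivilegeList": "\n\t\t\t".join(privs) if privs else "-",
            "DisabledPrivilegeList": "-"}


# Constructed sample: one event per privilege for the suspect process (assuming
# one AdjustTokenPrivileges call each), a noisy-but-allowlisted system process,
# a single-privilege admin tool, and an unrelated event type.
SAMPLE_EVENTS = (
    [make_event("0x1a2c", r"C:\Users\victim\Downloads\update.exe", p)
     for p in sorted(CYLANCE_PRIVILEGES)]
    + [make_event("0x3f0", r"C:\Windows\System32\svchost.exe", "SeDebugPrivilege",
                  "SeBackupPrivilege", "SeRestorePrivilege", "SeSecurityPrivilege"),
       make_event("0x9b4", r"C:\Tools\procexp64.exe", "SeDebugPrivilege"),
       {"EventID": 4688, "ProcessName": r"C:\Windows\System32\cmd.exe"}]
)

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(hit)
```

Aggregating per process matters: a single 4703 event showing SeDebugPrivilege is routine, whereas one unsigned binary in a user-writable path enabling backup, restore, take-ownership and debug rights in quick succession is the pattern the figure above produces.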

After adjusting its privileges, the ransomware creates a mutex named "Global\CylanceMutex" so that only one instance runs on the machine at a time. If the mutex already exists, it exits, as shown in the figure below.

Figure 3 – Create mutex
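Because the sample exits when "Global\CylanceMutex" already exists, a defender can pre-create that mutex on at-risk hosts as a stopgap (a so-called vaccine). The following added example, written for this post and not code from the sample or from Cyble, does that with CreateMutexW via ctypes and keeps the handle open for as long as the process runs. It is only a stopgap: the -nomutex switch documented above skips the check entirely, and a rebuilt sample can use a different name.

```python
import ctypes
import sys

MUTEX_NAME = r"Global\CylanceMutex"
ERROR_ALREADY_EXISTS = 183


def running_on_windows():
    return sys.platform == "win32"


def hold_mutex(name=MUTEX_NAME):
    """Create the named mutex and return its handle (None off Windows).

    While this process lives, a later instance that creates the same mutex
    gets ERROR_ALREADY_EXISTS, which is the condition the ransomware exits on.
    """
    if not running_on_windows():
        return None
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.CreateMutexW.argtypes = (ctypes.c_void_p, ctypes.c_int, ctypes.c_wchar_p)
    kernel32.CreateMutexW.restype = ctypes.c_void_p
    handle = kernel32.CreateMutexW(None, 0, name)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    if ctypes.get_last_error() == ERROR_ALREADY_EXISTS:
        # Either another vaccine instance or the ransomware itself created it.
        print(f"{name} already exists: held by another process")
    return handle


if __name__ == "__main__":
    if hold_mutex() is None:
        print("not Windows: nothing to do")
    else:
        import time
        print(f"holding {MUTEX_NAME}; press Ctrl-C to release")
        try:
            while True:
                time.sleep(3600)
        except KeyboardInterrupt:
            pass
```

Run it as a service or scheduled task that starts at boot; the mutex disappears as soon as the holding process exits, so a one-off interactive run protects nothing after the window is closed.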

Persistence

Afterward, the ransomware creates a scheduled task entry for persistence, enabling it to run automatically every time the victim logs into their computer. The code snippet below depicts how the ransomware establishes persistence on the compromised system.

Figure 4 – Ransomware persistence

Next, the ransomware utilizes the GetDriveTypeW(), FindFirstVolumeW(), and FindNextVolumeW() API functions to gather details about disk volumes and their associated file systems. This helps the malware to determine the specific drives and directories that need to be encrypted during the encryption process, as shown in the below figure.

Figure 5 – Enumerate system drives

After obtaining the volume details, the ransomware enumerates folders and places a ransom note named “CYLANCE_README.txt” in multiple folders using the code snippet illustrated in the figure below.

Figure 6 – Malware writing Ransom note

The image below depicts the ransom note dropped by the ransomware, named “CYLANCE_README.txt,” which provides instructions to the victims to pay a ransom in return for the decryption tool.

Figure 7 – Cylance Ransom note

Once the ransom note is dropped, the ransomware searches through files and directories by utilizing the FindFirstFileW() and FindNextFileW() API functions to identify files that require encryption.

The ransomware encrypts files with Salsa20, a fast stream cipher. How much of each file is encrypted depends on the -mode switch given at execution.

Figure 8 – Code snippet of the encryption

During encryption, Cylance ransomware skips the folder names, file names, and file extensions listed below.

File extensions: .exe, .dll, .sys, .msi, .lnk, .drv, .efi, .Cylance

File names: Ntldr, ntuser.dat, bootsect.bak, ntuser.dat.log, autorun.inf, thumbs.db, iconcache.db, bootfont.bin, boot.ini, desktop.ini, ntuser.ini, bootmgr, BOOTNXT, CYLANCE_README.txt, LPW5.tmp, MSVC150.dll, LLKFTP.bmp

Folder names: Windows, $Windows.~bt, $windows.~ws, windows.old, windows nt, All Users, Public, Boot, Intel, PerfLogs, System Volume Information, MSOCache, $RECYCLE.BIN, Default, Config.Msi, tor browser, Microsoft, Google, Yandex
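The exclusion lists are easy to get wrong by hand during triage (folder entries apply to path components, not file names; ".Cylance" stops the sample re-encrypting its own output). The following added example, written for this post and not code from the sample or from Cyble, encodes the three lists above as a predicate over Windows paths and filters a listing down to what would be encrypted. Case-insensitive comparison is an assumption; the listing is constructed.

```python
import ntpath

# The three skip lists from the table above. Assumption: comparisons are
# case-insensitive, as Windows path handling normally is; the page does not
# say how the sample compares names.
SKIP_EXTENSIONS = {".exe", ".dll", ".sys", ".msi", ".lnk", ".drv", ".efi", ".cylance"}
SKIP_FILENAMES = {n.lower() for n in (
    "Ntldr", "ntuser.dat", "bootsect.bak", "ntuser.dat.log", "autorun.inf",
    "thumbs.db", "iconcache.db", "bootfont.bin", "boot.ini", "desktop.ini",
    "ntuser.ini", "bootmgr", "BOOTNXT", "CYLANCE_README.txt", "LPW5.tmp",
    "MSVC150.dll", "LLKFTP.bmp",
)}
SKIP_FOLDERS = {n.lower() for n in (
    "Windows", "$Windows.~bt", "$windows.~ws", "windows.old", "windows nt",
    "All Users", "Public", "Boot", "Intel", "PerfLogs",
    "System Volume Information", "MSOCache", "$RECYCLE.BIN", "Default",
    "Config.Msi", "tor browser", "Microsoft", "Google", "Yandex",
)}


def is_excluded(path):
    """Return (excluded, reason) for a Windows file path."""
    _, rest = ntpath.splitdrive(path)
    parts = [p for p in rest.replace("/", "\\").split("\\") if p]
    if not parts:
        return True, "no file name"
    *folders, name = parts
    for folder in folders:  # any excluded directory anywhere in the path
        if folder.lower() in SKIP_FOLDERS:
            return True, f"folder {folder!r}"
    if name.lower() in SKIP_FILENAMES:
        return True, f"file name {name!r}"
    ext = ntpath.splitext(name)[1].lower()
    if ext in SKIP_EXTENSIONS:
        # .cylance keeps the sample from re-encrypting its own output.
        return True, f"extension {ext!r}"
    return False, ""


def would_encrypt(paths):
    """Filter a listing down to the files the ransomware would touch."""
    return [p for p in paths if not is_excluded(p)[0]]


# Constructed listing (not from a real host).
SAMPLE_PATHS = [
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History",
    r"D:\Shares\Finance\q1.docx.Cylance",
    r"D:\Shares\Finance\desktop.ini",
    r"D:\Shares\Finance\CYLANCE_README.txt",
    r"D:\Shares\Finance\tor browser notes.txt",
    r"E:\backup\image.vhdx",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(is_excluded(p), p)
```

Note what the lists do not protect: user documents, shares and backup images are all in scope, while browser profile data under Google or Microsoft folders survives only because of the folder-name match.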

Finally, the ransomware writes each encrypted file with the ".Cylance" extension and replaces the original file with it using the MoveFileExW() API, as shown below.

Figure 9 – MoveFileExW() API

The below figure shows the files encrypted by Cylance ransomware after the successful infection of a victim’s machine.

Figure 10 – Files encrypted by Cylance Ransomware

Additionally, the ransomware deletes volume shadow copies through WMI. It identifies each copy and deletes it by ID with the following query, where "%s" is filled in with the copy's Win32_ShadowCopy.ID:

  • SELECT * FROM Win32_ShadowCopy where Win32_ShadowCopy.ID='%s'

When Threat Actors (TAs) delete shadow copies, it becomes difficult for the victims to restore their files through this method. As a result, the victims are more likely to pay the ransom demands to regain access to their files.

Upon completion of the infection process, the ransomware displays statistics detailing the operation. This includes the number of files that were encrypted, the number of files sent for encryption, the number of files processed during encryption, and the total amount of encrypted data.

The figure below illustrates the encryption details displayed by the ransomware after infection.

Figure 11 – File encryption details

Cylance Ransomware: Linux

The Linux sample is a 64-bit x86-64 ELF executable with SHA256 d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c. The figure below shows its static file details.

Figure 12 – Static Linux ransomware executable File Details

The TAs manually execute the Linux version of Cylance on the compromised system, providing the targeted folder as an argument. The Linux executable then proceeds to encrypt the files in the targeted folder and its subfolders while dropping a ransom note in each affected directory. The figure below shows the code responsible for dropping ransom notes in the system.

Figure 13 – Ransomware Dropping Ransom Notes and Finding Files Recursively

The Linux build uses the ChaCha stream cipher, a variant of Salsa20, for encryption. After encrypting a file it appends the ".Cylance" extension to the filename. The figure below shows the encryption loop and the extension handling.

Figure 14 – File Encryption and Ransomware Extension
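The Linux build's ChaCha and the Windows build's Salsa20 share one construction: a 256-bit key and a nonce expand into 64-byte keystream blocks indexed by a counter, and the keystream is XORed into the file data; only the round function and state layout differ. The following added example, written for this post and not code from the sample or from Cyble, implements ChaCha20 as specified in RFC 8439 and applies it the way the -mode switch from the Windows section selects a byte range (full, fast = first 1 MB, split = from the -skip offset onward). It serves both the Salsa20 and the ChaCha passages. Key, nonce and plaintext are made-up demo values; the sample's own key management, nonce handling and exact cipher parameters are not on the page and are not claimed here, and "custom" mode is left out because the page does not define its range.

```python
import struct

MASK = 0xFFFFFFFF
FAST_LIMIT = 1024 * 1024  # fast mode: only the first 1 MB of each file


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 layout: 256-bit key,
    32-bit block counter, 96-bit nonce)."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("key must be 32 bytes and nonce 12 bytes")
    initial = ([0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
               + list(struct.unpack("<8I", key))
               + [counter & MASK] + list(struct.unpack("<3I", nonce)))
    s = initial[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(s, initial)))


def chacha20_xor(key, nonce, data, counter=1):
    """XOR data with the keystream; the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        chunk = data[i:i + 64]
        ks = chacha20_block(key, counter + i // 64, nonce)[:len(chunk)]
        x = int.from_bytes(chunk, "little") ^ int.from_bytes(ks, "little")
        out += x.to_bytes(len(chunk), "little")
    return bytes(out)


def encryption_range(size, mode, skip=None):
    """Half-open byte range [start, end) that a given -mode encrypts."""
    if mode == "full":
        return 0, size
    if mode == "fast":
        return 0, min(size, FAST_LIMIT)
    if mode == "split":
        if skip is None:
            raise ValueError("split mode requires -skip")
        return min(skip, size), size
    raise ValueError(f"unsupported mode {mode!r}")


def encrypt_like_cylance(data, mode, key, nonce, skip=None):
    """Encrypt only the part of `data` the mode selects; the rest is copied."""
    start, end = encryption_range(len(data), mode, skip)
    return data[:start] + chacha20_xor(key, nonce, data[start:end]) + data[end:]


if __name__ == "__main__":
    key, nonce = bytes(range(32)), bytes(12)           # demo values only
    blob = bytes(range(256)) * (2 * FAST_LIMIT // 256)  # 2 MiB of plaintext
    enc = encrypt_like_cylance(blob, "fast", key, nonce)  # a few seconds in pure Python
    print("fast mode leaves the tail intact:", enc[FAST_LIMIT:] == blob[FAST_LIMIT:])
```

The block reproduces the RFC 8439 block-function and encryption test vectors, so the cipher is the real one rather than a sketch. The point that matters for incident response is the range logic: in fast and split mode everything outside the selected range is still plaintext, so partial content (and often a usable file signature for split mode, or the file body for fast mode beyond 1 MB) can be carved from ".Cylance" files without the key, while full mode leaves nothing.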

While encrypting files, the ransomware lists the filenames that have been processed for the encryption process, along with a detailed summary of the encryption statistics. This includes information such as the number of files that were successfully encrypted, the number of files that were not encrypted, the number of files that were skipped, as well as the total count and size of the encrypted data.

The figure below shows the encryption details after file encryption.

Figure 15 – File encryption details

The ransom note left by the malware contains instructions for the victims to contact the TAs via email, specifying their Unique Victim ID, in order to initiate the process of recovering their encrypted files.

The figure below shows the encrypted files and ransom note.

Figure 16 – Encrypted files and ransom note dropped by Cylance

Conclusion

From the primitive ransom note and the absence of a data leak website or support page, it can be inferred that the ransomware group is in its early stages. It’s worth noting that there is a growing trend of ransomware attacks targeting both Linux and Windows operating systems.

As organizations implement measures to protect themselves against ransomware attacks, there is a corresponding increase in the number of new ransomware groups emerging. These groups continuously evolve their tactics and expand their operations to maximize their financial gains.

Cyble Research and Intelligence Labs constantly track new ransomware campaigns to ensure our readers are informed about the most recent discoveries.

Our Recommendations

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

  • Disconnect infected devices from the network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

MITRE ATT&CK® Techniques

Tactic                Technique ID   Technique Name
Initial Access        T1133          External Remote Services
                      T1566          Phishing
                      T1091          Replication Through Removable Media
Execution             T1059          Command and Scripting Interpreter
                      T1204          User Execution
                      T1047          Windows Management Instrumentation
Persistence           T1053          Scheduled Task/Job
Privilege Escalation  T1134          Access Token Manipulation
Defense Evasion       T1564.003      Hide Artifacts: Hidden Window
                      T1027          Obfuscated Files or Information
Discovery             T1082          System Information Discovery
                      T1135          Network Share Discovery
                      T1083          File and Directory Discovery
Impact                T1486          Data Encrypted for Impact

Indicators of Compromise (IoCs)

Indicator                                                          Type     Description
521666a43aeb19e91e7df9a3f9fe76ba                                   MD5      Windows Cylance ransomware executable
663081e2767df7083f765a3a8a994982959d4cbe                           SHA1     Windows Cylance ransomware executable
ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd   SHA256   Windows Cylance ransomware executable
4601076b807ed013844ac7e8a394eb33                                   MD5      Linux Cylance ransomware executable
933ad0a7d9db57b92144840d838f7b10356c7e51                           SHA1     Linux Cylance ransomware executable
d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c   SHA256   Linux Cylance ransomware executable
