Cylance Ransomware Dissection
Researchers have spotted a new ransomware strain with the name Cylance Ransomware.
Samples of the ransomware’s payload have already been collected after successful attacks were launched on unnamed victims.
Researchers revealed the existence of the Cylance strain this week, stating that it appears to be targeting both Windows and Linux machines. Little is known about its tactics, techniques and procedures (TTPs) because of its recent emergence.
The ransom note left to victims has been published, including details of the threat actors’ email addresses but not the ransom itself. The sum will most likely be revealed to the victim after they make contact with the attackers.
“All your files are encrypted and currently unusable, but you need to follow our instructions. Otherwise, you can’t return your data (never), It’s just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities, nobody will cooperate with us. It’s not in our interests. To check the ability of returning files, we decrypt one file for free. That is our guarantee. If you will not cooperate with our service – for us, it does not matter. But you will lose time and data cause just we have the private key. Time is more valuable than money.”
The files are encrypted and appended with a ‘.Cylance’ extension. A text document named ‘Read Me’ is also added to all affected file folders, containing the demands of the threat actor.
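The two artefacts described above (the appended ‘.Cylance’ extension and the ‘Read Me’ note dropped into affected folders) are the indicators an incident responder would sweep a file share for first. The following is an added triage script, not code from the article or from Unit 42; it assumes the encrypted-file marker is the literal suffix ".Cylance" appended to the original filename and that the note is any file whose name stem is "Read Me" (case-insensitive, any extension), and it builds its own throwaway sample tree so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Assumptions (not stated in the article): the encrypted-file marker is the
# literal ".Cylance" suffix appended to the original name, and the ransom note
# is any file whose stem is "Read Me" (case-insensitive), whatever its extension.
ENCRYPTED_SUFFIX = ".Cylance"
NOTE_STEM = "read me"


def is_encrypted_name(name: str) -> bool:
    """True if the filename carries the appended .Cylance extension."""
    return name.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX)


def is_ransom_note(name: str) -> bool:
    """True if the filename stem is 'Read Me' (case-insensitive), e.g. 'Read Me.txt'."""
    return Path(name).stem.strip().lower() == NOTE_STEM


def triage(root) -> dict:
    """Walk `root` and summarise Cylance-style indicators.

    Returns a dict with:
      encrypted                     - paths ending in .Cylance
      notes                         - ransom-note paths
      encrypted_without_note        - directories holding encrypted files but no note
      notes_without_encrypted_files - directories holding a note but no encrypted files
    The last two are worth a second look: they show where the encryptor was
    interrupted, or where a note was planted without any encryption.
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = Path(dirpath) / f
            if is_encrypted_name(f):
                encrypted.append(p)
            elif is_ransom_note(f):
                notes.append(p)
    enc_dirs = {p.parent for p in encrypted}
    note_dirs = {p.parent for p in notes}
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "encrypted_without_note": sorted(enc_dirs - note_dirs),
        "notes_without_encrypted_files": sorted(note_dirs - enc_dirs),
    }


def build_sample_tree() -> str:
    """Create a constructed sample tree (not real victim data) mimicking the artefacts."""
    root = tempfile.mkdtemp(prefix="cylance_triage_")
    layout = {
        "docs/report.docx.Cylance": b"",
        "docs/budget.xlsx.Cylance": b"",
        "docs/Read Me.txt": b"All your files are encrypted ...",
        "photos/holiday.jpg.Cylance": b"",   # encrypted, but no note dropped here
        "untouched/notes.txt": b"plain file",
    }
    for rel, data in layout.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes")
    for d in result["encrypted_without_note"]:
        print("encrypted files without a ransom note in:", d)
```

Point `triage()` at a mounted share or a forensic image mount to get a quick blast-radius estimate; the directory-level mismatches it reports are the places to start when reconstructing the encryptor's path through the filesystem.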
It is believed that the REvil ransomware group could be behind Cylance Ransomware as part of a “grudge”. There is little to materially connect the ransomware to REvil, other than the fact that the security vendor Cylance conducted research to identify and share REvil telemetry in the course of its security operations.
In November 2021, international law enforcement agencies arrested a number of REvil gang members and shortly afterwards it was reported that US federal agencies had forced REvil servers offline.
Unlike REvil, Cylance Ransomware does not appear to follow a double extortion model. This is when a company’s data is stolen by a ransomware group in addition to being encrypted, and the firm is asked to pay a sum or face its data being leaked online.
This research was documented by researchers from Palo Alto Networks Unit 42.