Ransomware Targets Both Windows and Linux Operating System Users
Ransomware is the most significant threat to the cybersecurity infrastructure of organizations, as it involves the encryption of victims’ files and a demand for payment in exchange for the decryption key. Ransomware attacks can result in severe consequences such as financial loss, data loss, and damage to reputation. Despite the potential for significant financial gain, the emergence of new ransomware groups shows no sign of decreasing.
Recently, Cyble Research and Intelligence Labs (CRIL) came across a tweet from Unit 42, a division of Palo Alto Networks, revealing a new ransomware that can attack both Linux and Windows operating systems. This ransomware appears to be in the developmental stage, as little information is currently available regarding its victims. The group responsible for it has not yet created a leak site to showcase its victims.
The ransom message left by the ransomware identifies itself as the Cylance ransomware, but it is important to note that this should not be confused with the cybersecurity company Cylance, which was acquired by BlackBerry. The two are distinct and unrelated entities. This blog provides technical insights into the Cylance ransomware’s Windows and Linux versions.
Technical details
Cylance Ransomware: Windows
For analysis purposes, we have taken a sample hash, ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd, which represents a 32-bit Console-based binary executable file built with Microsoft Visual C/C++ compiler, designed to run on Windows operating systems.
Cylance ransomware can accept different command line parameters and can flexibly adjust to customized encryption tactics, as mentioned below:
| -path | Specifies the path that is targeted for encryption. |
| -mode | The ransomware’s processing mode can be set using this switch. The available options are “full,” “fast,” “split,” or “custom.” Full mode: The ransomware encrypts all files irrespective of their size or type and encrypts all the data contained within each file.Fast mode: encrypts all types of files, but only the initial 1MB of data within each fileSplit mode: encrypts files from a specific offset, and it requires the ‘-skip’ command to be used.Custom mode: encrypts all types of file files with a custom offset range, and it requires the ‘-skip’ command to be used. |
| -priority | Specifies the priority level of the ransomware, where the value “off” disables the priority setting, and any other value enables it. |
| -skip | Specifies the number of bytes to be skipped during the encryption process. |
| -power | Specifies the action to be taken after completing the task. The Power options available are: Shutdown: turns off the system. Restart: reboots the system. |
| -console | Displays the statistics of ransomware encryption Details. |
| -nomutex | Execute the ransomware without generating a mutex. |
| -nonet-drive | Exclude network drive from encryption. |
| -nodel | Do not remove the ransomware after completing the encryption process. |
If the ‘-path’ parameter is not specified, the encryption process will proceed sequentially by scanning the drives starting from A-Z.
Modify privileges:
When executed, the ransomware first enables various Windows privileges for the current process, thereby allowing access to restricted actions that are typically permitted only for processes with higher privileges. These actions include debugging other processes, modifying system security settings, and restoring files and directories.
Below is the list of privileges that the ransomware tries to enable:
- SeDebugPrivilege: allows a process to debug other processes running on the system.
- SeRestorePrivilege: allows a process to bypass certain security restrictions when restoring files or directories.
- SeBackupPrivilege: allows a process to bypass certain security restrictions when backing up files or directories. This privilege is typically used by backup and restore programs.
- SeTakeOwnershipPrivilege: allows a process to take ownership of objects on the system, such as files, directories, and registry keys.
- SeAuditPrivilege: allows a process to generate audit messages for specific security events on the system.
- SeSecurityPrivilege: allows a process to modify system security settings, such as user rights and privileges, audit policies, and security policies.
- SeIncreaseBasePriorityPrivilege: allows a process to increase its own base process priority, potentially allowing it to use more system resources and execute more quickly.
The following code snippet is an illustration of how ransomware modifies privileges.
After modifying the privileges, the ransomware creates a global mutex named“Global\CylanceMutex” to ensure that only one instance of the malware runs on the victim’s system at any given time. If the malware detects that the mutex already exists on the machine, it terminates its execution, as shown in the below figure.
Persistence
Afterward, the ransomware creates a scheduled task entry for persistence, enabling it to run automatically every time the victim logs into their computer. The code snippet below depicts how the ransomware establishes persistence on the compromised system.
Next, the ransomware utilizes the GetDriveTypeW(), FindFirstVolumeW(), and FindNextVolumeW() API functions to gather details about disk volumes and their associated file systems. This helps the malware to determine the specific drives and directories that need to be encrypted during the encryption process, as shown in the below figure.
After obtaining the volume details, the ransomware enumerates folders and places a ransom note named “CYLANCE_README.txt” in multiple folders using the code snippet illustrated in the figure below.
The image below depicts the ransom note dropped by the ransomware, named “CYLANCE_README.txt,” which provides instructions to the victims to pay a ransom in return for the decryption tool.
Once the ransom note is dropped, the ransomware searches through files and directories by utilizing the FindFirstFileW() and FindNextFileW() API functions to identify files that require encryption.
The ransomware utilizes Salsa20 encryption algorithms, a speedy stream encryption algorithm, for encrypting the files. The encryption mode used by the ransomware is determined by the command line parameter specified during execution.
During its encryption process, the Cylance ransomware avoided certain folder names, file names, and file extensions, as mentioned in the table below.
| File extension | File names | Folder names |
| .exe, .dll, .sys, .msi, .lnk, .drv, .efi, .Cylance | Ntldr ntuser.dat bootsect.bak ntuser.dat.log autorun.inf thumbs.db iconcache.db bootfont.bin boot.ini desktop.ini ntuser.ini bootmgr BOOTNXT CYLANCE_README.txt LPW5.tmp MSVC150.dll LLKFTP.bmp | Windows $Windows.~bt $windows.~ws windows.old windows nt All Users Public Boot Intel PerfLogs System Volume Information MSOCache $RECYCLE.BIN Default Config.Msi tor browser Microsoft Google Yandex |
Finally, the ransomware renames the encrypted files with the extension “.Cylance”, then replaces them with the original file using the MoveFileExW() API function, as shown below.
The below figure shows the files encrypted by Cylance ransomware after the successful infection of a victim’s machine.
Additionally, the ransomware executes a WMI query with the following command line to identify and deletes the shadow copy via “Win32_ShadowCopy.ID”:
- SELECT * FROM Win32_ShadowCopy where Win32_ShadowCopy.ID=’%s'”
When Threat Actors (TAs) delete shadow copies, it becomes difficult for the victims to restore their files through this method. As a result, the victims are more likely to pay the ransom demands to regain access to their files.
Upon completion of the infection process, the ransomware displays statistics detailing the operation. This includes the number of files that were encrypted, the number of files sent for encryption, the number of files processed during encryption, and the total amount of encrypted data.
The figure below illustrates the encryption details displayed by the ransomware after infection.
Cylance Ransomware: Linux
The file is a 64-bit AMD64-based ELF executable file with sha256 as d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c. The figure below shows the static file details.
The TAs manually execute the Linux version of Cylance on the compromised system, providing the targeted folder as an argument. The Linux executable then proceeds to encrypt the files in the targeted folder and its subfolders while dropping a ransom note in each affected directory. The figure below shows the code responsible for dropping ransom notes in the system.
The ransomware uses ChaCha Stream Cipher for encryption, which is a variant of the Salsa20 encryption algorithm. After encryption, the ransomware appends “.Cylance” extension to the encrypted filename. The figure below shows the Encryption loop and extension of the Cylance ransomware.
While encrypting files, the ransomware lists the filenames that have been processed for the encryption process, along with a detailed summary of the encryption statistics. This includes information such as the number of files that were successfully encrypted, the number of files that were not encrypted, the number of files that were skipped, as well as the total count and size of the encrypted data.
The figure below shows the encryption details after file encryption.
The ransom note left by the malware contains instructions for the victims to contact the TAs via email, specifying their Unique Victim ID, in order to initiate the process of recovering their encrypted files.
The figure below shows the encrypted files and ransom note.
Conclusion
From the primitive ransom note and the absence of a data leak website or support page, it can be inferred that the ransomware group is in its early stages. It’s worth noting that there is a growing trend of ransomware attacks targeting both Linux and Windows operating systems.
As organizations implement measures to protect themselves against ransomware attacks, there is a corresponding increase in the number of new ransomware groups emerging. These groups continuously evolve their tactics and expand their operations to maximize their financial gains.
Cyble Research and Intelligence Labs constantly track new ransomware campaigns to ensure our readers are informed about the most recent discoveries.
Our Recommendations
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1133 T1566 T1091 | External Remote Services Phishing Replication Through Removable Media |
| Execution | T1059 T1204 T1047 | Command and Scripting Interpreter User Execution Windows Management Instrumentation |
| Persistence | T1053 | Scheduled Task/Job |
| Privilege Escalation | T1134 | Access Token Manipulation |
| Defense Evasion | T1564 T1027 | Hidden Window Obfuscated Files or Information |
| Discovery | T1082 T1135 T1083 | System Information Discovery Network Share Discovery File and Directory Discovery |
| Impact | T1486 | Data encrypted for impact |
Indicators of Compromise (IoCs)
| Indicators | Indicator Type | Description |
| 521666a43aeb19e91e7df9a3f9fe76ba 663081e2767df7083f765a3a8a994982959d4cbe ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd | MD5 SHA1 SHA256 | Windows Cylance Ransomware executable |
| 4601076b807ed013844ac7e8a394eb33 933ad0a7d9db57b92144840d838f7b10356c7e51 d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c | MD5 SHA1 SHA256 | Linux Cylance Ransomware executable |
