Security researchers at Cyble recently discovered a new ransomware variant with some concerning capabilities. Called “Cylance”, this ransomware has a number of advanced features that allow attackers to customize attacks.
The ransomware has many command-line options that allow attackers to specify things like file extensions to target, network shares to attack, processes to kill, etc. This allows for very customized ransomware attacks targeting specific files, locations, and systems.
Other notable features of the Cylance ransomware include:
AES encryption: The ransomware encrypts files with AES and appends the .cylance extension to each encrypted file.
Deletion of volume shadow copies: Cylance deletes Windows volume shadow copies to prevent recovery of files. It runs the vssadmin command to remove the existing snapshots so encrypted files cannot be restored from them.
Network spread: the ransomware scans for open SMB connections to identify network shares, then spreads to connected systems and encrypts files on those systems as well.
Kills processes: Before encrypting files, the ransomware kills a number of processes related to antivirus software, backup tools, and database management systems. This includes processes like sqlservr.exe, mysqld.exe, and vssvc.exe.
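The three behaviours described above are visible in ordinary endpoint telemetry. As an added example (not code from Cyble's report), the small Python detector below runs over constructed process and file events and flags vssadmin shadow-copy deletion, taskkill of the named database/VSS processes, and file renames to the .cylance extension; the pipe-separated event format and the sample lines are assumptions made for this example.

```python
import re

# Process names the report says the ransomware terminates before encrypting.
TARGETED_PROCESSES = {"sqlservr.exe", "mysqld.exe", "vssvc.exe"}
ENCRYPTED_EXT = ".cylance"

# Constructed sample telemetry (not real logs): one event per line,
# "kind|image path|command line or file operation".
SAMPLE_EVENTS = r"""
process|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
process|C:\Windows\System32\taskkill.exe|taskkill /F /IM sqlservr.exe
process|C:\Windows\System32\taskkill.exe|taskkill /F /IM notepad.exe
file|C:\Users\alice\report.docx|rename C:\Users\alice\report.docx.cylance
process|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
file|C:\Users\alice\photo.jpg|rename C:\Users\alice\photo.jpg.bak
"""


def classify_event(line):
    """Return (label, reason) if the event matches a described behaviour, else None."""
    kind, image, detail = line.split("|", 2)
    image_name = image.rsplit("\\", 1)[-1].lower()
    detail_l = detail.lower()
    # Shadow copy deletion: vssadmin invoked with "delete shadows".
    if kind == "process" and image_name == "vssadmin.exe" \
            and "delete" in detail_l and "shadows" in detail_l:
        return ("shadow_copy_deletion", "vssadmin delete shadows")
    # Termination of the database / VSS processes named in the report.
    if kind == "process" and image_name == "taskkill.exe":
        for proc in sorted(TARGETED_PROCESSES):
            if re.search(r"/im\s+" + re.escape(proc), detail_l):
                return ("targeted_process_kill", f"taskkill of {proc}")
    # Encryption side effect: a file renamed to the .cylance extension.
    if kind == "file" and detail_l.endswith(ENCRYPTED_EXT):
        return ("cylance_extension", "file renamed to .cylance")
    return None


def scan_events(text):
    """Classify every non-empty line; return (label, reason, line) alerts in log order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hit = classify_event(line)
        if hit:
            alerts.append((hit[0], hit[1], line))
    return alerts
```

Benign uses of the same tools (such as `vssadmin list shadows` or taskkill of an unrelated process) are deliberately left unflagged so the rules stay low-noise.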
This new Cylance ransomware variant shows how ransomware continues to evolve and become more advanced and dangerous.
Indicators of compromise
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1133 | External Remote Services |
| Initial Access | T1566 | Phishing |
| Initial Access | T1091 | Replication Through Removable Media |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1204 | User Execution |
| Execution | T1047 | Windows Management Instrumentation |
| Privilege Escalation | T1134 | Access Token Manipulation |
| Defense Evasion | T1564 | Hidden Window |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1135 | Network Share Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Impact | T1486 | Data Encrypted for Impact |