Crystal Rans0m: Hybrid ransomware with stealer capabilities
Oct. 21, 2024, 11:24 a.m.
Description
Crystal Rans0m is a newly discovered hybrid ransomware family written in Rust and first observed in September 2023. It combines file encryption with data-stealing capabilities, doubling its leverage over victims. The malware targets browser data, Discord tokens, Steam files, and Riot Games data, exfiltrates the stolen data through Discord webhooks, and encrypts files with Salsa20. The ransom note demands payment in Monero and provides a Session ID for communication. Crystal Rans0m employs anti-VM and anti-debugging techniques. Recent samples suggest it may be modular, allowing attackers to choose which components to include. Although initially seen targeting Italy and Russia, its motivation appears to be financial gain with no specific geographic or industry focus.
Date
Published: Oct. 21, 2024, 11:04 a.m.
Created: Oct. 21, 2024, 11:04 a.m.
Modified: Oct. 21, 2024, 11:24 a.m.
Indicators
Attack Patterns
Crystal Rans0m
T1555.003 (Credentials from Web Browsers)
T1547.001 (Registry Run Keys / Startup Folder)
T1497 (Virtualization/Sandbox Evasion)
T1082 (System Information Discovery)
T1055 (Process Injection)
T1140 (Deobfuscate/Decode Files or Information)
T1059 (Command and Scripting Interpreter)
Additional Information
South Georgia and the South Sandwich Islands
Georgia
Sweden
Lithuania
China
Argentina
Italy
Peru
Philippines
United Kingdom of Great Britain and Northern Ireland
Ukraine
Brazil
United States of America
Russian Federation