Crystal Rans0m: Hybrid ransomware with stealer capabilities

Oct. 21, 2024, 11:24 a.m.

Description

Crystal Rans0m is a newly discovered hybrid ransomware family developed in Rust, first observed in September 2023. It combines file encryption with data-stealing capabilities, doubling its leverage over victims. The malware targets browser data, Discord tokens, Steam files, and Riot Games data. It uses Discord webhooks for exfiltration and Salsa20 for file encryption. The ransom note demands payment in Monero and provides a Session ID for communication. Crystal Rans0m employs anti-VM and anti-debugging techniques. Recent samples suggest it may be modular, allowing attackers to choose which components to deploy. While initially seen targeting Italy and Russia, its motivation appears to be financial gain without a specific geographic or industry focus.

Date

  • Created: Oct. 21, 2024, 11:04 a.m.
  • Published: Oct. 21, 2024, 11:04 a.m.
  • Modified: Oct. 21, 2024, 11:24 a.m.

Indicators


Attack Patterns

Additional Information

  • South Georgia and the South Sandwich Islands
  • Georgia
  • Sweden
  • Lithuania
  • China
  • Argentina
  • Italy
  • Peru
  • Philippines
  • United Kingdom of Great Britain and Northern Ireland
  • Ukraine
  • Brazil
  • United States of America
  • Russian Federation