CrossLock: a new ransomware in the market

CrossLock Ransomware by NightCafe.Studio

Introduction

CrossLock is a new ransomware variant. It first appeared in April 2023, targeting a Brazilian company, and was first shared by S!Ri on Twitter. The threat is written in Golang, a programming language known for its efficiency and speed. Even though it is a new variant, its modus operandi is very similar to that of other ransomware families.

That said, there is nothing in it that sets it apart from other ransomware on the market: it is a really simple piece of code. As mentioned by JohnK3r on Twitter, CrossLock uses a framework called Freeze, a payload toolkit used to build loaders that circumvent EDRs.

Tweet from johnk3r

A quick analysis

Just from the information VirusTotal gives us, it is possible to see that its infection chain is no different from other ransomware. Basically, it uses a handful of LOLBins to remove shadow copies, clear Windows event logs, disable recovery mode, and so on. It is pretty much the same playbook.

One interesting thing about this sample is that it tries to impersonate notepad.exe, but the file is not signed by Microsoft. The legitimate notepad.exe in System32 carries a valid Microsoft Authenticode signature, so a signature check (for example Get-AuthenticodeSignature in PowerShell) exposes the impersonation immediately.

CrossLock trying to impersonate a legitimate file

Looking at its strings, they are not obfuscated. So, after collecting some basic information about the binary, we move on to observing its behaviour in the lab environment.

Injection Chain

As we can see in the image above, those are some of the LOLBins used by CrossLock in its infection chain.

CrossLock video

So basically CrossLock creates a suspended process using notepad.exe as its target. To be clear, these are the default options of the Freeze framework.

Ransom note

Parameters

As we can see in the image below, those are all the arguments that can be passed to CrossLock: to gain administrator privileges by bypassing UAC through the eventvwr.exe binary, and to encrypt other hosts in the infrastructure over the SMB protocol.

Parameters used by CrossLock

Conclusion

As this is a new ransomware variant, we need to keep up with its development in upcoming attacks. Hunting in your environment for the indicators listed below is a good idea.

TTPs

IoC & IoA

  • SHA256: 495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72
  • Build ID: TR_mEgwgRBRKBzLqwtCy/CrTSwLAFXgP-LonyC_5w/HFmcLGBkNJTMEENx_Huw/jmKxq_pGZOM9ijCEss6Y
  • Ransom Note: — CrossLock_readme_To_Decrypt — .txt
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures
  • bcdedit /set {default} recoveryenabled No
  • cmd.exe /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
  • cmd.exe /c "bcdedit /set {default} recoveryenabled No"
  • cmd.exe /c "vssadmin delete shadows /all /quiet"
  • cmd.exe /c "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"
  • cmd.exe /c "wbadmin DELETE SYSTEMSTATEBACKUP"
  • cmd.exe /c "wbadmin delete catalog -quiet"
  • cmd.exe /c "wevtutil cl application"
  • cmd.exe /c "wevtutil cl security"
  • cmd.exe /c "wevtutil cl system"
  • vssadmin delete shadows /all /quiet
  • wbadmin DELETE SYSTEMSTATEBACKUP
  • wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  • wbadmin delete catalog -quiet
  • wevtutil cl application
  • wevtutil cl security
  • wevtutil cl system
  • eventvwr.exe
  • HKCU\Software\Classes\mscfile\shell\open\command
  • .crlk
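The command lines above are easy to hunt for once they are normalised, and the mscfile registry key together with an eventvwr.exe launch is the well-known UAC bypass pattern the Parameters section refers to. The script below is an added example (not code from the original post, and not CrossLock's own code) that runs both detections over constructed Sysmon-style events: it collapses the quoted cmd.exe /c wrappers and the bare forms listed above into one rule per tactic, raises an alert only when a single parent process spawns several of them within a short window (so one admin running wevtutil by hand stays quiet), and correlates a write to the mscfile\shell\open\command key with a subsequent eventvwr.exe start by the same user. Field names mirror Sysmon's (UtcTime, Image, CommandLine, User, ParentProcessGuid, TargetObject); the registry path appears as HKU\<SID>\..., which is how Sysmon records HKCU keys. The event records are constructed, not real telemetry.

```python
"""Hunt Sysmon-style events for the CrossLock pre-encryption chain and UAC bypass.

Added example, not from the original post. Uses Event ID 1 (process creation)
and Event ID 13 (registry value set) with Sysmon field names; the sample events
at the bottom are constructed, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime

# Command-line patterns taken from the IoC & IoA list, one label per tactic.
INHIBIT_RECOVERY_RULES = [
    ("shadow_copy_delete", re.compile(r"^vssadmin delete shadows /all")),
    ("backup_catalog_delete", re.compile(r"^wbadmin delete (?:catalog|systemstatebackup)")),
    ("boot_recovery_disable", re.compile(
        r"^bcdedit /set \{default\} (?:recoveryenabled no|bootstatuspolicy ignoreallfailures)")),
    ("eventlog_clear", re.compile(r"^wevtutil cl (?:application|security|system)")),
]
# Sysmon writes HKCU as HKU\<SID>, so match the key by its suffix, not its root.
MSCFILE_KEY = r"\software\classes\mscfile\shell\open\command"


def normalise(cmdline):
    """Lower-case, collapse whitespace, drop quotes and a leading cmd.exe /c wrapper,
    so the wrapped and bare forms in the IoC list hit the same rule."""
    s = re.sub(r'["\u201c\u201d]', "", cmdline)
    s = re.sub(r"\s+", " ", s).strip().lower()
    return re.sub(r"^(?:[a-z]:\\windows\\system32\\)?cmd(?:\.exe)? /c ", "", s)


def classify(cmdline):
    """Return the tactic label for a command line, or None if no rule matches."""
    s = normalise(cmdline)
    return next((label for label, rx in INHIBIT_RECOVERY_RULES if rx.search(s)), None)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def hunt(events, min_tactics=2, window_seconds=300):
    """inhibit_recovery: one parent spawns children covering >= min_tactics distinct
    labels within window_seconds (a lone admin 'wevtutil cl' is not enough).
    uac_bypass_eventvwr: a write to ...\\mscfile\\shell\\open\\command followed within
    window_seconds by eventvwr.exe starting as the same user."""
    findings, by_parent, key_writes = [], defaultdict(list), []
    for ev in events:
        t = parse_time(ev["UtcTime"])
        if ev["EventID"] == 13 and MSCFILE_KEY in ev.get("TargetObject", "").lower():
            key_writes.append((t, ev["User"]))
        elif ev["EventID"] == 1:
            label = classify(ev.get("CommandLine", ""))
            if label:
                by_parent[ev["ParentProcessGuid"]].append((t, label, ev["CommandLine"]))
            if ev["Image"].lower().endswith("\\eventvwr.exe"):
                if any(u == ev["User"] and 0 <= (t - wt).total_seconds() <= window_seconds
                       for wt, u in key_writes):
                    findings.append({"rule": "uac_bypass_eventvwr", "user": ev["User"],
                                     "time": ev["UtcTime"]})
    for parent, hits in by_parent.items():
        hits.sort()
        labels = sorted({label for _, label, _ in hits})
        if len(labels) >= min_tactics and (hits[-1][0] - hits[0][0]).total_seconds() <= window_seconds:
            findings.append({"rule": "inhibit_recovery", "parent": parent,
                             "tactics": labels, "commands": [c for _, _, c in hits]})
    return findings


def proc(utc, user, image, cmdline, parent):  # constructed Event ID 1 record
    return {"EventID": 1, "UtcTime": utc, "User": user, "Image": image,
            "CommandLine": cmdline, "ParentProcessGuid": parent}


CMD, USER = "C:\\Windows\\System32\\cmd.exe", "CORP\\jdoe"
SAMPLE_EVENTS = [  # constructed records modelled on Sysmon output
    {"EventID": 13, "UtcTime": "2023-04-18 14:02:11.100", "User": USER,
     "Image": "C:\\Users\\jdoe\\Downloads\\notepad.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)"},
    proc("2023-04-18 14:02:12.400", USER, "C:\\Windows\\System32\\eventvwr.exe", "eventvwr.exe", "{P1}"),
    proc("2023-04-18 14:02:20.000", USER, CMD, 'cmd.exe /c "vssadmin delete shadows /all /quiet"', "{P3}"),
    proc("2023-04-18 14:02:21.000", USER, CMD, 'cmd.exe /c "wbadmin delete catalog -quiet"', "{P3}"),
    proc("2023-04-18 14:02:22.000", USER, CMD, 'cmd.exe /c "bcdedit /set {default} recoveryenabled No"', "{P3}"),
    proc("2023-04-18 14:02:25.000", USER, CMD, 'cmd.exe /c "wevtutil cl security"', "{P3}"),
    # Benign noise: a directory listing, and an admin clearing a single log by hand.
    proc("2023-04-18 14:03:00.000", USER, CMD, "cmd.exe /c dir", "{P3}"),
    proc("2023-04-18 15:10:00.000", "CORP\\admin", "C:\\Windows\\System32\\wevtutil.exe",
         "wevtutil cl application", "{P9}"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the script reports one uac_bypass_eventvwr finding for CORP\jdoe and one inhibit_recovery finding for parent {P3} covering all four tactics, while the lone `wevtutil cl application` from the admin account produces nothing. In a real deployment the thresholds (two distinct tactics within five minutes) are the knobs to tune against your own baseline of legitimate backup and boot-configuration changes.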