CrossLock a new ransomware in the market


Introduction

CrossLock is a new ransomware family. It first appeared in April 2023, in an attack on a Brazilian company, and was first shared by S!Ri on Twitter. The threat is written in Golang, a language known for its efficiency and speed. Although it is new, its modus operandi is very similar to that of other ransomware.

That said, even though nothing about it stands out from other ransomware on the market, it is a very simple piece of code. As noted by JohnK3r on Twitter, CrossLock is built with Freeze, a payload-creation framework designed to circumvent EDRs.


A quick analysis

The information VirusTotal already provides shows that its infection chain does not differ from other ransomware: it uses LOLBins (bcdedit, vssadmin, wbadmin and wevtutil) to delete shadow copies and backups, clear the Windows event logs and disable recovery mode. Nothing new here.

One interesting detail: the sample presents itself as notepad.exe, but it is not signed by Microsoft, whereas the genuine %SystemRoot%\System32\notepad.exe carries a Microsoft Authenticode signature. Get-AuthenticodeSignature in PowerShell, or Sysinternals sigcheck, makes the difference immediately visible.


Its strings are not obfuscated. With this basic static information collected, we moved on to observing its behaviour in the lab environment.


The lab run shows the LOLBins CrossLock executes during its infection chain; the full command lines are listed in the IoC section below.

CrossLock video

In short, CrossLock creates a suspended process with notepad.exe as the target and injects its payload into it (process hollowing). To be clear, these are the default options of the Freeze framework, not something specific to CrossLock.


Parameters

CrossLock accepts command-line arguments that let the operator run it with administrator privileges, bypass UAC by abusing the eventvwr.exe binary (it writes the HKCU mscfile handler listed in the IoC section), and encrypt other hosts in the infrastructure over the SMB protocol.


Conclusion

Since CrossLock is new, it is worth following how it evolves in its next attacks. Hunting in your environment for the indicators below is a good starting point. The behavioural ones (shadow-copy and backup deletion, event-log clearing, the mscfile handler under HKCU, the .crlk extension) are more durable than the hash, which changes with every build.

TTPs

| Tactic | Technique | Sub-Technique | ATT&CK ID |
|---|---|---|---|
| Execution | Command and Scripting Interpreter | Windows Command Shell | T1059.003 |
| Defense Evasion | Process Injection | Process Hollowing | T1055.012 |
| Defense Evasion | Indicator Removal | Clear Windows Event Logs | T1070.001 |
| Privilege Escalation | Abuse Elevation Control Mechanism | Bypass User Account Control | T1548.002 |
| Discovery | System Service Discovery | - | T1007 |
| Discovery | Process Discovery | - | T1057 |
| Discovery | File and Directory Discovery | - | T1083 |
| Lateral Movement | Remote Services | SMB/Windows Admin Shares | T1021.002 |
| Impact | Data Encrypted for Impact | - | T1486 |
| Impact | Inhibit System Recovery | - | T1490 |

IoC & IoA

SHA256: 495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72
Build ID: TR_mEgwgRBRKBzLqwtCy/CrTSwLAFXgP-LonyC_5w/HFmcLGBkNJTMEENx_Huw/jmKxq_pGZOM9ijCEss6Y
Ransom note: ---CrossLock_readme_To_Decrypt---.txt
Encrypted file extension: .crlk

Commands executed (directly and wrapped in cmd.exe /c):
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled No
cmd.exe /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
cmd.exe /c "bcdedit /set {default} recoveryenabled No"
cmd.exe /c "vssadmin delete shadows /all /quiet"
cmd.exe /c "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"
cmd.exe /c "wbadmin DELETE SYSTEMSTATEBACKUP"
cmd.exe /c "wbadmin delete catalog -quiet"
cmd.exe /c "wevtutil cl application"
cmd.exe /c "wevtutil cl security"
cmd.exe /c "wevtutil cl system"
vssadmin delete shadows /all /quiet
wbadmin DELETE SYSTEMSTATEBACKUP
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
wbadmin delete catalog -quiet
wevtutil cl application
wevtutil cl security
wevtutil cl system

UAC bypass (binary abused and registry key written):
eventvwr.exe
HKCU\Software\Classes\mscfile\shell\open\command
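As an added example of the hunting suggested in the conclusion (this is not code from the original post or from the CrossLock authors), the following Python turns the indicators above into detection logic and runs it over a handful of constructed, Sysmon-like events. The event structure (event_id 1 for process creation, 13 for registry value set, 11 for file creation, and the field names command_line, parent_image, target_object, target_filename) is an assumption chosen to resemble Sysmon; adapt the field mapping to your own telemetry. The eventvwr.exe rule goes slightly beyond the IoC list: the mscfile hijack makes eventvwr.exe spawn the attacker's payload instead of mmc.exe, so any non-mmc child of eventvwr.exe is flagged.

```python
"""Hunt for CrossLock indicators in process, registry and file telemetry.

Added example, not from the original post. Event layout and field names
are assumptions modelled on Sysmon; the sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass
class Finding:
    technique: str
    reason: str
    event: dict


# Command-line patterns derived from the IoC list (case-insensitive, so the
# upper-case "wbadmin DELETE SYSTEMSTATEBACKUP" variants match as well).
RECOVERY_TAMPER = [
    (re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
     "vssadmin shadow-copy deletion"),
    (re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:systemstatebackup|catalog)\b", re.I),
     "wbadmin backup/catalog deletion"),
    (re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
     "bcdedit recovery disabled"),
]
LOG_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(?:application|security|system)\b", re.I)
# HKCU is written as HKU\<SID> in Sysmon, so match only the key tail.
MSCFILE_KEY = re.compile(r"\\software\\classes\\mscfile\\shell\\open\\command$", re.I)
RANSOM_EXT = ".crlk"
RANSOM_NOTE = "crosslock_readme_to_decrypt"


def _base(image: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: Iterable[dict]) -> list[Finding]:
    """Return one Finding per indicator matched in the event stream."""
    findings: list[Finding] = []
    for ev in events:
        kind = ev.get("event_id")
        if kind == 1:  # process creation
            cmd = ev.get("command_line", "")
            for pattern, why in RECOVERY_TAMPER:
                if pattern.search(cmd):
                    findings.append(Finding("T1490 Inhibit System Recovery", why, ev))
            if LOG_CLEAR.search(cmd):
                findings.append(Finding("T1070.001 Clear Windows Event Logs", "wevtutil log clear", ev))
            # eventvwr.exe legitimately launches only mmc.exe; anything else
            # means the mscfile open handler was hijacked for a UAC bypass.
            if _base(ev.get("parent_image", "")) == "eventvwr.exe" and _base(ev.get("image", "")) != "mmc.exe":
                findings.append(Finding("T1548.002 Bypass User Account Control",
                                        "eventvwr.exe spawned a non-mmc child", ev))
        elif kind == 13:  # registry value set
            if MSCFILE_KEY.search(ev.get("target_object", "")):
                findings.append(Finding("T1548.002 Bypass User Account Control",
                                        "mscfile open handler written under the user hive", ev))
        elif kind == 11:  # file creation
            name = ev.get("target_filename", "").lower()
            if name.endswith(RANSOM_EXT):
                findings.append(Finding("T1486 Data Encrypted for Impact", "file with .crlk extension created", ev))
            elif RANSOM_NOTE in name:
                findings.append(Finding("T1486 Data Encrypted for Impact", "ransom note dropped", ev))
    return findings


def summarize(findings: Iterable[Finding]) -> dict[str, int]:
    """Count findings per ATT&CK technique."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


# Constructed sample telemetry: the first eight events mimic a CrossLock run
# (payload hollowed into a fake notepad.exe in the user profile); the last
# three are benign noise that must not fire.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\victim\notepad.exe",
     "command_line": 'cmd.exe /c "vssadmin delete shadows /all /quiet"'},
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\victim\notepad.exe",
     "command_line": 'cmd.exe /c "bcdedit /set {default} recoveryenabled No"'},
    {"event_id": 1, "image": r"C:\Windows\System32\wbadmin.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "wbadmin delete catalog -quiet"},
    {"event_id": 1, "image": r"C:\Windows\System32\wevtutil.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "wevtutil cl security"},
    {"event_id": 13, "image": r"C:\Users\victim\notepad.exe",
     "target_object": r"HKU\S-1-5-21-111\Software\Classes\mscfile\shell\open\command"},
    {"event_id": 1, "image": r"C:\Users\victim\notepad.exe", "parent_image": r"C:\Windows\System32\eventvwr.exe",
     "command_line": r"C:\Users\victim\notepad.exe -a"},
    {"event_id": 11, "image": r"C:\Users\victim\notepad.exe",
     "target_filename": r"C:\Users\victim\Documents\report.docx.crlk"},
    {"event_id": 11, "image": r"C:\Users\victim\notepad.exe",
     "target_filename": r"C:\Users\victim\Documents\---CrossLock_readme_To_Decrypt---.txt"},
    {"event_id": 1, "image": r"C:\Windows\System32\vssadmin.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "vssadmin list shadows"},
    {"event_id": 1, "image": r"C:\Windows\System32\mmc.exe", "parent_image": r"C:\Windows\System32\eventvwr.exe",
     "command_line": r"C:\Windows\system32\mmc.exe C:\Windows\system32\eventvwr.msc /s"},
    {"event_id": 11, "image": r"C:\Windows\System32\notepad.exe",
     "target_filename": r"C:\Users\victim\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.technique}: {f.reason}")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

Against the constructed events the hunt yields eight findings (three recovery-inhibition commands, one log clear, two UAC-bypass signals, two encryption artefacts) and stays silent on the benign vssadmin listing, the legitimate mmc.exe child and an ordinary .txt write. The regexes match on command-line content rather than on the exact IoC strings, so the same rules still fire when the operator varies quoting, casing or the cmd.exe /c wrapper.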