Dual Threat Crystal Rans0m Combines Ransomware and Infostealing Capabilities
Threat Group: Unattributed
Threat Type: Hybrid ransomware with stealer capabilities
Exploited Vulnerabilities: Outdated software, phishing, P2P downloads
Malware Used: Crystal Rans0m (Rust-based)
Threat Score: High (8.5/10) — Due to the combination of file encryption, information theft, modular structure, and anti-VM techniques.
Last Threat Observation: October 21, 2024
Overview
Crystal Rans0m, first identified in September 2023, is a sophisticated hybrid ransomware strain developed in Rust. It not only encrypts files using the Salsa20 encryption algorithm but also steals sensitive data such as browser credentials, Discord tokens, and game-related files from Steam and Riot Games. The ransomware is delivered through phishing emails, malicious downloads, and outdated software vulnerabilities. Crystal Rans0m employs anti-virtualization and anti-debugging techniques, making detection and analysis difficult.
Recent findings suggest it is modular, allowing attackers to customize payloads based on the intended target. While it initially focused on victims in Italy and Russia, its targets have expanded globally, affecting countries such as the United States, UK, China, and Argentina.
Key Details
- Delivery Method: Phishing emails, malicious downloads, and vulnerable software.
- Target: Individuals and businesses across various sectors, with a focus on browser and gaming data.
- Functions:
- Encrypts files with Salsa20, rendering them inaccessible.
- Steals credentials from browsers, including Chrome, Edge, and Brave.
- Extracts Discord user tokens.
- Targets gaming platforms, stealing Steam and Riot Games data.
- Uses Discord webhooks to exfiltrate stolen information.
- Obfuscation: Anti-VM, anti-debugging, and uses Rust libraries to evade detection.
Attack Vectors
Crystal Rans0m primarily spreads through:
- Phishing Emails: Victims receive emails with malicious attachments or links that download the ransomware.
- Pirated Software: Users who download cracked software or key generators are at risk.
- Software Vulnerabilities: Exploits vulnerabilities in outdated systems or software, allowing unauthorized access and execution of the ransomware.
Once the ransomware is executed, it encrypts critical files and exfiltrates sensitive information to the attackers' servers via Discord webhooks. Victims are presented with a ransom demand in Monero, which includes a Session ID for further communication.
Known Indicators of Compromise (IoCs)
- File Hashes (SHA256):
- 15219aa22db99f064c47c224a205cdd3ed438dabd2d2593242ed2882e6458311
- 4970bd280da663f483f927f3a6c47833ebcbfe2b640ee66a309b41c7ed084375
- 693fb42336167d5432a807fcb9afcac7002113fc37b05a2d3aa61c1356256c52
- b027fe1e1e97d980de593cfd265d004b310c7655d3ee27ea3f10beaf70285e22
- bed70b08cf8b00b4e6b04acd348b5e0343d207f3083e1c58261679706bd10318
- URLs: Exfiltration through Discord webhooks.
Mitigation and Prevention
- User Awareness: Conduct phishing awareness training to help users identify suspicious emails and links.
- Email Filtering: Deploy strong email filtering solutions to block malicious attachments and links.
- Antivirus Protection: Ensure antivirus solutions are updated and capable of detecting Rust-based malware.
- Two-Factor Authentication (2FA): Enable 2FA on critical accounts, especially for email and web browsers.
- Monitor Logs: Regularly audit logs for signs of suspicious activity or unauthorized data access.
- Regular Updates: Keep software and operating systems updated to patch known vulnerabilities.
Conclusion
Crystal Rans0m is a sophisticated ransomware variant that combines encryption with data theft, making it a potent threat to both individuals and organizations. With its use of modular components and advanced evasion techniques, it is challenging to detect and mitigate. Organizations should prioritize preventative measures such as regular backups, endpoint detection, and user education to defend against such threats.