Cronus: Ransomware Threatening Bodily Harm

This technical research analyzes Cronus Ransomware. We examine how the ransomware encrypts files, establishes persistence, and deviates from other ransom notes.

Cronus is a .NET based ransomware strain that was first reported on by Seqrite. Threat researchers identified the variant after a malicious document was submitted to VirusTotal. This blog outlines how the ransomware encrypts files and establishes persistence, and analyzes the Cronus ransom note.

Intrusion Chain

The intrusion chain starts with a malicious document that masquerades as an invoice from PayPal. Once the user opens the lure and runs the macros, a PowerShell script is downloaded and executed. The PowerShell script loads the Cronus ransomware DLL and executes it.

Figure 1: Intrusion chain associated with Cronus ransomware.

All the samples involved in the intrusion chain outlined above are present on VirusTotal. Links to each are provided below.

  • Malicious Document: VirusTotal Sample
  • Eternal[.]lol (URL that hosts the PowerShell script): VirusTotal Sample
  • PowerShell Script: VirusTotal Sample
  • Cronus Ransomware Sample: VirusTotal Sample
  • Cronus Ransom Note: VirusTotal Sample

Figure 2: Malicious Document used within the intrusion.

Sample Analysis

Figure 3: Steps taken by the ransomware during execution.

File Details

The file analyzed as part of this blog can be found on VirusTotal. The following table shows information about the sample, including hash values.

SHA256:    42551531be1c5abfdd24a3465788c659a038141de61976787b0862664df95aad
SHA1:      2db3193aea4ea2a6e1af92b752faebc9bfb44542
MD5:       183897de27e49ad630efa9caf303e6f1
ssdeep:    384:IlhPJHvyIGEZCbm5oBmlRIXSh2ajjfwBclELZhAckgwYkZIBMbEvrb:EhPJHvyLEZam5oCMCgwxcb
File Size: 25.00 kB
File Type: Win32 EXE, .NET Executable

Figure 4: VirusTotal results for the Cronus DLL.
Figure 5: Main method of Cronus.

When the program is executed, it first copies itself to C:\Users\<USERNAME>\AppData\Local. This is done by the COPY_FILE function, which reads the name of the running application and checks whether a file of that name already exists in the AppData\Local folder. If it does, the function deletes that copy and then sleeps, giving the deletion time to complete before the new copy is written. Once the old copy has been deleted, it writes a fresh copy of the file to the folder and starts it as a new process.

Figure 6: COPY_FILE method that writes the ransomware DLL to AppData\Local.

Once the ransomware has been copied into AppData\Local, it iterates through all available drives on the device, discovering which folders are accessible. This is the precursor to encryption. The malware also contains several exclusions for folders that it does not target.

These exclusions are:

  • windows.old
  • windows.old.old
  • amd
  • nvidia
  • programfiles
  • programfiles(x86)
  • windows
  • $recycle.bin
  • documents and settings
  • intel
  • perflogs
  • programdata
  • boot
  • games
  • msocache

Once a folder has been identified, the program gets a list of files within that directory and checks it against a hardcoded list of excluded file names. Figure 7 below shows the list of hardcoded files that are not encrypted by the ransomware.

Figure 7: List of files excluded from encryption by the ransomware.

The table below shows the extensions that the ransomware encrypts.

.myd, .ndf, .qry, .sdb, .sdf, .tmd, .tgz, .lzo, .txt, .jar, .dat, .contact, .settings, .doc, .docx,
.xls, .xlsx, .ppt, .pptx, .odt, .jpg, .mka, .mhtml, .oqy, .png, .csv, .py, .sql, .indd, .cs,
.mp3, .mp4, .dwg, .zip, .rar, .mov, .rtf, .bmp, .mkv, .avi, .apk, .lnk, .dib, .dic, .dif,
.mdb, .php, .asp, .aspx, .html, .htm, .xml, .psd, .pdf, .xla, .cub, .dae, .divx, .iso, .7zip,
.pdb, .ico, .pas, .db, .wmv, .swf, .cer, .bak, .backup, .accdb, .bay, .p7c, .exif, .vss, .raw,
.m4a, .wma, .ace, .arj, .bz2, .cab, .gzip, .lzh, .tar, .jpeg, .xz, .mpeg, .torrent, .mpg, .core,
.flv, .sie, .sum, .ibank, .wallet, .css, .js, .rb, .crt, .xlsm, .xlsb, .7z, .cpp, .java, .jpe,
.ini, .blob, .wps, .docm, .wav, .3gp, .gif, .log, .gz, .config, .vb, .m1v, .sln, .pst, .obj,
.xlam, .djvu, .inc, .cvs, .dbf, .tbi, .wpd, .dot, .dotx, .webm, .m4v, .amv, .m4p, .svg, .ods,
.bk, .vdi, .vmdk, .onepkg, .accde, .jsp, .json, .xltx, .vsdx, .uxdc, .udl, .3ds, .3fr, .3g2, .accda,
.accdc, .accdw, .adp, .ai, .ai3, .ai4, .ai5, .ai6, .ai7, .ai8, .arw, .ascx, .asm, .asmx, .avs,
.bin, .cfm, .dbx, .dcm, .dcr, .pict, .rgbe, .dwt, .f4v, .exr, .kwm, .max, .mda, .mde, .mdf,
.mdw, .mht, .mpv, .msg, .myi, .nef, .odc, .geo, .swift, .odm, .odp, .oft, .orf, .pfx, .p12,
.pl, .pls, .safe, .tab, .vbs, .xlk, .xlm, .xlt, .xltm, .svgz, .slk, .tar.gz, .dmg, .ps, .psb,
.tif, .rss, .key, .vob, .epsp, .dc3, .iff, .opt, .onetoc2, .nrw, .pptm, .potx, .potm, .pot, .xlw,
.xps, .xsd, .xsf, .xsl, .kmz, .accdr, .stm, .accdt, .ppam, .pps, .ppsm, .1cd, .p7b, .wdb, .sqlite,
.sqlite3, .dacpac, .zipx, .lzma, .z, .tar.xz, .pam, .r3d, .ova, .1c, .dt, .c, .vmx, .xhtml, .ckp,
.db3, .dbc, .dbs, .dbt, .dbv, .frm, .mwb, .mrg, .txz, .mrg, .vbox, .wmf, .wim, .xtp2, .xsn, .xslt

Once the ransomware identifies a file with a targeted extension, it checks the file attributes and clears the read-only flag so that the file can be modified. Then, based on the file size, it encrypts the file by calling either FULL_ENCRYPT or TRIPLE_ENCRYPT. Both functions use the code in the ENCRYPT_DATA function (shown in Figure 11) to encrypt files.

Figure 8: Code showing how the file iterates through folders and encrypts files based on file size.

For Files < 512 KB

Files smaller than 512 KB are encrypted using the FULL_ENCRYPT function, which applies the AES encryption algorithm in Cipher Block Chaining (CBC) mode. In CBC the input (in this case the file) is divided into blocks. The first block is XORed with the initialization vector (IV), a randomly generated block of data, and then encrypted. The resulting ciphertext block is then XORed with the next block of plaintext before that block is encrypted. This process repeats until the entire file is encrypted.

Figure 9: Diagram showing how AES encryption using CBC works. Source: HighGo
Figure 10: The FULL_ENCRYPT function that uses AES 256 encryption to encrypt files less than 512KB.
Figure 11: Encryption Code.

For Files > 512 KB

Files larger than 512 KB use the same encryption process shown in Figure 11. The only difference is that the encryption routine is called three times on different parts of the file: the file is split into three distinct sections and each section is encrypted using the ENCRYPT_DATA function.

Figure 12: Cronus encrypts larger files (> 512KB) by encrypting different sections of the file.

Terminate Applications 

The Cronus binary searches the device's process list for specific executables. If one of these applications is running, the ransomware terminates it before calling the encryption process again.

The full list of applications that the binary attempts to kill is shown below.

sqlwriter, sqbcoreservice, VirtualBoxVM, sqlagent, sqlbrowser, sqlservr, code, steam, zoolz, agntsvc,
firefoxconfig, infopath, synctime, VBoxSVC, tbirdconfig, thebat, thebat64, isqlplussvc, mydesktopservice,
mysqld, ocssd, onenote, mspub, mydesktopqos, CNTAoSMgr, Ntrtscan, vmplayer, oracle, outlook, powerpnt,
wps, xfssvccon, ProcessHacker, dbeng50, dbsnmp, encsvc, excel, tmlisten, PccNTMon, mysqld-nt, mysqld-opt,
ocautoupds, ocomm, msaccess, msftesql, thunderbird, visio, winword, wordpad, mbamtray

Establishing Persistence (T1547.001)

The malware establishes persistence through a registry modification. Upon execution, the malware adds a registry value to the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Figure 13: Screenshot showing the newly created registry value in the Run key.

By adding a registry entry here with the path of the malware as its value, the ransomware ensures that whenever the user who was logged in at infection time signs in again, the malware runs and encrypts data again.

Figure 14: Code used to add the registry value to the Run key.
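The Run-key persistence above is cheap to audit. The following is an added example, not code from the original post or from the Cronus sample: it reads the HKCU Run key on a Windows host and flags values that launch anything from AppData\Local, the folder the sample copies itself into. The "Cronus" value name and file name in the constructed sample are placeholders.

```python
import re

# Run key the analysis shows Cronus writing its value into.
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# A launch path inside the per-user AppData\Local folder, where the sample
# copies itself before registering the Run value.
_APPDATA_LOCAL = re.compile(r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\",
                            re.IGNORECASE)


def flag_run_entries(entries):
    r"""Return the (value name, value data) pairs worth a closer look.

    `entries` is an iterable of (name, data) tuples as read from the Run key.
    The whole command line is searched, so both a bare path and an indirect
    launch such as `rundll32 C:\Users\...\AppData\Local\x.dll,Entry` match.
    Legitimate per-user installs (OneDrive, Teams) also live here, so treat
    a hit as a triage lead, not a verdict.
    """
    return [(name, data) for name, data in entries
            if _APPDATA_LOCAL.search(str(data))]


def read_hkcu_run():
    """Read the live HKCU Run key. Windows only (uses winreg)."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:        # raised once the values are exhausted
                break
            entries.append((name, data))
            index += 1
    return entries


# Constructed sample of what an audit might return; the "Cronus" value name
# and file name are placeholders, not taken from the analyzed sample.
SAMPLE_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("Cronus", r"C:\Users\alice\AppData\Local\cronus.exe"),
]

if __name__ == "__main__":
    for name, data in flag_run_entries(read_hkcu_run()):
        print(f"{name}: {data}")
```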

When Cronus encrypts a file, it appends a random 5-character alphanumeric extension to it. This differs from some other ransomware variants, which use the same extension for every encrypted file. The table below shows examples of the extensions added to files when the sample was run in a sandbox.

Pre-encryption File Name    Post-encryption File Name
18646010387.zip             18646010387.zip.9kTg6
howplay.jpg                 howplay.jpg.XGkYO
jstarted.rtf                jstarted.rtf.FJ1Ld
offfirst.jpg                offfirst.jpg
oralown.png                 oralown.png.Wyxso
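The naming pattern in the table lends itself to a simple triage check over a directory listing. This is an added example, not code from the post or from the sample: the targeted-extension set is a small subset of the list above, the ransom note name comes from the next section, and the listing is constructed from the file names in the table.

```python
import os
import re
from collections import Counter

# Subset of the extensions the sample targets, taken from the list above.
TARGETED = {".zip", ".jpg", ".png", ".rtf", ".docx", ".xlsx", ".pdf",
            ".sql", ".db", ".txt"}

# Cronus adds exactly five ASCII letters/digits after a final dot.
_RANDOM_SUFFIX = re.compile(r"^\.[A-Za-z0-9]{5}$")

# Name of the note the ransomware drops.
RANSOM_NOTE = "cronus.txt"


def looks_encrypted(filename: str) -> bool:
    """True for `<name>.<targeted ext>.<5 random chars>`, e.g. howplay.jpg.XGkYO.

    A file the malware skipped (offfirst.jpg in the table) keeps its normal
    extension and is not flagged.
    """
    stem, last = os.path.splitext(filename)
    if not _RANDOM_SUFFIX.match(last):
        return False
    original_ext = os.path.splitext(stem)[1].lower()
    return original_ext in TARGETED


def triage_directory(filenames):
    """Summarise one directory listing.

    Returns (suspected encrypted names, number of distinct random suffixes,
    whether the ransom note is present). Because every encrypted file gets
    its own suffix, a directory where the suffix count is close to the hit
    count is a stronger signal than any single name; a legitimate format
    with a 5-letter extension (e.g. report.docx.final) would reuse one.
    """
    hits = [f for f in filenames if looks_encrypted(f)]
    distinct = len(Counter(os.path.splitext(f)[1] for f in hits))
    note_present = any(f.lower() == RANSOM_NOTE for f in filenames)
    return hits, distinct, note_present


# Constructed listing built from the file names in the table above.
SAMPLE_LISTING = [
    "18646010387.zip.9kTg6", "howplay.jpg.XGkYO", "jstarted.rtf.FJ1Ld",
    "offfirst.jpg", "oralown.png.Wyxso", "cronus.txt",
]

if __name__ == "__main__":
    hits, distinct, note = triage_directory(SAMPLE_LISTING)
    print(f"{len(hits)} suspected encrypted files, {distinct} distinct "
          f"suffixes, ransom note present: {note}")
```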

Ransom Note Analysis

The ransomware drops a ransom note to the file cronus.txt. While the note contains claims of data exfiltration, it differs from the notes dropped by other ransomware families by:

  • Threatening bodily harm in the case of non-payment
  • Not providing proof of exfiltration

While prominent ransomware families provide links to websites where victims can view a subset of the information taken, Cronus only lists an email address. The ransom note states that a decryption tool will be provided once the victim sends US$500 in Bitcoin to a wallet and shares confirmation, in the form of a transaction ID, to that email address.

The complete ransom note is shown below along with a note from Akira to highlight key differences.

Cronus ransom note:

Warning, your files are encrypted by Cronus.

This is not a threat, this is a fact:

1. Your files have been encrypted with AES CBC 256 / RSA 2048 algorithm.
2. We have obtained extensive data, including passwords, e-mails and more.
3. We will shoot you and your extended family, pets and friends to death.
4. However, calm down, because you have a month to act on our desires.

How do I get spared:

1. Collect $500 in Bitcoin, an untraced anonymous cryptocurrency.
2. Send the specified amount to: 1Kzf8kAxamgvjwShYT6dZKSyCAgbSmh5fT
3. Send the transaction ID to our e-mail: redroomowner@dnmx[.]org
4. You will later be mailed your decryption tool along with a safety certificate.

WARNING:

If you do not pay, you will be put into a darkweb livestream with spectators.
Users can pay to torture you in any way, provided that they pay enough.
Our users CAN and WILL cut your fingers off and kill your pets in front of you!

Akira ransom note, for comparison:

Hi friends,

Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption.

Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know:

1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal.
2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help.
3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data.
4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - hxxps[://]akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad[.]onion.
5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us.

If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:

1. Install TOR Browser to get access to our chat room - hxxps[://]www[.]torproject[.]org/download/.
2. Paste this link - hxxps[://]akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id[.]onion.
3. Use this code - [snip] - to log into our chat.

Keep in mind that the faster you will get in touch, the less damage we cause.


💡 Threatlabz from zScaler has a GitHub repository of ransom notes from different ransomware families.

💡 ID Ransomware is a great tool to identify the ransomware based on the ransom note, encrypted file or contact information provided in the ransom note.

Bitcoin Wallet Analysis

The ransom note specifies that payment be made to a specific Bitcoin wallet. As of October 4th, 2024, 09:00 EST, this wallet contained no bitcoin, and several tools that track cryptocurrency transactions show no activity for that address. It is unclear why the wallet has no transactions; it could be that victims refused to pay the ransom, or that the ransomware deployments using that particular wallet were unsuccessful.

Figure 15: Screenshots of websites used to lookup the BitCoin wallet specified in the Cronus ransom note. All sources revealed that the wallet has no BitCoin in it and has no associated transactions.

Conclusion

Apart from reporting by Seqrite, there is no public information about this malware variant. This may indicate limited usage of the ransomware globally. Based on the ransom demands, it appears as if the developers behind the malware are hoping people will pay the low demand to avoid the disruption. 

Recommendations

User Education remains a great way of preventing abuse from malicious documents.

  • While Microsoft has moved to disable VBA macros in files from the Internet by default, users can enable them manually.
    • Informing users of the risks of interacting with files that have been shared by unknown senders is a great way of preventing malware infections.

Incident Response Plans and Preparedness are also essential in helping organizations act quickly and effectively during an incident.

  • As ransomware remains a major threat to organizations across the world, having an incident response plan is crucial to effectively detect, contain, and mitigate security breaches when they do occur. 
  • This plan should outline which parties should be involved in the response, what actions should be taken and at which point should additional stakeholders be involved. 
  • In addition to having an incident response plan, organizations should go through incident response tabletop exercises (TTX) to ensure stakeholders are familiar with the plan and their role during an incident.

💡 CISA has released Tabletop Exercise Packages for different cyber threats, including ransomware, insider threats, phishing, and Industrial Control System compromise.

💡 Backdoors & Breaches is an Incident Response Card game from Black Hills Information Security that can be used to conduct incident response tabletop exercises.

Cronus Ransomware MITRE ATT&CK TTPs

Tactic: Technique(s)

  • Defense Evasion: Process Hollowing; Reflective Code Loading
  • Discovery: File and Directory Discovery; Process Discovery
  • Execution: Command and Scripting Interpreter: PowerShell; Command and Scripting Interpreter: Visual Basic; User Execution: Malicious File
  • Impact: Data Encrypted for Impact; Internal Defacement; Transmitted Data Manipulation
  • Initial Access: Spearphishing Attachment
  • Persistence: Registry Run Keys/Startup Folder
  • Privilege Escalation: Process Hollowing; Registry Run Keys/Startup Folder
  • Reconnaissance: Spearphishing Attachment

Appendix - Public Key

<RSAKeyValue><Modulus>xn1/ig456xx9hGirND5sHmJ7vCoHoTYupcO6o9Q3xohvD5zZCo5V1C6bN6Q7fW0PCGeSZYj5R0ynWxziGKPzxjCKt7qAFP6HIBw47tulSpz0R00X9Mp2ejQU6paiIQJ/y6CqtQalvdz/AU+J8bEx5R49bQwyVQauMtNVo7ASQWiCulUJJqi1FFcop91qbQ0n7X27XT4bQD5a/8fqchw4NQGzOeUz+mjOyjRovZ1WEfyywNj8JQx00E7t7T8EQZ2neYrOrLYDpK5xpWrA55crAgBNJ3+CNR0apfiFTlcAPD7ORIuiJrYJb4kTNVcvd6aV7x04X775Qv0/XMl8quEM4Q==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>

References

  • Cronus Ransomware (Seqrite): https://www.seqrite.com/blog/unmasking-cronus-how-fake-paypal-documents-deliver-fileless-ransomware-via-powershell/
  • The difference in five modes in the AES encryption algorithm - Highgo Software Inc.