This technical research analyzes Cronus ransomware: how it encrypts files, how it establishes persistence, and how its ransom note deviates from those of other ransomware families.
Cronus is a .NET-based ransomware strain that was first reported on by Seqrite. Threat researchers discovered the variant by way of a malicious document that had been submitted to VirusTotal. This blog outlines how the ransomware encrypts files and establishes persistence, and analyzes the Cronus ransom note.
Intrusion Chain
The intrusion chain starts with a malicious document that masquerades as an invoice from PayPal. Once the user opens the lure and enables the macros, a PowerShell script is downloaded and executed. The PowerShell script loads the Cronus ransomware DLL and executes it.
All the samples involved in the intrusion chain outlined above are present on VirusTotal. Links to each are provided below.
Sample Analysis
File Details
The file analyzed as part of this blog can be found on VirusTotal. The following table shows information about the sample, including hash values.
When the program is executed it first copies itself to C:\Users\<USERNAME>\AppData\Local. This is done by the function COPY_FILE, which reads the name of the running application and checks whether a file of that name already exists in the AppData\Local folder. If it does, the function deletes that copy and calls Sleep so that the deletion completes before it continues. Once the old copy has been deleted, it writes a fresh copy of the file to the folder and starts that process.
Once the ransomware has been copied into AppData\Local it iterates through all available drives on the device. During this stage the ransomware is discovering which folders are accessible; this is the precursor to encryption. The malware also hardcodes a list of folder names that it does not target.
These exclusions are:
windows.old
windows.old.old
amd
nvidia
programfiles
programfiles(x86)
windows
$recycle.bin
documents and settings
intel
perflogs
programdata
boot
games
msocache
Once a folder has been identified, the program gets a list of the files within that directory and checks each against a hardcoded list of excluded file names. Figure 7 below shows the list of hardcoded file names that are not encrypted by the ransomware.
The table below shows the extensions that the ransomware encrypts.
.myd
.ndf
.qry
.sdb
.sdf
.tmd
.tgz
.lzo
.txt
.jar
.dat
.contact
.settings
.doc
.docx
.xls
.xlsx
.ppt
.pptx
.odt
.jpg
.mka
.mhtml
.oqy
.png
.csv
.py
.sql
.indd
.cs
.mp3
.mp4
.dwg
.zip
.rar
.mov
.rtf
.bmp
.mkv
.avi
.apk
.lnk
.dib
.dic
.dif
.mdb
.php
.asp
.aspx
.html
.htm
.xml
.psd
.pdf
.xla
.cub
.dae
.divx
.iso
.7zip
.pdb
.ico
.pas
.db
.wmv
.swf
.cer
.bak
.backup
.accdb
.bay
.p7c
.exif
.vss
.raw
.m4a
.wma
.ace
.arj
.bz2
.cab
.gzip
.lzh
.tar
.jpeg
.xz
.mpeg
.torrent
.mpg
.core
.flv
.sie
.sum
.ibank
.wallet
.css
.js
.rb
.crt
.xlsm
.xlsb
.7z
.cpp
.java
.jpe
.ini
.blob
.wps
.docm
.wav
.3gp
.gif
.log
.gz
.config
.vb
.m1v
.sln
.pst
.obj
.xlam
.djvu
.inc
.cvs
.dbf
.tbi
.wpd
.dot
.dotx
.webm
.m4v
.amv
.m4p
.svg
.ods
.bk
.vdi
.vmdk
.onepkg
.accde
.jsp
.json
.xltx
.vsdx
.uxdc
.udl
.3ds
.3fr
.3g2
.accda
.accdc
.accdw
.adp
.ai
.ai3
.ai4
.ai5
.ai6
.ai7
.ai8
.arw
.ascx
.asm
.asmx
.avs
.bin
.cfm
.dbx
.dcm
.dcr
.pict
.rgbe
.dwt
.f4v
.exr
.kwm
.max
.mda
.mde
.mdf
.mdw
.mht
.mpv
.msg
.myi
.nef
.odc
.geo
.swift
.odm
.odp
.oft
.orf
.pfx
.p12
.pl
.pls
.safe
.tab
.vbs
.xlk
.xlm
.xlt
.xltm
.svgz
.slk
.tar.gz
.dmg
.ps
.psb
.tif
.rss
.key
.vob
.epsp
.dc3
.iff
.opt
.onetoc2
.nrw
.pptm
.potx
.potm
.pot
.xlw
.xps
.xsd
.xsf
.xsl
.kmz
.accdr
.stm
.accdt
.ppam
.pps
.ppsm
.1cd
.p7b
.wdb
.sqlite
.sqlite3
.dacpac
.zipx
.lzma
.z
.tar.xz
.pam
.r3d
.ova
.1c
.dt
.c
.vmx
.xhtml
.ckp
.db3
.dbc
.dbs
.dbt
.dbv
.frm
.mwb
.mrg
.txz
.mrg
.vbox
.wmf
.wim
.xtp2
.xsn
.xslt
Once the ransomware identifies a file with a targeted extension, it checks the file's attributes and clears the read-only flag so that the file can be modified. Depending on the file size, it then encrypts the file by calling either FULL_ENCRYPT or TRIPLE_ENCRYPT. Both functions use the code in the ENCRYPT_DATA function (shown in Figure 11) to encrypt files.
For Files < 512 KB
Files smaller than 512 KB are encrypted using the FULL_ENCRYPT function. This function encrypts data with the AES algorithm in Cipher Block Chaining (CBC) mode. In CBC the input (in this case the file) is divided into blocks. The first block is XORed with the initialization vector (IV), a randomly generated block of data, and then encrypted. The resulting ciphertext block is then XORed with the next plaintext block before that block is encrypted. This process is repeated until the entire file is encrypted.
For Files > 512 KB
Files larger than 512 KB are encrypted using the same process shown in Figure 11. The only difference is that the encryption routine is called three times on different parts of the file: the file is split into three distinct sections and each section is encrypted using the ENCRYPT_DATA function.
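The size split above matters during incident response: a file over 512 KB is only encrypted in three sections, so much of it may still be plaintext and recoverable. The following entropy scanner is an added triage example written for this post, not code from the blog or from the Cronus sample. It flags high-entropy byte ranges per window and classifies a file as plaintext, partially encrypted, or high-entropy throughout. The sample file, the 4 KB window, the 7.5 bits/byte threshold, and the start/middle/end placement of the three encrypted regions are all constructed assumptions; the analysis says three parts are encrypted but not which ones. Natively compressed formats (zip, jpg, mp4) have high baseline entropy, so the heuristic is only meaningful for low-entropy formats such as text, CSV or uncompressed databases.

```python
import math
import random

SIZE_THRESHOLD = 512 * 1024   # the 512 KB boundary between FULL_ENCRYPT and TRIPLE_ENCRYPT
WINDOW = 4096                 # bytes per entropy window (constructed choice)
HIGH_ENTROPY = 7.5            # bits per byte; AES output sits close to the 8.0 maximum


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_regions(data: bytes, window: int = WINDOW, threshold: float = HIGH_ENTROPY):
    """Byte ranges [(start, end), ...] whose consecutive windows all exceed the threshold."""
    regions = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if shannon_entropy(chunk) < threshold:
            continue
        end = off + len(chunk)
        if regions and regions[-1][1] == off:      # extend the previous region
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((off, end))
    return regions


def classify_file(data: bytes) -> str:
    """Triage verdict: 'plaintext', 'partially_encrypted' or 'high_entropy_throughout'."""
    regions = entropy_regions(data)
    if not regions:
        return "plaintext"
    covered = sum(end - start for start, end in regions)
    return "high_entropy_throughout" if covered == len(data) else "partially_encrypted"


def make_sample_large_file(seed: int = 1234) -> bytes:
    """Constructed 1 MB file: low-entropy text with three 64 KB random-byte regions.

    The random regions imitate what three calls to ENCRYPT_DATA on separate parts
    of a >512 KB file would leave behind. Their offsets (start, middle, end) are an
    assumption for this demo; the analysis does not state which parts are encrypted.
    """
    size = 1024 * 1024
    text = (b"The quick brown fox jumps over the lazy dog.\n" * (size // 45 + 1))[:size]
    buf = bytearray(text)
    rng = random.Random(seed)           # seeded so the sample is reproducible
    region = 64 * 1024
    for start in (0, size // 2, size - region):
        buf[start:start + region] = rng.randbytes(region)
    return bytes(buf)


if __name__ == "__main__":
    sample = make_sample_large_file()
    print(classify_file(sample), entropy_regions(sample))
```

Run against a real recovered file, the region list tells an analyst which byte ranges to carve plaintext from and which are lost without the key.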
Terminate Applications
The Cronus binary searches for specific executables in the device's process list. If one of them is running, the ransomware terminates it before calling the encryption process again.
The full list of applications that the binary attempts to kill is shown below.
sqlwriter
sqbcoreservice
VirtualBoxVM
sqlagent
sqlbrowser
sqlservr
code
steam
zoolz
agntsvc
firefoxconfig
infopath
synctime
VBoxSVC
tbirdconfig
thebat
thebat64
isqlplussvc
mydesktopservice
mysqld
ocssd
onenote
mspub
mydesktopqos
CNTAoSMgr
Ntrtscan
vmplayer
oracle
outlook
powerpnt
wps
xfssvccon
ProcessHacker
dbeng50
dbsnmp
encsvc
excel
tmlisten
PccNTMon
mysqld-nt
mysqld-opt
ocautoupds
ocomm
msaccess
msftesql
thunderbird
visio
winword
wordpad
mbamtray
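A burst of terminations of the processes listed above (database engines, Office applications, mail clients, security tools) is a detectable precursor to encryption. The detector below is an added example written for this post, not code from the blog or the Cronus sample. It runs over constructed log lines in a simple "<timestamp> TERMINATE <image>" shape that stands in for Sysmon Event ID 5 (process terminated) records, and raises one alert when three or more distinct kill-list processes end within a 60-second window; the subset of process names, the window and the threshold are assumptions for the demo. A user logging off or a reboot terminates many of the same processes, so corroborate an alert with the parent process of the terminator or with the file-extension artifacts described later.

```python
from collections import deque
from datetime import datetime, timedelta

# Subset of the process names listed above, lower-cased and without ".exe".
KILL_LIST = {
    "sqlservr", "sqlwriter", "sqlagent", "mysqld", "oracle", "outlook", "excel",
    "winword", "powerpnt", "onenote", "thunderbird", "vmplayer", "virtualboxvm",
    "processhacker", "mbamtray",
}

# Constructed log lines standing in for Sysmon Event ID 5 (process terminated)
# records: "<ISO timestamp> TERMINATE <image name>". Not real telemetry.
SAMPLE_LOG = """\
2024-10-04T09:00:01 TERMINATE chrome.exe
2024-10-04T09:00:03 TERMINATE outlook.exe
2024-10-04T09:00:03 TERMINATE EXCEL.EXE
2024-10-04T09:00:04 TERMINATE winword.exe
2024-10-04T09:00:04 TERMINATE sqlservr.exe
2024-10-04T09:00:05 TERMINATE notepad.exe
2024-10-04T09:30:00 TERMINATE outlook.exe
"""


def parse_log(text):
    """Yield (timestamp, image) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "TERMINATE":
            continue
        yield datetime.fromisoformat(parts[0]), parts[2]


def detect_mass_termination(log_text, window_seconds=60, threshold=3):
    """Alert when >= threshold distinct kill-list processes end within window_seconds.

    Returns [(window_start, sorted process names), ...]. The window is cleared
    after each alert so one burst yields one alert rather than one per event.
    """
    recent = deque()
    alerts = []
    for ts, image in parse_log(log_text):
        name = image.lower().removesuffix(".exe")
        if name not in KILL_LIST:
            continue
        recent.append((ts, name))
        # Drop events that fell out of the sliding window.
        while ts - recent[0][0] > timedelta(seconds=window_seconds):
            recent.popleft()
        names = {n for _, n in recent}
        if len(names) >= threshold:
            alerts.append((recent[0][0], sorted(names)))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for start, names in detect_mass_termination(SAMPLE_LOG):
        print(f"{start.isoformat()} burst of terminations: {', '.join(names)}")
```

The single outlook.exe termination at 09:30 is correctly ignored: one mail client closing is normal, three data-handling applications closing within seconds of each other is not.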
Establishing Persistence (T1547.001)
The malware establishes persistence through a registry modification. Upon execution, the malware adds a registry value to the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
By adding a registry value here with the path of the malware as its data, the malware ensures that whenever that user logs in again it will run and encrypt data again.
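The two behaviours above, copying into the root of AppData\Local and registering that copy under the HKCU Run key, combine into a simple persistence check. The script below is an added example written for this post, not code from the blog or the Cronus sample. It extracts the executable path from each Run-key value and flags paths that sit directly under AppData\Local (a vendor subfolder such as Microsoft\OneDrive is reported separately and is far more common for legitimate software). On Windows it reads the live key through the standard winreg module; elsewhere it falls back to a constructed sample. The value names and paths in the sample, including the file name invoice_paypal.exe, are constructed; the blog does not state what the dropped copy is named.

```python
import re

RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of (value name, data) pairs as the Run key would return them.
# The "Updater" entry mimics the behaviour described above: an executable dropped
# straight into AppData\Local. Names and paths are made up for this demo.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r"C:\Users\alice\AppData\Local\invoice_paypal.exe"),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]


def executable_path(command: str) -> str:
    """Pull the program path out of a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def classify(path: str):
    """'appdata_local_root' if the file sits directly in AppData\\Local,
    'appdata_local_subdir' if anywhere below it, else None."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path) if p]
    for i in range(len(parts) - 1):
        if parts[i] == "appdata" and parts[i + 1] == "local":
            depth = len(parts) - (i + 2)        # components after "Local", file included
            return "appdata_local_root" if depth == 1 else "appdata_local_subdir"
    return None


def suspicious_run_entries(values):
    """Return [(value name, executable path, verdict), ...] for entries under AppData\\Local."""
    findings = []
    for name, data in values:
        path = executable_path(data)
        verdict = classify(path)
        if verdict:
            findings.append((name, path, verdict))
    return findings


def read_live_run_values():
    """On Windows, enumerate HKCU\\...\\Run via winreg; return None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # raised once the index passes the last value
                break
            values.append((name, str(data)))
            index += 1
    return values


if __name__ == "__main__":
    values = read_live_run_values() or SAMPLE_RUN_VALUES
    for name, path, verdict in suspicious_run_entries(values):
        print(f"{verdict}: {name} -> {path}")
```

Treat an appdata_local_root hit as a lead to pull the file hash and compare it with the sample on VirusTotal, not as a verdict on its own.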
When Cronus encrypts a file, it appends a random five-character alphanumeric extension to the file name. This differs from some other ransomware variants, which use the same extension for all encrypted files. The table below shows examples of the extensions added to files when the sample was run in a sandbox.
Pre-encryption File Name    Post-encryption File Name
18646010387.zip             18646010387.zip.9kTg6
howplay.jpg                 howplay.jpg.XGkYO
jstarted.rtf                jstarted.rtf.FJ1Ld
offfirst.jpg                offfirst.jpg
oralown.png                 oralown.png.Wyxso
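Because the appended extension is random, a detection cannot match on a fixed string the way it can for families that use one extension. What it can match on is the shape: a targeted extension followed by a five-character alphanumeric suffix, plus the cronus.txt note in the same directory. The triage script below is an added example written for this post, not code from the blog or the Cronus sample. It uses a constructed subset of the targeted extensions and a constructed directory listing built from the sandbox file names above. Five-letter legitimate extensions (.mhtml, .accdb, .xhtml) following a targeted one would collide with the pattern, so treat a hit as a lead to confirm with the note file or file entropy rather than a verdict.

```python
import re

# Subset of the targeted extensions listed above (constructed subset for the demo;
# a production check would load the full list).
TARGETED_EXTENSIONS = {
    ".zip", ".jpg", ".jpeg", ".rtf", ".png", ".docx", ".xlsx", ".pdf", ".sql",
    ".vmdk", ".tar.gz", ".txt", ".db",
}

# The suffix Cronus appends: five alphanumeric characters after a final dot.
SUFFIX_RE = re.compile(r"[A-Za-z0-9]{5}")

RANSOM_NOTE_NAME = "cronus.txt"

# Constructed directory listing built from the sandbox observations above plus
# a few benign names; it is not output from the sample.
SAMPLE_LISTING = [
    "18646010387.zip.9kTg6",
    "howplay.jpg.XGkYO",
    "jstarted.rtf.FJ1Ld",
    "offfirst.jpg",          # observed unchanged in the sandbox run
    "oralown.png.Wyxso",
    "cronus.txt",
    "quarterly.docx",
    "notes.txt",
]


def split_cronus_name(filename):
    """Return (original_name, suffix) if the name fits the Cronus pattern, else None."""
    base, dot, suffix = filename.rpartition(".")
    if not dot or not SUFFIX_RE.fullmatch(suffix):
        return None
    lowered = base.lower()
    # Longest extension first so a compound extension such as ".tar.gz" is
    # recognised as one unit.
    for ext in sorted(TARGETED_EXTENSIONS, key=len, reverse=True):
        if lowered.endswith(ext):
            return base, suffix
    return None


def triage_listing(names):
    """Summarise a directory listing: renamed files and whether the note is present."""
    renamed = []
    for name in names:
        split = split_cronus_name(name)
        if split:
            renamed.append((name, split[0], split[1]))
    note_present = any(n.lower() == RANSOM_NOTE_NAME for n in names)
    return {"renamed": renamed, "note_present": note_present}


if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    for name, original, suffix in result["renamed"]:
        print(f"{name}: original {original!r}, suffix {suffix}")
    print("ransom note present:", result["note_present"])
```

The recovered original name is what an analyst needs to match encrypted files back to backups, which is why the function returns it rather than only a boolean.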
Ransom Note Analysis
The ransomware drops a ransom note to the file cronus.txt. While the note contains claims of data exfiltration, it differs from the notes dropped by other ransomware families by:
Threatening bodily harm in the case of non-payment
Not providing proof of exfiltration
While prominent ransomware families provide links to websites where victims can view a subset of the stolen information, Cronus lists only an email address. The ransom note states that a decryption tool will be provided once the victim sends US$500 in Bitcoin to a wallet and shares confirmation, in the form of a transaction ID, by email.
The complete ransom note is shown below along with a note from Akira to highlight key differences.
Cronus ransom note:
Warning, your files are encrypted by Cronus.
This is not a threat, this is a fact:
1. Your files have been encrypted with AES CBC 256 / RSA 2048 algorithm.
2. We have obtained extensive data, including passwords, e-mails and more.
3. We will shoot you and your extended family, pets and friends to death.
4. However, calm down, because you have a month to act on our desires.
How do I get spared:
1. Collect $500 in Bitcoin, an untraced anonymous cryptocurrency.
2. Send the specified amount to: 1Kzf8kAxamgvjwShYT6dZKSyCAgbSmh5fT
3. Send the transaction ID to our e-mail: redroomowner@dnmx[.]org
4. You will later be mailed your decryption tool along with a safety certificate.
WARNING:
If you do not pay, you will be put into a darkweb livestream with spectators.
Users can pay to torture you in any way, provided that they pay enough.
Our users CAN and WILL cut your fingers off and kill your pets in front of you!
Akira ransom note (for comparison):
Hi friends,
Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption.
Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know:
1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal.
2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help.
3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data.
4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - hxxps[://]akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad[.]onion.
5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us.
If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:
1. Install TOR Browser to get access to our chat room - hxxps[://]www[.]torproject[.]org/download/.
2. Paste this link - hxxps[://]akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id[.]onion.
3. Use this code - [snip] - to log into our chat.
Keep in mind that the faster you will get in touch, the less damage we cause.
💡 ThreatLabz from Zscaler has a GitHub repository of ransom notes from different ransomware families.
💡 ID Ransomware is a great tool to identify the ransomware family based on the ransom note, an encrypted file, or the contact information provided in the ransom note.
Bitcoin Wallet Analysis
The ransom note specifies that payment be made to a specific Bitcoin wallet. As of October 4th, 2024, 09:00 EST, this wallet held no bitcoin, and several tools that track cryptocurrency transactions showed no activity for that address. It is unclear why the wallet has no transactions; it could be that victims refused to pay the ransom or that the ransomware deployments using that particular wallet were unsuccessful.
Conclusion
Apart from reporting by Seqrite, there is no public information about this malware variant. This may indicate limited usage of the ransomware globally. Based on the ransom demands, it appears as if the developers behind the malware are hoping people will pay the low demand to avoid the disruption.
Recommendations
User education remains an effective way of preventing abuse through malicious documents.
While Microsoft has moved to disable VBA macros in files from the Internet by default, users can enable them manually.
Informing users of the risks of interacting with files that have been shared by unknown senders is a great way of preventing malware infections.
Incident response plans and preparedness are also essential in helping organizations act quickly and effectively during an incident.
As ransomware remains a major threat to organizations across the world, having an incident response plan is crucial to effectively detect, contain, and mitigate security breaches when they do occur.
This plan should outline which parties should be involved in the response, what actions should be taken, and at which point additional stakeholders should be involved.
In addition to having an incident response plan, organizations should go through incident response tabletop exercises (TTX) to ensure stakeholders are familiar with the plan and their role during an incident.
💡 CISA has released Tabletop Exercise Packages for different cyber threats, including ransomware, insider threats, phishing, and Industrial Control System compromise.
💡 Backdoors & Breaches is an incident response card game from Black Hills Information Security that can be used to conduct incident response tabletop exercises.