Netskope Threat Coverage: CrossLock Ransomware

CrossLock is a ransomware group that emerged in April 2023, when it targeted a Brazilian digital certifier, and operates with a Go-based encryptor. It uses a double-extortion model, threatening to leak stolen data on a deep web site if the ransom isn't paid, and its payload is capable of encrypting remote systems and evading detection.

Keypoints

  • CrossLock emerged in April 2023 and uses the Go programming language for its encryptor, signaling cross‑platform capabilities.
  • It operates in a double-extortion scheme, including posting targets and leaked data on a deep web site.
  • CrossLock can encrypt remote systems by using custom parameters to specify path, host, domain, user, and credentials, enabling remote deployment.
  • The payload includes a help menu and debug logs, facilitating user guidance and visibility into its actions.
  • It bypasses ETW by patching functions in ntdll, hooking the relevant APIs so that its actions are not logged.
  • The loader stops certain services/processes (backup, databases, security software) and deletes shadow copies, then disables boot recovery to hinder recovery.
  • Files are encrypted using Curve25519 and ChaCha20, with the extension .crlk added to encrypted files.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Encrypt the specified path. Quote: ‘Encrypt the specified path’
  • [T1021] Remote Services – Remote system to run CrossLock (which can be a DNS or an IP address). Quote: ‘Remote system to run CrossLock (which can be a DNS or an IP address)’
  • [T1078] Valid Accounts – Username used to authenticate in the remote system. Quote: ‘Username used to authenticate in the remote system’
  • [T1550] Use Alternate Authentication Material – Password of the user specified in “-u” or “--user”. Quote: ‘Password of the user specified in “-u” or “--user”’
  • [T1548.002] Bypass User Account Control – If specified, tries to bypass Windows UAC to run with elevated privileges. Quote: ‘If specified, tries to bypass Windows UAC to run with elevated privileges’
  • [T1562.002] Impair Defenses: Disable Windows Event Logging – Bypasses the Event Tracing for Windows (ETW) to evade logs. Quote: ‘bypassing the Event Tracing for Windows (ETW) …’
  • [T1562.001] Disable Security Tools – Hardcoded list of services and processes that it tries to stop before encrypting files. Quote: ‘hardcoded list of services and processes that it tries to stop before encrypting files’
  • [T1490] Inhibit System Recovery – Delete Windows Shadow Copies using vssadmin. Quote: ‘delete Windows Shadow Copies using vssadmin’
  • [T1547.001] Boot or Logon Autostart Execution – Disable boot recovery using bcdedit. Quote: ‘disable boot recovery using bcdedit’

Indicators of Compromise

  • [File Extension] .crlk – appended to encrypted files, for example document.txt.crlk or image.png.crlk
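The recovery-inhibition commands (vssadmin, bcdedit) and the .crlk extension listed above are the behaviors a defender can match in endpoint telemetry. The following is an added detection example, not code from the Netskope report or from the CrossLock sample; it assumes a constructed pipe-delimited event format (kind, image, command line or target path) standing in for process-creation and file-write logs.

```python
import re

# Constructed sample telemetry (not taken from the report), one event per line:
# "<kind>|<image>|<command line or target path>".
SAMPLE_EVENTS = [
    "process|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    "process|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    "process|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "process|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
    "file|C:\\Users\\alice\\payload.exe|C:\\Users\\alice\\Documents\\budget.xlsx.crlk",
    "file|C:\\Windows\\explorer.exe|C:\\Users\\alice\\Documents\\notes.txt",
]

# Each rule: (name, event kind it applies to, pattern over the command line / path).
RULES = [
    ("shadow copy deletion (vssadmin)", "process",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("boot recovery disabled (bcdedit)", "process",
     re.compile(r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    (".crlk encrypted file written", "file",
     re.compile(r"\.crlk$", re.I)),
]

def detect(events):
    """Return (rule name, image, detail) for every event that matches a rule."""
    hits = []
    for line in events:
        kind, image, detail = line.split("|", 2)
        for name, want_kind, pattern in RULES:
            if kind == want_kind and pattern.search(detail):
                hits.append((name, image, detail))
    return hits

def severity(hits):
    """Escalate when recovery inhibition and encrypted-file writes occur together,
    which is the CrossLock sequence (stop services, delete shadows, then encrypt)."""
    names = {name for name, _, _ in hits}
    recovery = any("vssadmin" in n or "bcdedit" in n for n in names)
    encrypted = any(".crlk" in n for n in names)
    if recovery and encrypted:
        return "critical"
    return "high" if names else "none"

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print("severity:", severity(found))  # critical for the sample above
```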

Read more: https://www.netskope.com/blog/netskope-threat-coverage-crosslock-ransomware