Crystal Rans0m, first seen in September 2023, is a hybrid ransomware family that encrypts victims’ files and also steals sensitive information from browsers and gaming platforms. It is built on a modular Rust-based framework and combines Discord webhook-based exfiltration, Monero ransom payments, and anti-analysis techniques to maximize monetization. #CrystalRans0m #StealerAsRansomware #DiscordWebhook #Monero #Steam #RiotGames #Session #SALSA20
Keypoints
- Crystal Rans0m is a hybrid ransomware family that encrypts data and steals information (Stealer-as-Ransomware).
- Developed in Rust and uses a Discord webhook for data exfiltration and command/control communications.
- Targets browsers, Steam, Discord, and Riot Games to harvest credentials and sensitive data.
- Ransom payments are requested in Monero to enhance attacker anonymity.
- Employs virtualization/sandbox checks and other anti-analysis techniques to evade detection, and persists through registry entries.
- Recent August 2024 samples show a modular design, with some components removed or configurable, suggesting a deployable toolkit.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Uses scripting for command execution; the ransom note is an HTA (gui.hta in %Temp%) launched via mshta.exe.
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Creates registry Run key entries so the malware survives reboots.
- [T1027] Obfuscated Files or Information – Obfuscates code and strings to hinder static analysis.
- [T1140] Deobfuscate/Decode Files or Information – Decodes the obfuscated strings and components at run time.
- [T1055] Process Injection – Injects code into other processes to evade detection.
- [T1562.001] Impair Defenses: Disable or Modify Tools – Disables or modifies security tools to avoid detection.
- [T1497] Virtualization/Sandbox Evasion – Checks for virtual machine and sandbox environments and does not run when one is detected.
- [T1082] System Information Discovery – Collects host information to tailor its behaviour.
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Harvests credentials saved in web browsers (written out as passwords.txt before exfiltration).
- [T1567.004] Exfiltration Over Web Service: Exfiltration Over Webhook – Sends the stolen data to the attacker through a Discord webhook.
- [T1486] Data Encrypted for Impact – Encrypts victim files and drops a ransom note demanding payment.
- [T1657] Financial Theft – Demands the ransom payment in Monero.
Indicators of Compromise
- [Hash] Crystal Rans0m file hashes – bed70b08cf8b00b4e6b04acd348b5e0343d207f3083e1c58261679706bd10318, 15219aa22db99f064c47c224a205cdd3ed438dabd2d2593242ed2882e6458311, and 3 more hashes
- [Domain] Discord webhooks used for data exfiltration – discord.com
- [Domain] Negotiation platform referenced – getsession.org
- [File] Ransom note file – gui.hta (located in %Temp%), loaded via mshta.exe
- [File] Browser passwords and data files exfiltrated – passwords.txt
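The behaviours and artifacts listed above (gui.hta launched from %Temp% via mshta.exe, registry Run key persistence, and POSTs to a Discord webhook) translate directly into host-based detection logic. The script below is an added example written for this summary, not code from Outpost24 or from the malware itself. The event records and the webhook ID in them are constructed for the example, and the field names (event, image, command_line, target_object, dest_host, url, method, pid) are assumed, loosely modelled on Sysmon process-creation, registry and network events. It runs the three rules over the sample events and then correlates hits by process ID, since a single process that both installs a Run key and posts to a webhook is far more suspicious than either event alone.

```python
"""Triage constructed endpoint telemetry for Crystal Rans0m-style behaviour.

Added example, not the malware's code and not from the Outpost24 write-up.
Field names are assumed; records are constructed, not real telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample events. PID 3988 plays the malware, the rest are benign noise
# (a browser, and the legitimate Discord client polling its gateway endpoint).
SAMPLE_EVENTS = [
    {"event": "process", "pid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\gui.hta"'},
    {"event": "registry", "pid": 3988, "image": r"C:\Users\alice\Downloads\update.exe",
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                      r"\Software\Microsoft\Windows\CurrentVersion\Run\update"},
    {"event": "network", "pid": 3988, "image": r"C:\Users\alice\Downloads\update.exe",
     "dest_host": "discord.com", "method": "POST",
     "url": "https://discord.com/api/webhooks/1234567890/constructed-token"},
    {"event": "process", "pid": 2210, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "command_line": "firefox.exe"},
    {"event": "network", "pid": 5000, "image": r"C:\Program Files\Discord\Discord.exe",
     "dest_host": "discord.com", "method": "GET",
     "url": "https://discord.com/api/v9/gateway"},
]


@dataclass(frozen=True)
class Hit:
    rule: str
    pid: int
    detail: str


# Any .hta under a Temp directory; the page names gui.hta in %Temp% loaded via mshta.exe.
_TEMP_HTA = re.compile(r'\\temp\\[^\\"]*\.hta\b', re.IGNORECASE)
# Run / RunOnce keys under any hive (HKU\<SID>\... or HKCU\...).
_RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_mshta_temp_hta(ev: dict):
    """mshta.exe executing an HTA file that lives in a Temp directory."""
    if ev["event"] != "process" or _basename(ev["image"]) != "mshta.exe":
        return None
    m = _TEMP_HTA.search(ev["command_line"])
    return f"mshta.exe loaded {m.group(0)} from Temp" if m else None


def rule_run_key_write(ev: dict):
    """Any process writing a value under a Run/RunOnce key."""
    if ev["event"] != "registry" or not _RUN_KEY.search(ev["target_object"]):
        return None
    return f"{_basename(ev['image'])} wrote {ev['target_object']}"


def rule_discord_webhook_post(ev: dict):
    """POST to discord.com/api/webhooks/...; plain discord.com traffic is too noisy to alert on."""
    if ev["event"] != "network" or ev["dest_host"].lower() != "discord.com":
        return None
    path = urlparse(ev["url"]).path
    if ev["method"].upper() == "POST" and path.startswith("/api/webhooks/"):
        return f"{_basename(ev['image'])} POST to Discord webhook {path}"
    return None


RULES = {
    "mshta_temp_hta": rule_mshta_temp_hta,
    "run_key_write": rule_run_key_write,
    "discord_webhook_post": rule_discord_webhook_post,
}


def detect(events):
    """Run every rule over every event and return the hits."""
    hits = []
    for ev in events:
        for name, fn in RULES.items():
            detail = fn(ev)
            if detail:
                hits.append(Hit(name, ev["pid"], detail))
    return hits


def correlate(hits, min_rules: int = 2):
    """PIDs that tripped at least `min_rules` distinct rules (persistence + exfil, etc.)."""
    by_pid = defaultdict(set)
    for h in hits:
        by_pid[h.pid].add(h.rule)
    return {pid for pid, rules in by_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"[{h.rule}] pid={h.pid}: {h.detail}")
    print("escalate:", sorted(correlate(found)))
```

The webhook rule keys on the URL path and method rather than on the discord.com hostname alone, because browsers and the Discord desktop client contact discord.com constantly; only the /api/webhooks/ endpoint is a plausible exfiltration channel. The mshta rule will also fire on other HTA droppers that stage in %Temp%, which is usually welcome. In a real deployment, proxy and EDR telemetry must actually expose the URL path for the webhook rule to work; TLS-only NetFlow will not.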
Read more: https://outpost24.com/blog/crystal-ransom-hybrid-ransomware/