Cyclops, a multi-platform ransomware, paired with an infostealer

Lord777

Operators of the Cyclops RaaS (Ransomware-as-a-Service) have added data-stealing malware to their product range. Researchers at Uptycs spotted advertisements for the new offering on hacker forums.

The new offering is evidently aimed at affiliates running a double-extortion scheme: the ransomware not only encrypts data but also steals important files and threatens to publish them if the ransom is not paid. Subscribers pay a share of their profits for the additional component.

The Cyclops encryptor targets several platforms: Windows (64-bit), macOS and Linux. The macOS and Linux builds are written in Go.

The malware can forcibly terminate processes that would interfere with its work, and it uses a hybrid encryption scheme combining symmetric and asymmetric primitives. Its logic reminded Uptycs analysts of Babuk: on Windows both use elliptic-curve Diffie-Hellman on Curve25519 together with the HC-256 stream cipher, and both also combine Curve25519 with ChaCha.

After the content is encrypted, a public key (embedded in the malware code), a CRC32 checksum and a token are appended to the end of the file; the token lets the malware recognise files it has already processed and avoid encrypting them twice. Processed files receive the .CYCLOPS extension. When encryption finishes, a ransom note is dropped on the system with a link to the .onion site for data recovery.
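The hybrid scheme and the end-of-file footer described above, as an added Go example that is neither Cyclops code nor taken from the Uptycs report. It uses only the Go standard library: X25519 from crypto/ecdh for the Curve25519 key agreement, and AES-GCM as a stand-in for the HC-256/ChaCha stream ciphers the page names, since neither of those is in the standard library. The token value, the footer layout, the SHA-256 key derivation and the choice to write the per-file ephemeral public key into the footer (the page says the embedded public key is appended) are all assumptions. The parts worth studying are the re-encryption guard on the trailing token and the CRC32 check a decryptor can run before touching the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// marker is a hypothetical end-of-file token: the page says a token is written so
// that an already-processed file is skipped, but does not give its value.
var marker = []byte("CYCLOPS-DEMO-TOKEN")

const (
	pubKeyLen = 32 // X25519 public key
	crcLen    = 4  // CRC32, little-endian
	nonceLen  = 12 // AES-GCM standard nonce
)

var ErrAlreadyEncrypted = errors.New("file already carries the marker")

// AlreadyEncrypted is the re-encryption guard: the file's last bytes are compared
// with the token before any work is done on it.
func AlreadyEncrypted(blob []byte) bool {
	return bytes.HasSuffix(blob, marker)
}

// deriveKey turns the X25519 shared secret into a 256-bit AEAD key. The page does
// not name the KDF, so hashing the shared secret is an assumed stand-in.
func deriveKey(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile: fresh ephemeral X25519 key -> shared key with the operator's embedded
// public key -> AEAD over the content -> footer (ephemeral public key, CRC32 of the
// ciphertext, marker). AES-GCM stands in for HC-256/ChaCha.
func EncryptFile(operatorPub *ecdh.PublicKey, plain []byte) ([]byte, error) {
	if AlreadyEncrypted(plain) {
		return nil, ErrAlreadyEncrypted
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	key, err := deriveKey(eph, operatorPub)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := aead.Seal(nonce, nonce, plain, nil) // nonce || ciphertext || tag
	crc := make([]byte, crcLen)
	binary.LittleEndian.PutUint32(crc, crc32.ChecksumIEEE(body))
	out := append(body, eph.PublicKey().Bytes()...)
	out = append(out, crc...)
	return append(out, marker...), nil
}

// DecryptFile is what a decryptor holding the operator's private key does: parse the
// footer, verify the CRC, recompute the shared key, open the AEAD.
func DecryptFile(operatorPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	footerLen := pubKeyLen + crcLen + len(marker)
	if !AlreadyEncrypted(blob) || len(blob) < footerLen+nonceLen {
		return nil, errors.New("not a marked file")
	}
	body, footer := blob[:len(blob)-footerLen], blob[len(blob)-footerLen:]
	if crc32.ChecksumIEEE(body) != binary.LittleEndian.Uint32(footer[pubKeyLen:pubKeyLen+crcLen]) {
		return nil, errors.New("CRC32 mismatch: truncated or altered file")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(footer[:pubKeyLen])
	if err != nil {
		return nil, err
	}
	key, err := deriveKey(operatorPriv, ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, body[:nonceLen], body[nonceLen:], nil)
}

func main() {
	operator, _ := ecdh.X25519().GenerateKey(rand.Reader) // private half never leaves the operator
	blob, _ := EncryptFile(operator.PublicKey(), []byte("constructed sample content"))
	_, err := EncryptFile(operator.PublicKey(), blob)
	fmt.Println("second pass refused:", errors.Is(err, ErrAlreadyEncrypted))
	plain, _ := DecryptFile(operator, blob)
	fmt.Printf("recovered: %q\n", plain)
}
```

Because the operator's private key never touches the victim machine, nothing recoverable from memory or disk after the run decrypts the files; the CRC32 only detects damage, it is not an integrity check against an adversary, which is why the AEAD tag is still needed.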

The infostealer module, which can be enabled from the admin panel, is likewise written in Go and built for Windows and Linux. It collects information about the infected machine (OS details, computer name, number of processes, the domain controller used for logon). Files of interest are located by name and extension; everything harvested is uploaded to a remote server.

The stealer build for 64-bit Windows is delivered as an archive containing stealer.exe and config.json, the latter holding lists of target file names, extensions and sizes. On execution the malware reads config.json, enumerates folders and searches them for matching objects. When it finds a match, it packs the file's contents into a ZIP archive, password-protects the archive and sends it to the operator's server.
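The config.json-driven selection described above, rebuilt as an added Go example for incident response rather than taken from the stealer: given a config recovered from a sample, it walks a host or mounted image and lists the files the stealer would have collected, which bounds what may have been exfiltrated. The JSON field names, the min_size/max_size pair and the rule that a file matches on a listed extension or on a name substring are assumptions, since the page does not show the schema; archiving, password protection and upload are not reproduced.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Config mirrors what the page says config.json holds: lists of target names,
// extensions and sizes. Field names and the min/max layout are assumptions.
type Config struct {
	Names      []string `json:"names"`
	Extensions []string `json:"extensions"`
	MinSize    int64    `json:"min_size"`
	MaxSize    int64    `json:"max_size"` // 0 means no upper bound
}

// ParseConfig loads config.json and lower-cases the match lists so that
// "Budget.XLSX" and "budget.xlsx" are treated alike.
func ParseConfig(raw []byte) (Config, error) {
	var c Config
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, err
	}
	for i := range c.Names {
		c.Names[i] = strings.ToLower(c.Names[i])
	}
	for i := range c.Extensions {
		c.Extensions[i] = strings.ToLower(c.Extensions[i])
	}
	return c, nil
}

// Targeted applies the assumed selection rule: size within bounds, and either
// the extension is listed or the base name contains one of the target names.
func (c Config) Targeted(path string, size int64) bool {
	if size < c.MinSize || (c.MaxSize > 0 && size > c.MaxSize) {
		return false
	}
	base := strings.ToLower(filepath.Base(path))
	ext := filepath.Ext(base)
	for _, e := range c.Extensions {
		if e != "" && e == ext {
			return true
		}
	}
	for _, n := range c.Names {
		if n != "" && strings.Contains(base, n) {
			return true
		}
	}
	return false
}

// FindTargets walks root and returns every regular file the config selects.
// Unreadable entries are skipped instead of aborting the walk, which is how an
// opportunistic collector behaves and what a blast-radius estimate needs.
func FindTargets(root string, c Config) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			if d == nil {
				return walkErr // the root itself is unreadable
			}
			return nil
		}
		if d.IsDir() {
			return nil
		}
		info, err := d.Info()
		if err != nil || !info.Mode().IsRegular() {
			return nil
		}
		if c.Targeted(p, info.Size()) {
			hits = append(hits, p)
		}
		return nil
	})
	return hits, err
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: blastradius <config.json> <root>")
		os.Exit(2)
	}
	raw, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	cfg, err := ParseConfig(raw)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	hits, err := FindTargets(os.Args[2], cfg)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, h := range hits {
		fmt.Println(h)
	}
	fmt.Fprintf(os.Stderr, "%d files would have been collected\n", len(hits))
}
```

Run it against a mounted evidence image (`go run . config.json /mnt/evidence`) and compare the resulting list and total size with the outbound transfer volume in the network timeline; a large gap in either direction suggests the recovered config is not the one that ran, or that collection was interrupted.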

The Linux infostealer is also available to RaaS clients as an archive, with slightly different contents: stealer.linux and config.json. According to Uptycs, this module matches the Windows version in functionality.