CrossLock Ransomware

Summary: A New Strain of Ransomware 

In mid-April 2023, intelligence researchers discovered a new strain of ransomware called CrossLock. CrossLock follows current trends of malware increasingly being written in the Golang (Go) programming language and using the double-extortion technique in ransomware attacks. It’s capable of performing several actions that reduce the chances of data recovery while simultaneously increasing the attack’s effectiveness.  

Go Programming Language 

Go is a compiled language, meaning that the code is transformed into machine code before execution, making it harder to reverse engineer. It is designed to be fast and efficient, which can be advantageous for malware that needs to perform operations quickly and with minimal resources. Go is a statically typed language, which can help to identify bugs and potential security issues during the development process. Another advantage of Go is its cross-platform capabilities, where a single codebase can be compiled for different operating systems, making it easier to target multiple platforms with the same malware. Additionally, Go provides access to a vast array of third-party packages, making it easier for threat actors to incorporate pre-built code into their malware, which can save them time and effort in the development process. For these reasons, Go has become increasingly popular among threat actors in recent years. 

What is the CrossLock Attack Pattern? 

CrossLock is capable of infecting both local and remote systems using built-in custom parameters. To assist attackers in executing the ransomware, the creators provide a “help” menu that contains instructions on how to use the specialized parameters, including an example of how to execute CrossLock on a remote system. Once executed, CrossLock attempts to determine if it’s operating in a WINE (Worldwide Intelligence Network Environment) environment, which would allow for loading both Windows dynamic link libraries (DLLs) and Unix shared objects for Windows programs. Next, it uses a common API hooking technique to alter multiple Event Tracing for Windows (ETW) functions to evade detection and conceal activity. Subsequently, CrossLock deletes all shadow copies, clears the application event logs, deletes the backup catalog, disables the automatic startup repair feature, deletes the oldest system state backup, and clears the security event logs. Additionally, CrossLock includes a hardcoded list of over 500 services that it stops before beginning the encryption process. CrossLock encrypts files using a combination of the “Curve25519” and “ChaCha20” algorithms, implemented through Go packages. CrossLock operators use double extortion methods by not only stealing the data, but also threatening to release it on the dark web if the ransom isn’t paid.
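
The recovery-inhibition steps described above lend themselves to behavioural detection. The following is an added example, not code from the original report or from Critical Start: it correlates process-creation command lines per host and alerts when several of those actions occur close together. The mapping from each behaviour to a Windows utility (vssadmin, wevtutil, wbadmin, bcdedit), the window and threshold values, and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping: behaviour named in the article -> built-in Windows utility
# commonly used for it. The article lists the behaviours, not the commands.
RULES = {
    "shadow_copy_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "event_log_clear": re.compile(r"\bwevtutil(\.exe)?\b.*\s(cl|clear-log)\s+(application|security)\b", re.I),
    "backup_catalog_delete": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "startup_repair_off": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "system_state_backup_delete": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+systemstatebackup\b", re.I),
}

def classify(cmdline):
    """Return the set of recovery-inhibition behaviours a command line matches."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Flag hosts with >= threshold distinct behaviours inside one window.
    events: iterable of (iso_timestamp, host, command_line)."""
    hits = defaultdict(list)
    for ts, host, cmd in events:
        for name in classify(cmd):
            hits[host].append((datetime.fromisoformat(ts), name))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - start <= window}
            if len(names) >= threshold:
                alerts[host] = sorted(names)
                break
    return alerts

SAMPLE_EVENTS = [  # constructed process-creation records, not from a real incident
    ("2023-04-20T10:00:01", "ws-01", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("2023-04-20T10:00:02", "ws-01", "wevtutil cl application"),
    ("2023-04-20T10:00:03", "ws-01", "wbadmin delete catalog -quiet"),
    ("2023-04-20T10:00:04", "ws-01", "bcdedit /set {default} recoveryenabled No"),
    ("2023-04-20T10:00:05", "ws-01", "wbadmin delete systemstatebackup -deleteOldest"),
    ("2023-04-20T10:00:06", "ws-01", "wevtutil cl security"),
    ("2023-04-20T09:00:00", "srv-02", "vssadmin list shadows"),
    ("2023-04-20T09:30:00", "srv-02", "wevtutil cl application"),
    ("2023-04-20T14:00:00", "srv-02", "vssadmin delete shadows /for=C: /oldest"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Any one of these commands can appear in routine administration, which is why the check alerts on a cluster of distinct behaviours per host rather than on a single match.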

Targeted Technology 

Windows Endpoint OS is the only technology currently targeted in the wild by CrossLock. However, given that it is written in Go, it’s likely more samples will surface targeting other operating systems. 

How to Protect your Organization Against CrossLock Ransomware 

The discovery of CrossLock ransomware highlights the trend of new malware being written in the Go programming language. Coupled with its ability to bypass ETW, CrossLock poses a risk to all organizations. To prevent such attacks, cybersecurity best practices such as conducting regular backups, using reputable anti-virus and internet security software, and refraining from opening untrusted links and email attachments must be followed.

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub. 
 

References: 

  1. https://blog.cyble.com/2023/04/18/crosslock-ransomware-emerges-new-golang-based-malware-on-the-horizon/ 
