The latest iteration of CMD-based ransomware is sophisticated and tricky to detect – and integrates token theft and worming capabilities into its feature set.
A new CMD-based ransomware variant is still under development, but researchers warn that its poisonous combination of multiple layers of obfuscation and the sneaky integration of legitimate service links into its attack make it a potentially formidable threat.
YourCyanide traces its roots back to the GonnaCope ransomware family first discovered in April, a new report from the Trend Micro threat hunting team explains. It doesn't actually encrypt anything yet (researchers say that's likely coming soon), but it does rename all targeted files, steal information, and pilfer access tokens from popular applications like Chrome, Discord, and Microsoft Edge. It also self-propagates.
YourCyanide includes a few new tactics, the analysts note: it downloads its payload in stages from PasteBin, Discord, and Microsoft links (legitimate services that are rarely blocked outright), and it hides its strings behind cmd.exe's EnableDelayedExpansion feature, so that commands are only assembled from variables at run time rather than appearing in plain text in the script.
"While YourCyanide and its other variants are currently not as impactful as other families, it represents an interesting update to ransomware kits by bundling a worm, a ransomware, and an information stealer into a single mid-tier ransomware framework," the report says. "It is also likely that these ransomware variants are in their development stages, making it a priority to detect and block them before they can evolve further and do even more damage."
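To make the delayed-expansion trick concrete, the following is an added example, not code from the article or from the Trend Micro report. It assumes one common form of this obfuscation (the article does not describe YourCyanide's exact construction): a batch script defines a scrambled alphabet with `set`, then rebuilds each real string from `!var:~start,len!` substring references, which cmd.exe resolves only when the line executes. The script analysed below is constructed for the example; the Python emulates cmd's substring semantics (negative offsets count from the end) and expands each line in order, recording `set` assignments as it goes, so an analyst can read the reconstructed commands without running the batch file.

```python
import re

# set "name=value" or set name=value (quotes optional); /a and /p forms are not handled
SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_][A-Za-z0-9_]*)=(.*?)"?\s*$', re.IGNORECASE)
# !name!, !name:~start!, !name:~start,len!  (delayed-expansion references)
REF_RE = re.compile(r'!([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?!')


def substring(value, start, length):
    """Emulate cmd.exe's !var:~start,len! rules."""
    n = len(value)
    if start < 0:                      # negative start counts back from the end
        start = max(n + start, 0)
    if length is None:                 # no length: rest of the string
        return value[start:]
    if length < 0:                     # negative length: stop that many chars before the end
        end = n + length
        return value[start:end] if end > start else ""
    return value[start:start + length]


def expand_line(line, env):
    """Resolve every !var...! reference on one line using the variables set so far."""
    def repl(m):
        name, start, length = m.group(1), m.group(2), m.group(3)
        if name.lower() not in env:
            return m.group(0)          # design choice: keep unknown refs visible to the analyst
        value = env[name.lower()]      # cmd variable names are case-insensitive
        if start is None:
            return value
        return substring(value, int(start), int(length) if length is not None else None)
    # single pass: cmd does not re-expand the text produced by an expansion
    return REF_RE.sub(repl, line)


def deobfuscate(script):
    """Return (expanded_lines, final_env) for a batch script using delayed expansion."""
    env = {}
    out = []
    for raw in script.splitlines():
        line = expand_line(raw, env)   # expansion happens when the line executes...
        m = SET_RE.match(line)
        if m:                          # ...so a set line may itself use earlier variables
            env[m.group(1).lower()] = m.group(2)
        out.append(line)
    return out, env


# Constructed sample: the real command only exists once the substrings are resolved.
# Alphabet "nrpoweshlcdix": p=2 o=3 w=4 e=5 r=1 s=6 h=7 l=8
SAMPLE = r'''@echo off
setlocal EnableDelayedExpansion
set "z=nrpoweshlcdix"
set "c=!z:~2,3!!z:~5,1!!z:~1,1!!z:~6,2!!z:~5,1!!z:~8,1!!z:~8,1!"
set "w=xxstage2.ps1"
set "f=!w:~2!"
set "e=!w:~-3!"
!c! -File !f!
'''

if __name__ == "__main__":
    lines, env = deobfuscate(SAMPLE)
    for original, expanded in zip(SAMPLE.splitlines(), lines):
        if original != expanded:
            print(f"{original}\n    -> {expanded}")
    print("variables:", env)
```

Running it prints the `set` lines next to their resolved values and the final line as `powershell -File stage2.ps1`. Static string-matching on the original file would have seen only `!z:~2,3!!z:~5,1!...`, which is the point of the technique; a hunt rule that looks for a high density of `:~` substring references inside `set` lines, or that runs this kind of expansion before signature matching, catches the pattern regardless of which alphabet the author chose.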