Ransomware - CrossLock

CrossLock
Decryptor Available
No
Description

If you haven't heard of CrossLock, there's likely a good reason for it. The operators behind the ransomware created a dark web data leak site in early April 2023. At least, that is when security researchers began publishing IoCs and information about the ransomware. Subsequently, the CrossLock ransomware group posted their first and only victim on their data leak site on April 17, 2023. The victim was headquartered in Brazil and operated in the Information Technology (IT) sector. After a few months of being seemingly idle (at least on their data leak site), the site went offline in July and has not appeared since.

As for the technical characteristics of this ransomware, it used an increasingly popular hybrid encryption mechanism that leveraged the ChaCha20 stream cipher to encrypt the files themselves and then used the asymmetric Curve25519 algorithm to encrypt the ChaCha20 key. After encryption, the files are renamed to include the '.crlk' file extension. Before encryption, however, the ransomware drops a ransom note titled '---CrossLock_readme_To_Decrypt---.txt.' The note provides the URL to the data leak site and how to communicate with the operators over Tox messenger. You can view that in the information below.

Ransomware Type
Crypto-Ransomware
HumOR
First Seen
Last Seen
Extortion Types
Direct Extortion
Double Extortion
Communication
Moyen
Identifiant
Tox
Encryption
Type
Hybrid
Files
ChaCha20
Key
Curve25519
File Extension
<file name>.crlk
Ransom Note Name
---CrossLock_readme_To_Decrypt---.txt
Ransom Note Image
Samples (SHA-256)
495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72
Known Victims
Industry Sector Pays Extortion Date Amount (USD)
Information TechnologyBrazil