Ransomware - CrossLock

CrossLock
Decryptor Available: No
Description

If you haven't heard of CrossLock, there's likely a good reason for it. The operators behind the ransomware created a dark web data leak site in early April 2023; at least, that is when security researchers began publishing IoCs and information about the ransomware. Subsequently, the CrossLock ransomware group posted their first and only victim on their data leak site on April 17, 2023. The victim was headquartered in Brazil and operated in the Information Technology (IT) sector. After a few months of being seemingly idle (at least on their data leak site), the site went offline in July and has not appeared since.

As for the technical characteristics of this ransomware, it uses an increasingly popular hybrid encryption mechanism: the ChaCha20 stream cipher encrypts the files themselves, and the asymmetric Curve25519 algorithm then encrypts the ChaCha20 key. After encryption, the files are renamed to include the '.crlk' file extension. Before encryption, however, the ransomware drops a ransom note titled '---CrossLock_readme_To_Decrypt---.txt'. The note provides the URL of the data leak site and explains how to communicate with the operators over Tox messenger. The details are summarized in the information below.

Ransomware Type: Crypto-Ransomware
HumOR:
First Seen:
Last Seen:
Extortion Types: Direct Extortion, Double Extortion
Communication
  Medium: Tox
  Identifier:
Encryption
  Type: Hybrid
  Files: ChaCha20
  Key: Curve25519
File Extension: <file name>.crlk
Ransom Note Name: ---CrossLock_readme_To_Decrypt---.txt
Ransom Note Image:
Samples (SHA-256)
495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72
Known Victims
Industry Sector        | Country | Extortion Date | Amount (USD)
Information Technology | Brazil  |                |