Full Report
Crystal Rans0m is a previously undocumented hybrid ransomware family developed in the Rust programming language and seen for the first time in the wild on September 2nd, 2023. Interestingly, it not only encrypts the victim's files, demanding a ransom for their release, but also steals sensitive information from the infected systems. This dual-threat approach means that attackers […] The post Crystal Rans0m: Emerging hybrid ransomware with stealer capabilities appeared first on Outpost24.
Analysis Summary
# Tool/Technique: Crystal Rans0m
## Overview
Crystal Rans0m is a previously undocumented hybrid ransomware family developed in Rust. Its primary purpose is to encrypt the victim's files for a ransom, but it also functions as an information stealer, exfiltrating sensitive data before encryption. This **Stealer-as-a-Ransomware** approach maximizes the attackers' leverage. Ransom payments are demanded in Monero (XMR).
## Technical Details
- Type: Malware family (Hybrid Ransomware/Stealer)
- Platform: Windows (implied by the file paths and Windows APIs used)
- Capabilities: File encryption, data exfiltration (browsers, Steam, Discord, Riot Games), C2 communication via Discord Webhooks, anti-analysis/anti-VM checks, Monero ransom payment.
- First Seen: September 2nd, 2023 (Initial sample analyzed); newer sample detected August 2024.
## MITRE ATT&CK Mapping
The description suggests the following core behaviors, though specific mappings for this novel malware are not detailed in the text:
- [TA0009 - Collection]
  - [T1005 - Data from Local System] (stealing browser/game data)
- [TA0010 - Exfiltration] (if exfiltration is the primary goal after theft)
  - [T1567 - Exfiltration Over Web Service] (using Discord Webhooks)
- [TA0040 - Impact]
  - [T1486 - Data Encrypted for Impact]
- [TA0005 - Defense Evasion]
  - [T1027 - Obfuscated Files or Information] (encrypted C2 configuration)
## Functionality
### Core Capabilities
- **Hybrid Operation:** Capable of both encryption (ransomware) and data theft (stealer) within a single executable.
- **Configuration Loading:** Decrypts its configuration at runtime, including the Discord Webhook URI.
- **Data Exfiltration:** Targets data from browsers (many variants listed), Steam, Discord clients, and Riot Games clients.
- **C2 Communication:** Uses a hardcoded, encrypted, and Base64-decoded Discord Webhook for exfiltrating stolen data and the encryption key/nonce.
- **Ransom Payment:** Requires payment in Monero.
### Advanced Features
- **Anti-Analysis/Anti-VM:** Implements checks against virtualization software (like VirtualBox and VMware) and debugging/analysis tools by searching for specific files, registry keys, and running processes.
- **File Deletion Technique:** Deletes files without calling the standard `DeleteFileA/W` APIs, after first reading the targeted data into a temporary working directory (`%Temp%\wintemp.\`).
- **Configuration Decryption:** Uses a hardcoded key (the same key also decrypts the ransom note) with simple XOR and array operations.
## Indicators of Compromise
- File Hashes: SHA256 for analyzed sample: `15219aa22db99f064c47c224a205cdd3ed438dabd2d2593242ed2882e6458311`
- File Names: N/A (not explicitly detailed; the malware operates from a custom working folder)
- Registry Keys: Numerous registry keys associated with Sandboxie, VirtualBox, VMware Tools, and Wine are queried during the anti-analysis checks (the full list is in the source report).
- Network Indicators: Discord Webhooks (specific URI is encrypted within the malware payload).
- Behavioral Indicators:
  - Directory creation under `%Temp%\wintemp.\`.
  - Searching for processes associated with analysis tools (e.g., `wireshark.exe`, `ida64.exe`, `regedit.exe`, `taskmgr.exe`).
  - Checking for registry keys related to VM environments (e.g., `VBOX__`, `VMware, Inc.`).
## Associated Threat Actors
- Currently unattributed. Does not share similarities with other known malware families.
## Detection Methods
- Signature-based detection (based on the known sample hash).
- Behavioral detection focusing on:
  - Decrypting configuration data at runtime.
  - Creation of the malware working directory `%Temp%\wintemp.\`.
  - Enumerating paths associated with targeted browsers and gaming clients.
  - Communication attempts to Discord Webhooks originating from an unusual process.
- YARA rules could be developed based on the observed Rust compilation traits or specific XOR/decryption routines.
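As an added example (not code from the Outpost24 report and not the malware's own code), the following Python script scores host events against three of the behavioral indicators and detection points listed above: creation of the `wintemp.` working directory under `%Temp%`, a process querying several virtualization or sandbox registry keys in succession, and a Discord webhook request from a process that is neither a browser nor the Discord client. The JSON event schema (`pid`, `image`, `type`, `detail`), the sample log lines, the registry key paths and the process allow-list are all constructed assumptions for this illustration; `PLACEHOLDER_ID`/`PLACEHOLDER_TOKEN` stand in for the webhook URI that the page says is encrypted inside the payload.

```python
"""Triage EDR-style JSON events for Crystal Rans0m-like behaviours.

Added example with an assumed event schema (not a real product's format):
one JSON object per line with "pid", "image", "type" in
{"dir_create", "reg_query", "net_connect"} and a free-text "detail".
"""
import json
import ntpath
import re
from collections import defaultdict

# Constructed sample telemetry: one suspicious process (pid 4321) and two benign ones.
CONSTRUCTED_LOG = "\n".join(json.dumps(e) for e in [
    {"pid": 4321, "image": "C:\\Users\\u\\Downloads\\invoice.exe", "type": "dir_create",
     "detail": "C:\\Users\\u\\AppData\\Local\\Temp\\wintemp.\\"},
    {"pid": 4321, "image": "C:\\Users\\u\\Downloads\\invoice.exe", "type": "reg_query",
     "detail": "HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__"},
    {"pid": 4321, "image": "C:\\Users\\u\\Downloads\\invoice.exe", "type": "reg_query",
     "detail": "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"},
    {"pid": 4321, "image": "C:\\Users\\u\\Downloads\\invoice.exe", "type": "reg_query",
     "detail": "HKLM\\SOFTWARE\\Wine"},
    {"pid": 4321, "image": "C:\\Users\\u\\Downloads\\invoice.exe", "type": "net_connect",
     "detail": "https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN"},
    # Benign: the real Discord client talking to the Discord API.
    {"pid": 777, "image": "C:\\Users\\u\\AppData\\Local\\Discord\\app\\Discord.exe",
     "type": "net_connect",
     "detail": "https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN"},
    # Benign: an installer that reads one virtualization key and uses an ordinary Temp folder.
    {"pid": 900, "image": "C:\\Users\\u\\Downloads\\setup.exe", "type": "reg_query",
     "detail": "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"},
    {"pid": 900, "image": "C:\\Users\\u\\Downloads\\setup.exe", "type": "dir_create",
     "detail": "C:\\Users\\u\\AppData\\Local\\Temp\\setup_123\\"},
])

# Working directory named on the page: %Temp%\wintemp.\ (trailing backslash optional).
WORKING_DIR_RE = re.compile(r"\\Temp\\wintemp\.\\?$", re.IGNORECASE)
# Products whose registry keys the page says are checked; two or more distinct hits = a scan.
VM_KEY_MARKERS = ("VBOX__", "VMware, Inc.", "Sandboxie", "Wine")
WEBHOOK_RE = re.compile(r"^https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/", re.IGNORECASE)
# Assumed allow-list of processes that legitimately reach Discord endpoints.
EXPECTED_WEBHOOK_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
WEIGHTS = {"working_dir": 3, "vm_registry_scan": 2, "webhook_unexpected_process": 3}


def parse_events(log_text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def triage(events):
    """Return {pid: {"image", "score", "findings"}} after applying the three rules."""
    per_pid = defaultdict(lambda: {"image": None, "vm_keys": set(), "findings": set()})
    for ev in events:
        state = per_pid[ev["pid"]]
        state["image"] = ev["image"]
        kind, detail = ev["type"], ev["detail"]
        if kind == "dir_create" and WORKING_DIR_RE.search(detail):
            state["findings"].add("working_dir")
        elif kind == "reg_query":
            if any(m.lower() in detail.lower() for m in VM_KEY_MARKERS):
                state["vm_keys"].add(detail)
        elif kind == "net_connect" and WEBHOOK_RE.match(detail):
            if ntpath.basename(ev["image"]).lower() not in EXPECTED_WEBHOOK_CLIENTS:
                state["findings"].add("webhook_unexpected_process")
    results = {}
    for pid, state in per_pid.items():
        # A single virtualization key read is common for installers; require a sweep.
        if len(state["vm_keys"]) >= 2:
            state["findings"].add("vm_registry_scan")
        score = sum(WEIGHTS[f] for f in state["findings"])
        results[pid] = {"image": state["image"], "score": score,
                        "findings": sorted(state["findings"])}
    return results


def alerts(events, threshold=5):
    """Processes whose combined score reaches the threshold (at least two behaviours)."""
    return {pid: r for pid, r in triage(events).items() if r["score"] >= threshold}


if __name__ == "__main__":
    for pid, result in alerts(parse_events(CONSTRUCTED_LOG)).items():
        print(pid, result)
```

The threshold deliberately requires two of the three behaviours, so the Discord client reaching its own API or an installer reading one VMware key does not alert on its own. When mapping this to real telemetry, directory creation and outbound connections correspond to Sysmon file-create and network-connect events, but registry *reads* are not among Sysmon's default registry events (which cover key creation, deletion, value writes and renames), so the registry-scan rule needs EDR telemetry that records key queries.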
## Mitigation Strategies
- **Network Segmentation:** Restrict outbound traffic, particularly to known C2 platforms such as Discord APIs/Webhooks, where possible.
- **Endpoint Protection:** Configure EDR/AV to flag processes attempting to access sensitive configuration stores or performing high volumes of file read/write/delete operations in temporary directories.
- **Hardening:** Implement application allow-listing to prevent execution of unexpected Rust binaries from `%Temp%`.
- **Monitor for VM/Debugging Artifacts:** Deploy rules to alert on processes scanning for artifacts related to VirtualBox, VMware, or common analysis tools.
## Related Tools/Techniques
- **RedEnergy:** Also cited as a Stealer-as-a-Ransomware hybrid.
- **FTCODE:** A ransomware family observed incorporating stealing capabilities.
- **RAT-as-a-Ransomware:** A conceptual category exemplified by VenomRAT embedding ransomware components.