HackerFeeds

CrossLock

1 tracked victim · first seen 2023-04-17 · last activity 2023-04-17

Group profile

CrossLock is a short-lived, Go-based ransomware group that appeared in April 2023 and went dark by July 2023. It used Curve25519 and ChaCha20 for file encryption and ran double-extortion operations (encryption plus threatened data leaks), but has only a single confirmed victim: an IT-sector company in Brazil.

MITRE ATT&CK TTPs

TA0002

Execution

  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

    Uses the Windows Command Shell (cmd.exe) for execution.

TA0004

Privilege Escalation

  • T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control

    Bypasses User Account Control (UAC) to escalate privileges.

TA0005

Defense Evasion

  • T1055.012 Process Injection: Process Hollowing

    Employs process hollowing to evade detection.

  • T1070.001 Indicator Removal: Clear Windows Event Logs

    Clears Windows event logs to remove evidence.

TA0007

Discovery

  • T1007 System Service Discovery

    Enumerates the services running on the victim's machine.

  • T1057 Process Discovery

    Enumerates running processes on the victim's system.

  • T1083 File and Directory Discovery

    Enumerates files and directories on the victim's system.

TA0008

Lateral Movement

  • T1021.002 Remote Services: SMB/Windows Admin Shares

    Uses SMB/Windows Admin Shares to move laterally within the network.

TA0040

Impact

  • T1486 Data Encrypted for Impact

    Encrypts data on the victim's system to extort payment.

  • T1490 Inhibit System Recovery

    Deletes volume shadow copies to prevent system recovery.
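The two Impact and Defense Evasion techniques above, shadow copy deletion (T1490) and event log clearing (T1070.001), are the ones a defender can most cheaply catch from process-creation telemetry before encryption completes. The following is an added example, not code from this page or from any CrossLock sample: a small rule set run over constructed Sysmon-style process-creation events. The command-line patterns are generic indicators of those techniques (vssadmin, wmic, WMI Win32_ShadowCopy, bcdedit, wevtutil, Clear-EventLog); the page does not publish CrossLock's actual command lines, so these are assumptions about how the techniques are typically invoked, not observed IOCs.

```python
"""Toy detection for two TTPs listed in this profile: T1490 (shadow copy
deletion) and T1070.001 (clearing Windows event logs).

Added example; the events and patterns are constructed for illustration and
are not taken from a CrossLock incident.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation event (Sysmon EID 1 / Security 4688 shape)."""
    host: str
    user: str
    image: str
    command_line: str


# Generic command-line indicators per technique (assumed, not CrossLock-specific).
RULES = {
    "T1490 Inhibit System Recovery": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
        re.compile(r"Get-WmiObject\s+Win32_Shadowcopy.*\.Delete\(\)", re.I),
        re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    ],
    "T1070.001 Clear Windows Event Logs": [
        re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
        re.compile(r"Clear-EventLog\b", re.I),
    ],
}


def match_event(event):
    """Return the names of every technique whose indicators match this event."""
    hits = []
    for technique, patterns in RULES.items():
        if any(p.search(event.command_line) for p in patterns):
            hits.append(technique)
    return hits


def scan(events):
    """Run all rules over a batch; returns (host, image, technique) findings."""
    findings = []
    for ev in events:
        for technique in match_event(ev):
            findings.append((ev.host, ev.image, technique))
    return findings


# Constructed sample events: two true positives, one benign vssadmin use,
# and a PowerShell/WMI variant of shadow copy deletion.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\alice", "C:\\Windows\\System32\\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("WS01", "CORP\\alice", "C:\\Windows\\System32\\wevtutil.exe",
                 "wevtutil.exe cl Security"),
    ProcessEvent("WS02", "CORP\\bob", "C:\\Windows\\System32\\vssadmin.exe",
                 "vssadmin.exe list shadows"),  # benign: lists, does not delete
    ProcessEvent("WS03", "SYSTEM",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -c \"Get-WmiObject Win32_Shadowcopy | "
                 "ForEach-Object { $_.Delete() }\""),
]

if __name__ == "__main__":
    for host, image, technique in scan(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {technique}")
```

In production these rules belong in the SIEM or EDR rule language rather than in Python, and the shadow-copy rule should be correlated with what follows it: a single vssadmin delete on a backup server can be legitimate, but vssadmin delete followed by wevtutil cl on a workstation, as in the WS01 events above, is the pre-encryption pattern worth paging on.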

Recent victims

Date        Website / victim            Sector   Country
2023-04-17  validcertificadora.com.br   IT       BR