Executive Summary

• CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising Slycer Ransomware as a Service (RaaS).
• Slycer Ransomware is a Python-based malware that encrypts the files on the victim machine and sends its decryption key to the attacker.
• Slycer allows threat actors to gather highly sensitive information regarding the affected company and escalate the attack to the next phase including, and not limited to, phishing attacks, social engineering-based attacks, and identity theft.
• CloudSEK’s Threat Intelligence Research team is validating the authenticity of this post.

Analysis and Attribution

Information from Source

• It encrypts all files on the victim system using the Fernet symmetric encryption technique, regardless of their extension or file type, except for system files.
• It uses a customized algorithm developed by the threat actor, to accelerate the encryption process.
• When the ransomware is executed, it sends a Gmail prompt along with the victim’s customer ID, and the decryption key to the attacker.
• Once the execution is completed, it deletes all the logs and the key from the victim device and then disables the Task Managers.
• Slycer then sends customized notes and messages to the victim to collect the ransom.
• It also allows the attacker to send custom Icons and other applications to the victim’s device.

• A downloadable ransomware file.
• The price quotation for the ransomware. The price of the entire set-up including the source code ranges from USD 2400 - USD 2600.
• A YouTube video tutorial demonstrating the working of the ransomware.

Source Rating

• The actor is not popular on the forum.
• The information shared by the actor seems logical but doubtful.

• The reliability of the actor can be rated Not usually reliable (D).
• The credibility of the advertisement can be rated Doubtful (4).
• Giving an overall source credibility of D4.

Impact & Mitigation