| Field | Value |
| --- | --- |
| Category | Malware Intelligence |
| Affected Industries | Multiple |
| Affected Region | Global |
| Source* | D4 |
| TLP# | GREEN |
| Reference | * Source rating: https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability; # TLP: https://en.wikipedia.org/wiki/Traffic_Light_Protocol |
Executive Summary
- CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising Slycer Ransomware as a Service (RaaS).
- Slycer Ransomware is a Python-based malware that encrypts the files on the victim machine and sends its decryption key to the attacker.
- Slycer allows threat actors to gather highly sensitive information about the affected company and escalate the attack to the next phase, including, but not limited to, phishing, social engineering, and identity theft.
- CloudSEK’s Threat Intelligence Research team is validating the authenticity of this post.
Analysis and Attribution
Information from Source
On 29 August 2021, a threat actor published a post on a cybercrime forum advertising membership of the Slycer Ransomware generator. The actor claims there are three subscription plans based on time period: one-time, lifetime, and monthly. The Slycer ransomware, which is written in Python, has the following features:
- It encrypts all files on the victim system using Fernet symmetric encryption, regardless of their extension or file type, except for system files.
- It uses a customized algorithm developed by the threat actor, to accelerate the encryption process.
- When the ransomware is executed, it sends a Gmail prompt, along with the victim's customer ID and the decryption key, to the attacker.
- Once execution is complete, it deletes all logs and the key from the victim device and then disables the Task Manager.
- Slycer then sends customized notes and messages to the victim to collect the ransom.
- It also allows the attacker to send custom icons and other applications to the victim's device.
The post also includes:
- A downloadable ransomware file.
- The price quotation for the ransomware. The price of the entire set-up, including the source code, ranges from USD 2400 to USD 2600.
- A YouTube video tutorial demonstrating the working of the ransomware.
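Because the post states that files are encrypted with Fernet, an incident responder can scope an infection by checking which files carry Fernet's fixed token layout (version byte 0x80, 64-bit timestamp, IV, CBC ciphertext, HMAC) and pulling the embedded encryption timestamp for the timeline. This is an added defender-side example, not code from the post or from CloudSEK; the signing key, IV and ciphertext bytes in `make_demo_token` are constructed placeholders, and the check is structural only since the HMAC cannot be verified without the key.

```python
import base64
import binascii
import hashlib
import hmac
import struct
from datetime import datetime, timezone

FERNET_VERSION = 0x80
HEADER_LEN = 1 + 8 + 16   # version byte + uint64 big-endian timestamp + 16-byte AES-CBC IV
HMAC_LEN = 32             # trailing HMAC-SHA256 tag
MIN_TS, MAX_TS = 1262304000, 4102444800   # plausible window: 2010-01-01 .. 2100-01-01

def parse_fernet_token(data: bytes):
    """Return (utc_datetime, ciphertext_len) if data has Fernet's token layout, else None.
    Layout after urlsafe base64: 0x80 | timestamp | IV | AES-128-CBC ciphertext | HMAC.
    The HMAC cannot be verified without the key, so this is a triage check only."""
    try:
        raw = base64.urlsafe_b64decode(data)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < HEADER_LEN + 16 + HMAC_LEN or raw[0] != FERNET_VERSION:
        return None
    body = raw[HEADER_LEN:-HMAC_LEN]
    if len(body) % 16:              # CBC ciphertext is always a whole number of blocks
        return None
    (ts,) = struct.unpack(">Q", raw[1:9])
    if not MIN_TS <= ts <= MAX_TS:
        return None
    return datetime.fromtimestamp(ts, tz=timezone.utc), len(body)

def triage(files: dict) -> list:
    """Map {filename: bytes} to [(filename, iso_timestamp)] for files that look Fernet-encrypted."""
    hits = []
    for name, content in files.items():
        parsed = parse_fernet_token(content.strip())
        if parsed:
            hits.append((name, parsed[0].isoformat()))
    return hits

def make_demo_token(timestamp: int, ciphertext: bytes) -> bytes:
    # CONSTRUCTED sample: structurally valid token around placeholder bytes, no real encryption.
    signing_key = b"\x00" * 16      # placeholder key, not a real one
    payload = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + b"\x11" * 16 + ciphertext
    tag = hmac.new(signing_key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag)

if __name__ == "__main__":
    print(triage({"report.docx": make_demo_token(1630195200, b"\x22" * 32) + b"\n",
                  "notes.txt": b"plain, untouched text"}))   # [('report.docx', '2021-08-29T00:00:00+00:00')]
```

The timestamp Fernet stores is the time of encryption, so a sweep over a share gives both the set of affected files and the order in which they were hit.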
Source Rating
- The actor is not popular on the forum.
- The information shared by the actor seems logical but doubtful.
- The reliability of the actor can be rated Not usually reliable (D).
- The credibility of the advertisement can be rated Doubtful (4).
- This gives an overall source rating of D4.
Impact & Mitigation