Python-based Slycer Ransomware as a Service for Sale on Cybercrime Forum

A post on a cybercrime forum is advertising Slycer Ransomware, a Python-based malware that encrypts files and sends its decryption key to the attacker
Published on September 22, 2021
Updated on April 19, 2023
Read time: 5 minutes

Category: Malware Intelligence
Affected Industries: Multiple
Affected Region: Global
Source*: D4
TLP#: GREEN

Reference: * https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability  # https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising Slycer Ransomware as a Service (RaaS).
  • Slycer Ransomware is a Python-based malware that encrypts the files on the victim machine and sends its decryption key to the attacker.
  • Slycer allows threat actors to gather highly sensitive information about the affected company and escalate the attack to the next phase, including, but not limited to, phishing attacks, social engineering-based attacks, and identity theft.
  • CloudSEK’s Threat Intelligence Research team is validating the authenticity of this post.
  [Figure: Threat actor’s post on the cybercrime forum]

Analysis and Attribution

Information from Source
On 29 August 2021, a threat actor published a post on a cybercrime forum advertising membership of the Slycer Ransomware generator. The actor claims that there are three subscription plans based on time period, namely one-time, lifetime, and monthly. The Slycer ransomware, which is written in Python, has the following features:
  • It encrypts all files on the victim system using Fernet symmetric encryption, regardless of their extension or file type, except for system files.
  • It uses a customized algorithm developed by the threat actor to accelerate the encryption process.
  • When the ransomware is executed, it sends a Gmail prompt along with the victim’s customer ID, and the decryption key to the attacker.
  • Once execution is complete, it deletes all logs and the key from the victim device and then disables Task Manager.
  • Slycer then sends customized notes and messages to the victim to collect the ransom.
  • It also allows the attacker to send custom Icons and other applications to the victim’s device.
  Additionally, the actor provided the following:
  • A downloadable ransomware file.
  • The price quotation for the ransomware. The price of the entire set-up including the source code ranges from USD 2400 - USD 2600.
  • A YouTube video tutorial demonstrating the working of the ransomware.
  Based on information from a sensitive source, the algorithm, which is developed in Python, uses recursion to lock all files for a faster encryption process. So far, there are no broad mentions of this ransomware on the open web.
Source Rating
  • The actor is not popular on the forum.
  • The information shared by the actor seems logical but doubtful.
Hence,
  • The reliability of the actor can be rated Not usually reliable (D).
  • The credibility of the advertisement can be rated Doubtful (4).
  • Giving an overall source credibility of D4.

Impact & Mitigation

Impact
  • The ransomware can be used to exfiltrate sensitive PII (Personally Identifiable Information) from the victim device. This information can potentially be used by threat actors to conduct various attacks such as:
    • Social engineering attacks
    • Phishing attacks
    • Identity theft
  • A ransomware attack is capable of damaging an organization’s reputation, customer trust, and finances.

Mitigation
  • Update all systems and applications with the latest patches.
  • Use a regular password update policy, and avoid password reuse across multiple accounts.
  • Use MFA (Multi-Factor Authentication) across logins.
  • Patch all vulnerable and exploitable endpoints.
  • Do not download from any link that seems suspicious or malicious.
