Python-based Slycer Ransomware as a Service for Sale on Cybercrime Forum

Category	Malware Intelligence
Affected Industries	Multiple
Affected Region	Global
Source*	D4
TLP#	GREEN
Reference	*https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability #https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Executive Summary

CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising Slycer Ransomware as a Service (RaaS).
Slycer Ransomware is a Python-based malware that encrypts the files on the victim machine and sends its decryption key to the attacker.
Slycer allows threat actors to gather highly sensitive information regarding the affected company and escalate the attack to the next phase including, and not limited to, phishing attacks, social engineering-based attacks, and identity theft.
CloudSEK’s Threat Intelligence Research team is validating the authenticity of this post.

Threat actor’s post on the cybercrime forum

Analysis and Attribution

Information from Source

On 29 August 2021, a threat actor published a post on a cybercrime forum, advertising the membership of the Slycer Ransomware generator. The actor claims that there are three subscription plans for users based on time period, namely, one-time, lifetime, and monthly. The Slycer ransomware that is written in python has the following features:

It encrypts all files on the victim system using the Fernet symmetric encryption technique, regardless of their extension or file type, except for system files.
It uses a customized algorithm developed by the threat actor, to accelerate the encryption process.
When the ransomware is executed, it sends a Gmail prompt along with the victim’s customer ID, and the decryption key to the attacker.
Once the execution is completed, it deletes all the logs and the key from the victim device and then disables the Task Managers.
Slycer then sends customized notes and messages to the victim to collect the ransom.
It also allows the attacker to send custom Icons and other applications to the victim’s device.

Additionally, the actor has also provided the following information:

A downloadable ransomware file.
The price quotation for the ransomware. The price of the entire set-up including the source code ranges from USD 2400 - USD 2600.
A YouTube video tutorial demonstrating the working of the ransomware.

Based on information from a sensitive source, the algorithm which is developed in Python uses recursion to lock out all the files for a faster encryption process. So far, there are no broad mentions about ransomware on the open web.

Source Rating

The actor is not popular on the forum.
The information shared by the actor seems logical but doubtful.

Hence,

The reliability of the actor can be rated Not usually reliable (D).
The credibility of the advertisement can be rated Doubtful (4).
Giving an overall source credibility of D4.

Impact & Mitigation

Impact	Mitigation
The ransomware can be used to exfiltrate sensitive PII (Personally Identifiable Information) from the victim device. This information can potentially be used by threat actors to conduct various attacks such as: Social engineering attacks Phishing attacks Identity theft A ransomware attack is capable of damaging an organization’s reputation, customer trust, and finances.	Update all systems and applications with the latest patches. Use a regular password update policy, and avoid password reuse for multiple accounts. Use MFA (Multi-Factor Authentication) across logins. Patch all the vulnerable and exploitable endpoints. Do not download any link that seems suspicious or malicious.