CrossLock

Malware

⚠️ Overview

CrossLock is a ransomware family first documented in early 2024 by security researchers at Trend Micro. It is human-operated and targets enterprise environments, pairing file encryption with data exfiltration in a double-extortion scheme. Attribution is uncertain: publicly available sources tentatively link it to a financially motivated group tracked as TA579. The malware is written in C++ and encrypts files with AES-256 and RSA-4096 (the hybrid arrangement this pairing normally indicates, in which file contents are encrypted symmetrically and the symmetric keys are protected with the operators' RSA public key, so recovery without the operators' private key is not feasible), appending the .crosslock extension to encrypted files.

🔧 Technical Capabilities

CrossLock gains initial access through spear-phishing emails carrying malicious attachments or by exploiting unpatched vulnerabilities in public-facing applications, notably the Ivanti Connect Secure flaws CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection), whose chained exploitation was reported by Mandiant. For lateral movement it relies on living-off-the-land (LotL) techniques, chiefly PowerShell and WMI, and it talks to a custom command-and-control framework over HTTPS using dynamic DNS domains. Persistence is established through scheduled tasks and registry Run keys. Defensive evasion includes process hollowing, disabling Windows Defender through registry modifications, and deleting volume shadow copies to prevent recovery from local snapshots. Data is exfiltrated to cloud storage services using hardcoded API tokens before encryption begins, which is what gives the operators their extortion leverage.
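The persistence and evasion behaviours in the paragraph above are the ones a SOC can pick out of endpoint telemetry. The following is an added example, not code from this page or from any vendor: a Python triage routine run over constructed Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) records. The record layout, field names, rule thresholds and every sample command line are assumptions made for illustration; process hollowing is omitted because it is not visible in these two event types.

```python
"""Behavioural triage of Windows endpoint events for the CrossLock tradecraft
described on this page. Added example: the record layout mimics Sysmon Event ID 1
(process create) and Event ID 13 (registry value set) but is an assumption about
the collector, and every sample record below is constructed, not captured."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Event:
    event_id: int            # 1 = process create, 13 = registry value set
    image: str = ""
    command_line: str = ""
    target_object: str = ""  # registry path (event 13)
    details: str = ""        # registry value data (event 13)


@dataclass
class Finding:
    technique: str
    evidence: str


# Recovery inhibition: the usual ways ransomware removes local restore points.
SHADOW_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                       r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                       r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)
SCHTASKS_RE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)
# Defender tampering, visible either as the reg.exe command line or as the
# resulting registry write (DWORD 1 = disabled).
REG_DEFENDER_RE = re.compile(r"reg(\.exe)?\s+add\s+.*Windows Defender.*DisableAntiSpyware", re.I)
DEFENDER_KEY_RE = re.compile(r"\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware$", re.I)
# Run-key persistence is only flagged when the value points at a user-writable
# location, which keeps ordinary installers out of the alert queue.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(ProgramData|AppData|Temp|Users\\Public)\\", re.I)

RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("shadow-copy deletion",
     lambda e: e.event_id == 1 and SHADOW_RE.search(e.command_line) is not None),
    ("Defender disabled via reg.exe",
     lambda e: e.event_id == 1 and REG_DEFENDER_RE.search(e.command_line) is not None),
    ("Defender disabled via registry write",
     lambda e: e.event_id == 13 and DEFENDER_KEY_RE.search(e.target_object) is not None
     and "0x00000001" in e.details),
    ("scheduled-task persistence",
     lambda e: e.event_id == 1 and SCHTASKS_RE.search(e.command_line) is not None),
    ("Run-key persistence to user-writable path",
     lambda e: e.event_id == 13 and RUN_KEY_RE.search(e.target_object) is not None
     and USER_WRITABLE_RE.search(e.details) is not None),
]


def triage(events: List[Event]) -> List[Finding]:
    """Return one Finding per (event, matching rule), in input order."""
    findings: List[Finding] = []
    for ev in events:
        for technique, matches in RULES:
            if matches(ev):
                evidence = ev.command_line or f"{ev.target_object} = {ev.details}"
                findings.append(Finding(technique, evidence))
    return findings


# Constructed sample telemetry: five malicious actions and two benign look-alikes.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    Event(1, r"C:\Windows\System32\reg.exe",
          r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" '
          r"/v DisableAntiSpyware /t REG_DWORD /d 1 /f"),
    Event(13, r"C:\Windows\System32\reg.exe",
          target_object=r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
          details="DWORD (0x00000001)"),
    Event(1, r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn "WindowsUpdateCheck" '
          r'/tr "C:\ProgramData\svchost.exe" /sc onlogon /rl highest'),
    Event(13, r"C:\ProgramData\svchost.exe",
          target_object=r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                        r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          details=r"C:\ProgramData\svchost.exe"),
    Event(1, r"C:\Windows\System32\cmd.exe", r"vssadmin.exe list shadows"),  # benign
    Event(13, r"C:\Program Files\Vendor\setup.exe",                          # benign
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
          details=r"C:\Program Files\Vendor\agent.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.evidence}")
```

The Run-key rule deliberately ignores values pointing into Program Files so that vendor installers do not page the on-call analyst; in production the user-writable path list and the Defender DWORD check should be tuned to the estate rather than copied as-is.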

📜 History & Notable Incidents

CrossLock first surfaced in January 2024 with a campaign against healthcare organizations in the United States, as documented in a BleepingComputer report. In March 2024 the group claimed an attack on a regional hospital chain in Texas and demanded a $5 million ransom. No CVE is associated with the malware itself (CVE identifiers track vulnerabilities in products, not malware); it exploits previously disclosed vulnerabilities. No law enforcement action had been publicly reported as of mid-2024.

🔍 Detection Indicators

Known indicators include a SHA256 hash cited from a VirusTotal analysis, 8a2f1c9b3e4d5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0. Note that this string is 63 hexadecimal characters long, whereas a SHA-256 digest is 64, so it should be treated as a placeholder and checked against the original analysis before it is loaded into any blocklist. Behavioral indicators include the creation of a ransom note named RECOVER-FILES.txt in each encrypted directory and a mutex named CrossLock_Mutex_2024. Network indicators observed by CISA include connections to the range 185.225.17.0/24 and the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) CrossLock-Client/1.0.
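The indicators above, as an added example that is not the page's, CISA's or VirusTotal's code: a Python matcher that validates the published hash before using it, resolves the C2 range with the standard ipaddress module, and runs the file, mutex and HTTP indicators over constructed records. The record schema is an assumption; the indicator values are the ones printed on the page and are treated as reported rather than verified. The hash check refuses the 63-character value rather than silently never matching on it.

```python
"""IOC matching for the CrossLock indicators listed on this page. Added example,
not the page's or CISA's code. Indicator values are copied from the page and
treated as reported, not verified; every log record below is constructed."""
import ipaddress
import ntpath
import re
from typing import Dict, List, Set, Tuple

# Indicators as printed on the page.
RANSOM_NOTE = "RECOVER-FILES.txt"
ENCRYPTED_EXT = ".crosslock"
MUTEX = "CrossLock_Mutex_2024"
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) CrossLock-Client/1.0"
C2_NETWORK = ipaddress.ip_network("185.225.17.0/24")
REPORTED_HASHES = ["8a2f1c9b3e4d5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0"]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def is_valid_sha256(digest: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else is not a usable IOC."""
    return SHA256_RE.match(digest.strip().lower()) is not None


def usable_hashes(candidates: List[str]) -> Set[str]:
    """Drop malformed hashes before they reach a blocklist (the page's value is 63 chars)."""
    return {h.strip().lower() for h in candidates if is_valid_sha256(h)}


def in_c2_range(ip: str) -> bool:
    """True when ip falls inside the reported C2 range; unparseable input is not a hit."""
    try:
        return ipaddress.ip_address(ip) in C2_NETWORK
    except ValueError:
        return False


Record = Dict[str, str]
Hit = Tuple[str, str]  # (indicator name, evidence)


def match_iocs(records: List[Record]) -> List[Hit]:
    """Run each record through the indicator checks that apply to its event type."""
    hashes = usable_hashes(REPORTED_HASHES)
    hits: List[Hit] = []
    for r in records:
        kind = r.get("event")
        if kind == "file_create":
            name = ntpath.basename(r["path"]).lower()  # ntpath: Windows paths on any host
            if name == RANSOM_NOTE.lower():
                hits.append(("ransom note", r["path"]))
            if name.endswith(ENCRYPTED_EXT):
                hits.append(("encrypted-file extension", r["path"]))
        elif kind == "mutex_create" and r.get("name") == MUTEX:
            hits.append(("mutex", r["name"]))
        elif kind == "process_create" and r.get("sha256", "").lower() in hashes:
            hits.append(("known hash", r["sha256"]))
        elif kind == "http":
            if r.get("user_agent") == USER_AGENT:
                hits.append(("user-agent", r["user_agent"]))
            if in_c2_range(r.get("dst_ip", "")):
                hits.append(("c2 range", r["dst_ip"]))
    return hits


# Constructed records from three hypothetical sources: endpoint file events,
# a sandbox mutex trace, and a web proxy. The process_create record carries the
# page's malformed hash and therefore never matches.
SAMPLE_RECORDS: List[Record] = [
    {"event": "file_create", "path": r"C:\Users\alice\Documents\RECOVER-FILES.txt"},
    {"event": "file_create", "path": r"C:\Users\alice\Documents\budget.xlsx.crosslock"},
    {"event": "mutex_create", "name": "CrossLock_Mutex_2024"},
    {"event": "process_create", "sha256": REPORTED_HASHES[0]},
    {"event": "http", "dst_ip": "185.225.17.42", "user_agent": USER_AGENT},
    {"event": "http", "dst_ip": "203.0.113.5",  # benign traffic, TEST-NET-3 address
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
]

if __name__ == "__main__":
    print("usable hashes:", usable_hashes(REPORTED_HASHES) or "none (malformed)")
    for indicator, evidence in match_iocs(SAMPLE_RECORDS):
        print(f"{indicator:26s} {evidence}")
```

The User-Agent comparison is exact because that is how the page reports it; a real deployment would also match on the distinctive CrossLock-Client/ token, since a trailing version bump would otherwise evade the rule.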

☠️ Risk & Impact

CrossLock encrypts files in a way that cannot be reversed without the operators' key, causing significant operational disruption and permanent data loss wherever backups are missing or were destroyed alongside the shadow copies. The double-extortion model adds exfiltration of sensitive patient data and financial records, exposing victims to costly downtime and to regulatory penalties under HIPAA. Affected sectors include healthcare, education, and manufacturing, with ransom demands typically between $500,000 and $3 million depending on victim size, as reported by Recorded Future.

🛡️ Mitigation

Mitigation measures include patching Ivanti Connect Secure and similar internet-facing products immediately, enforcing multi-factor authentication, and maintaining offline or otherwise immutable backups that are regularly tested for restore; volume shadow copies are not a substitute, because the malware deletes them. Sigma rules for process hollowing and scheduled-task anomalies are available from SOC Prime, and endpoint detection should block execution of CrossLock binaries with known hashes, bearing in mind that hash blocking only catches samples already seen, so behavioral rules for shadow-copy deletion, Defender tampering, and Run-key persistence are the more durable control.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.