YourCyanide Detection: New Self-Propagating Ransomware Variant

June 14, 2022 · 3 min read

A new ransomware variant follows in the footsteps of GonnaCope, the first strain in a family of CMD-based ransomware that surfaced in April 2022. Other similar samples, uploaded to VirusTotal in May 2022, are known as Kekpop and Kekware.

The rising player is dubbed YourCyanide and presumably has all it takes to become the next big threat. The data retrieved from the attacks shows that the ransomware strain doesn’t encrypt any files so far; all the documented damage is that it renames them, causing major inconvenience to the affected users. The hard-to-detect variant abuses Microsoft links, PasteBin, and Discord to drop the malicious payload and propagate.

Researchers have found that the latest variant of the CMD-based ransomware family can snatch user information and evade detection by leveraging its multiple layers of obfuscation.

Detect YourCyanide

The Sigma rules below, released by our perspicacious Threat Bounty developers Aytek Aytemur and Osman Demir, allow for effortless detection of the latest attacks involving the YourCyanide ransomware:

Suspicious YourCyanide Execution by Detection of Associated Commands (via cmdline)

Suspicious Cyanide Ransomware Persistence by Adding of Run Key to Registry (via registry_event)

The rules are aligned with the latest MITRE ATT&CK® framework v.10, addressing the Impact and Execution tactics with the Data Encrypted for Impact (T1486) and Command and Scripting Interpreter (T1059) techniques.

Register for the SOC Prime Platform to increase your threat hunting velocity with 185,000+ detection algorithms that integrate with your SIEM, EDR and XDR solution. To access the exhaustive library of Sigma rules to detect cyber ransomware threats, click the Detect & Hunt button below.

To obtain better visibility into threats passing through your network, navigate an ever-changing landscape of threats with a novel solution from SOC Prime – the Cyber Threat Search Engine. The Search Engine is available for free and does not require registration. Give it a go by hitting the Explore Threat Context button.

Detect & Hunt Explore Threat Context

YourCyanide Analysis

According to the available data, the variant descends from the GonnaCope ransomware, the first in the series of CMD-based ransomware strains that are now under close observation by security researchers. YourCyanide ransomware was thoroughly analyzed by the Trend Micro Threat Hunting team. Users within a compromised network received a note stating that their system was breached, followed by a warning that “Kekware and Kekpop (two previous variants) were just the beginning”.

Research data shows that the strains from this ransomware family are still in their development phase, so the analysts are not sure what to expect when they evolve and reach their full potential.

The YourCyanide variant also enables credential theft, compromising a number of applications such as Chrome, Discord, and Microsoft Edge.

Cybersecurity adepts are more than welcome to join the Threat Bounty Program to publish SOC content on the industry-leading platform and get rewarded for their valuable input. Seize the opportunity to take your defense & detection routine up a notch!
