YourCyanide Ransomware Analysis Findings


Industry: N/A | Level: Tactical | Source: TrendMicro

Trend Micro shared its investigation findings after analyzing several CMD-based ransomware variants related to YourCyanide ransomware. The analysis found that the ransomware uses Pastebin, Discord and Microsoft document links to download the payloads it needs, and that development of YourCyanide appears to be in progress. Trend Micro identified the infection flow: the malware typically arrives on a host as a malicious LNK file that triggers a PowerShell command to download the YourCyanide.exe executable from Discord; that executable launches a CMD file, which downloads a script from Pastebin and creates a registry run key. The CMD file also stops various anti-virus and defense services and creates an account for persistence. For lateral movement, the malware enables RDP with netsh and creates VBS files to spread itself via email.

Anvilogic Scenario:

  • YourCyanide Ransomware - Infection Chain

Anvilogic Use Cases:

  • Symbolic OR Hard File Link Created
  • Executable File Written to Disk
  • Executable Process from Suspicious Folder
  • Suspicious Executable by Powershell
  • Executable Create Script Process
  • New AutoRun Registry Key
  • Service Stop Commands
  • Create/Add Local/Domain User
  • Wscript/Cscript Execution
  • RDP Enabled
