Python-based Slycer Ransomware as a Service for Sale on Cybercrime Forum

Summary

A post on a cybercrime forum is advertising Slycer Ransomware, a Python-based malware that encrypts files and sends its decryption key to the attacker.

Category Malware Intelligence
Affected Industries Multiple
Affected Region Global
Source * D4
TLP # GREEN
Reference *Intelligence source and information reliability - Wikipedia # Traffic Light Protocol - Wikipedia

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum, advertising Slycer Ransomware as a Service (RaaS).
  • Slycer Ransomware is a Python-based malware that encrypts the files on the victim machine and sends its decryption key to the attacker.
  • Slycer allows threat actors to gather highly sensitive information regarding the affected company and escalate the attack to the next phase including, and not limited to, phishing attacks, social engineering-based attacks, and identity theft.
  • CloudSEK’s Threat Intelligence Research team is validating the authenticity of this post.

Threat actor’s post on the cybercrime forum

Analysis and Attribution

Information from Source

On 29 August 2021, a threat actor published a post on a cybercrime forum, advertising the membership of the Slycer Ransomware generator. The actor claims that there are three subscription plans for users based on time period, namely, one-time, lifetime, and monthly. The Slycer ransomware that is written in python has the following features:

  • It encrypts all files on the victim system using the Fernet symmetric encryption technique, regardless of their extension or file type, except for system files.
  • It uses a customized algorithm developed by the threat actor, to accelerate the encryption process.
  • When the ransomware is executed, it sends a Gmail prompt along with the victim’s customer ID, and the decryption key to the attacker.
  • Once the execution is completed, it deletes all the logs and the key from the victim device and then disables the Task Managers.
  • Slycer then sends customized notes and messages to the victim to collect the ransom.
  • It also allows the attacker to send custom Icons and other applications to the victim’s device.

Additionally, the actor has also provided the following information:

  • A downloadable ransomware file.
  • The price quotation for the ransomware. The price of the entire set-up including the source code ranges from USD 2400 - USD 2600.
  • A YouTube video tutorial demonstrating the working of the ransomware.

Based on information from a sensitive source, the algorithm which is developed in Python uses recursion to lock out all the files for a faster encryption process. So far, there are no broad mentions about ransomware on the open web.

Source Rating
  • The actor is not popular on the forum.
  • The information shared by the actor seems logical but doubtful.

Hence,

  • The reliability of the actor can be rated Not usually reliable (D).
  • The credibility of the advertisement can be rated Doubtful (4).
  • Giving an overall source credibility of D4 .

Impact & Mitigation

image

1 Like