View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
June 6, 2023updated 08 Jun 2023 10:13am

Cyclops cybercriminals create info-stealing ransomware

The ransomware gang's new malware also features a user interface which enables criminals to scan information and negotiate with victims.

By Claudia Glover

Ransomware gang Cyclops is selling new malware that steals data from a network while encrypting it, effectively creating a combination of an info-stealer and ransomware. The new malware is effective on Windows, Mac OS and Linux and boasts a user-friendly interface which could lower the bar for carrying out attacks.

A statue of the mythical cyclops, a visual metaphor for the Cyclops ransomware gang.
Ransomware gang Cyclops has turned its gaze on stealing and encrypting data. (Photo by Vladimir Zhoga/Shutterstock)

Cyclops has strong links with two other notorious ransomware gangs, LockBit and Babuk, researchers say.

Info-stealing ransomware created by Cyclops

Analysts at security company Uptycs have uncovered the new malware being touted on dark web forums. It is capable of sweeping up information from a target network, encrypting it depositing it on a server for the perpetrator of the attack to read through at their leisure.

A ransom note for the attack is deposited automatically within the target system.

The cybercriminal who has bought the Cyclops malware then has access to the encrypted files via a user panel which also includes a ransom section, designed to manage the negotiation and payment process.

The new combi-malware is effective on all the main operating systems, Windows, Mac OS and Linux. 

Interestingly, members of Cyclops, called “threat developers” in the report, are monitoring the ransom process like a malevolent IT helpdesk, appearing to be on hand in case of any mishaps. “The threat developers are able to promptly address real-time issues and to provide rewards for valuable suggestions,” Uptycs says.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

The dark web customer will download the malware from Cyclops for a share of the profits. From that point on they are ushered through the process via the customer interface, through which they can peruse the stolen data and demand a ransom. 

It is unlikely the purchaser of this malware will have access to much of the profits from the hack, the Uptycs researchers say.

According to the report, Cyclops ransomware encryption logic shares similarities with Babuk ransomware, using the same types of encryption.

The gang also has similar encoding techniques to LockBit. Executable strings are encoded and stored as a stack string in both the Cyclops and the LockBit ransomware. 

The FBI took down a botnet called Cyclops Blink in March 2022, which may be of some relation to the current Cyclops. The botnet was said to be directly linked to Russian security force the GRU.

Read more: Kyocera AVX becomes LockBit’s latest victim

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.