Ransomware gang Cyclops is selling new malware that steals data from a network while encrypting it, effectively creating a combination of an info-stealer and ransomware. The new malware is effective on Windows, Mac OS and Linux and boasts a user-friendly interface which could lower the bar for carrying out attacks.
Cyclops has strong links with two other notorious ransomware gangs, LockBit and Babuk, researchers say.
Info-stealing ransomware created by Cyclops
Analysts at security company Uptycs have uncovered the new malware being touted on dark web forums. It is capable of sweeping up information from a target network, encrypting it depositing it on a server for the perpetrator of the attack to read through at their leisure.
A ransom note for the attack is deposited automatically within the target system.
The cybercriminal who has bought the Cyclops malware then has access to the encrypted files via a user panel which also includes a ransom section, designed to manage the negotiation and payment process.
The new combi-malware is effective on all the main operating systems, Windows, Mac OS and Linux.
Interestingly, members of Cyclops, called “threat developers” in the report, are monitoring the ransom process like a malevolent IT helpdesk, appearing to be on hand in case of any mishaps. “The threat developers are able to promptly address real-time issues and to provide rewards for valuable suggestions,” Uptycs says.
The dark web customer will download the malware from Cyclops for a share of the profits. From that point on they are ushered through the process via the customer interface, through which they can peruse the stolen data and demand a ransom.
It is unlikely the purchaser of this malware will have access to much of the profits from the hack, the Uptycs researchers say.
Cyclops ransomware and the links to LockBit and Babuk
According to the report, Cyclops ransomware encryption logic shares similarities with Babuk ransomware, using the same types of encryption.
The gang also has similar encoding techniques to LockBit. Executable strings are encoded and stored as a stack string in both the Cyclops and the LockBit ransomware.
The FBI took down a botnet called Cyclops Blink in March 2022, which may be of some relation to the current Cyclops. The botnet was said to be directly linked to Russian security force the GRU.