Skip to content

Hide Navigation Hide TOC

crosslock (e203cc8c-6df9-5561-b7f3-ab65ee4a8e6b)

CrossLock ransomware was first observed in April 2023, targeting an IT services firm in Brazil using a double‑extortion approach—encrypting data and threatening to leak it publicly. Written in Go, it uses a hybrid encryption scheme combining ChaCha20 for file encryption with Curve25519 for key protection. Victims see their files renamed with the .crlk extension and ransom notes titled ---CrossLock_readme_To_Decrypt---.txt. The malware includes advanced techniques like Event Tracing for Windows (ETW) bypass and process mimicking (e.g., Cybereason processes) for stealth. It was publicly tracked until July 2023, after which activity (and its leak site) went offline.

Cluster A Galaxy A Cluster B Galaxy B Level
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern crosslock (e203cc8c-6df9-5561-b7f3-ab65ee4a8e6b) Ransomware 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern crosslock (e203cc8c-6df9-5561-b7f3-ab65ee4a8e6b) Ransomware 1
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern crosslock (e203cc8c-6df9-5561-b7f3-ab65ee4a8e6b) Ransomware 1
File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) Attack Pattern crosslock (e203cc8c-6df9-5561-b7f3-ab65ee4a8e6b) Ransomware 1
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern crosslock (e203cc8c-6df9-5561-b7f3-ab65ee4a8e6b) Ransomware 1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern crosslock (e203cc8c-6df9-5561-b7f3-ab65ee4a8e6b) Ransomware 1
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern crosslock (e203cc8c-6df9-5561-b7f3-ab65ee4a8e6b) Ransomware 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern crosslock (e203cc8c-6df9-5561-b7f3-ab65ee4a8e6b) Ransomware 1
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern crosslock (e203cc8c-6df9-5561-b7f3-ab65ee4a8e6b) Ransomware 1
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern crosslock (e203cc8c-6df9-5561-b7f3-ab65ee4a8e6b) Ransomware 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern 2
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2