The Cyclops group has developed multi-platform ransomware that can infect Windows, Linux, and macOS systems.
The group actively promotes its offering on hacker forums and takes a share of the profits from the affiliates who deploy its malware.
What does the Cyclops ransomware group do?
Cyclops operates a dedicated panel for distributing its ransomware for Windows, Linux, and macOS. The panel also provides separate binaries for an additional stealer component, available for Linux and Windows.
On execution, the stealer reads a config.json file from the directory it was launched from. The config file contains a list of filenames, with the corresponding extensions and sizes, that the stealer looks for.
Researchers found that the ransomware payload uses the GetLogicalDriveStrings API to retrieve the logical drives present on the system, then enumerates the folders on each drive and drops a ransom note named “How To Restore Your Files.txt” into them.
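Because the note is dropped into every folder the payload walks, the set of folders that contain “How To Restore Your Files.txt” is a quick way for a responder to scope how far an infection got. The following triage script is an added example written for this article, not code from Uptycs or from the Cyclops panel: on Windows it enumerates drives with the same kernel32 GetLogicalDriveStringsW call the payload uses, elsewhere it falls back to the filesystem root, and it then sweeps for the note. The directory tree it builds under demo() is constructed sample data, not a real victim layout.

```python
import ctypes
import os
import sys
import tempfile
from pathlib import Path

# Ransom note file name reported for Cyclops.
RANSOM_NOTE = "How To Restore Your Files.txt"


def logical_drives():
    """Roots to sweep. On Windows this calls the same kernel32
    GetLogicalDriveStringsW API the payload uses to find drives; on
    other platforms it falls back to the filesystem root."""
    if sys.platform != "win32":
        return ["/"]
    buf = ctypes.create_unicode_buffer(1024)
    length = ctypes.windll.kernel32.GetLogicalDriveStringsW(len(buf), buf)
    # The API fills the buffer with "C:\\\0D:\\\0...\0" (double NUL at the end).
    return [d for d in buf[:length].split("\0") if d]


def find_ransom_notes(roots, note_name=RANSOM_NOTE):
    """Walk every root and return (sorted) the directories that contain
    the note. Since the payload drops the note into each folder it
    enumerates, the hits approximate the folders the ransomware reached.
    Unreadable directories are skipped rather than aborting the sweep."""
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
            if note_name in filenames:
                hits.append(dirpath)
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample tree (not real victim data): two folders that
    received a note and one that did not."""
    base = Path(base)
    for sub in ("Users/alice/Documents", "Users/alice/Pictures", "ProgramData/clean"):
        (base / sub).mkdir(parents=True, exist_ok=True)
    (base / "Users/alice/Documents" / RANSOM_NOTE).write_text("constructed note\n")
    (base / "Users/alice/Pictures" / RANSOM_NOTE).write_text("constructed note\n")
    (base / "ProgramData/clean" / "report.txt").write_text("unrelated file\n")
    return base


def demo():
    """Build the sample tree in a temporary directory, sweep it, and return
    the affected folders relative to the tree root (forward slashes)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        hits = find_ransom_notes([str(base)])
        return [os.path.relpath(h, base).replace(os.sep, "/") for h in hits]


if __name__ == "__main__":
    # A real sweep of this host would be: find_ransom_notes(logical_drives())
    for folder in demo():
        print("ransom note found in", folder)
```

To run it against a live host, replace the demo() call with find_ransom_notes(logical_drives()); on a large volume expect the walk to take a while, and run it from read-only media or an IR jump box so the triage tooling itself is not encrypted mid-sweep.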
“The threat developers are able to promptly address real-time issues and to provide rewards for valuable suggestions,” Uptycs says.
The Linux version of the info-stealer is also obtained from the Cyclops admin panel, as an archive containing stealer.linux and config.json. Its functionality is similar to that of the Windows version.
According to the report, the encryption logic of Cyclops ransomware shares similarities with Babuk ransomware and uses the same types of encryption.