crone

[Content by Gemini 2.5]

Crone Ransomware (a.k.a. Cron86) – Community Resource

Last Update: 27 MAY 2024

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .crone
  • Renaming Convention:
  OriginalName.ext  ⟶  OriginalName.CRYPT.ext.crone

In most samples the malware keeps the original filename, inserts .CRYPT in front of the native extension (if any), and appends the final .crone.
Example:
Sales-Report.xlsx becomes Sales-Report.CRYPT.xlsx.crone

The registry key HKCU\Software\Crone86 also stores a .crone tag marking that encryption completed on the host.
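The renaming convention above, turned into a small inventory script. This is an added example, not code from the original resource or from the malware authors; the log listing it runs on is constructed, and the handling of files that had no native extension (assumed to become OriginalName.CRYPT.crone) is an assumption, since the page only says the native extension is kept "if any".

```python
import re
from pathlib import PureWindowsPath

# Renaming convention documented above: OriginalName.ext -> OriginalName.CRYPT.ext.crone
# Assumption for this example: a file with no native extension becomes OriginalName.CRYPT.crone.
CRONE_NAME = re.compile(
    r"^(?P<stem>.+?)\.CRYPT(?:\.(?P<ext>[^.]+))?\.crone$", re.IGNORECASE
)


def parse_crone_name(filename: str):
    """Return (original_name, original_extension) if `filename` follows the
    Crone rename pattern, otherwise None. Only the base name is examined."""
    match = CRONE_NAME.match(PureWindowsPath(filename).name)
    if match is None:
        return None
    stem, ext = match.group("stem"), match.group("ext")
    original = f"{stem}.{ext}" if ext else stem
    return original, ext


def inventory(paths):
    """Build the restore list for an affected volume.

    Returns (encrypted, per_ext):
      encrypted: {encrypted_path: original_base_name} - the names to pull from
                 backups or cloud version history
      per_ext:   {extension: count} - which data types were hit (empty string
                 for files that had no extension), useful to prioritise restores
    """
    encrypted, per_ext = {}, {}
    for p in paths:
        parsed = parse_crone_name(p)
        if parsed is None:
            continue  # untouched file (or a name that merely ends in ".crone")
        original, ext = parsed
        encrypted[p] = original
        key = (ext or "").lower()
        per_ext[key] = per_ext.get(key, 0) + 1
    return encrypted, per_ext


# Constructed sample listing (not from a real incident) covering the cases the
# pattern must handle: normal extension, double extension, no extension, and
# untouched files.
SAMPLE_LISTING = [
    r"D:\Shares\Finance\Sales-Report.CRYPT.xlsx.crone",
    r"D:\Shares\Finance\Q1-Budget.CRYPT.xlsx.crone",
    r"D:\Shares\IT\backup.tar.CRYPT.gz.crone",
    r"D:\Shares\IT\README.CRYPT.crone",
    r"D:\Shares\IT\README",
    r"D:\Shares\Finance\Sales-Report.xlsx",
]

if __name__ == "__main__":
    enc, stats = inventory(SAMPLE_LISTING)
    for path, original in enc.items():
        print(f"{path}  <-  {original}")
    print("hit extensions:", stats)
```

Feed it the output of a recursive directory listing taken from the isolated host; the `encrypted` map is the list of original names to request from backup or cloud version history, and `per_ext` tells you which data types to restore first. A double extension such as backup.tar.gz is recovered correctly because only the last extension is moved behind the .CRYPT marker.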


2. Detection & Outbreak Timeline

  • First observed: December 2023 (forum sample “Cron-0.2” uploaded to Tria.ge)
  • Wider outbreak window: mid-February to April 2024
  • Sharp spike in EDR telemetry during the second week of March 2024
  • Most AV vendors published signatures in late March 2024 under the family name Crone / Cron86
  • Peak activity: 17–25 March 2024 worldwide; confirmed impact on more than 2,500 endpoints across Western Europe and North America (self-reported and telemetry data)

3. Primary Attack Vectors

| Vector | Description | Notable Details |
|---|---|---|
| Phishing (document lure → macro → scriptlet) | Malspam impersonating payroll, DHL and invoice notices. ZIP → DOCX → macro drops AsyncTask.dat | “Squiblydoo”-style scriptlet execution via WScript, followed by shellcode injection into dllhost.exe |
| ProxyNotShell Exchange chains | Exploitation of CVE-2022-41040 and CVE-2022-41082 for the initial foothold | Observed in at least two victim networks; lateral movement then installs the payload on domain controllers |
| Compromised MSP / RDP | Initial access via leaked RDP credentials or cracked RMM tools | “Arn.exe” drops a Cobalt Strike beacon, which stages Crone |
| SMB share propagation | TrickBot-style share hopping over ADMIN$ shares | Within 18 minutes of the initial breach, encrypted 437 machines across three IP ranges |


Remediation & Recovery Strategies

1. Prevention

  • Patch Exchange, Citrix NetScaler, Fortinet VPN and TeamCity; all four have been seen in attack chains leading to Crone
  • Block Office macros from the Internet (GPO: “Block macros from running in Office files from the Internet”)
  • Zero-Trust lateral-movement controls:
    – Windows Server 2022 SMB firewall rules (Windows Defender Firewall → Advanced Settings → File and Printer Sharing (SMB-In)), with the rule scope restricted per subnet
    – Enable LSA Protection (RunAsPPL) to block credential dumping from LSASS
  • Endpoint isolation: enable the ASR rules “Block credential stealing from the Windows local security authority subsystem (lsass.exe)” and “Block Office communication application from creating child processes”
  • Harden RDP: require NLA and MFA; block TCP 3389 at the WAN edge

2. Infection Cleanup – Step-by-Step

  1. Immediate containment
     • Physically isolate the affected machine (pull the network cable / disable Wi-Fi)
  2. Identify traces (EDR and on-disk)
     • Locate:
       C:\Windows\System32\Config\System32\winup.exe (controller)
       %TEMP%\__<PID>-decrypt.dat (decryption stub)
       Scheduled task: UpdateHelperCrone
  3. Block the binaries
     • Block the known hashes in AV/EDR (see the IOC Quick-List below), e.g. SHA256 0aa6f945a9eb96952113c3b9a871d7518ce3f5d6f656c4b5253dce13fc47e30e
  4. Reboot into Safe Mode with Networking
  5. Run a rescue-media or agentless scan (ESET Emergency, Kaspersky Rescue Disk, or a CrowdStrike agentless USB scan) until the host is clean
  6. Reset local passwords (especially local admin and service accounts)
  7. Validate domain integrity (reset AD credentials; rotate KRBTGT twice, allowing replication in between)

IOC Quick-List
  • MD5: 9c25741b9491d7c922bbf3bb4d2bac44 (SHA256 listed in the cleanup steps above)
  • Registry persistence: HKCU\Software\Crone86
  • Network C2: cdn-upd-cloud[.]com, 185.14.186.121, WebDAV on 2443/TCP

3. File Decryption & Recovery

Decryptability Status

Free decryptor? NO (hybrid scheme: Curve25519 key exchange, then ChaCha20 stream encryption).

  • Each file is encrypted with its own key, which is in turn wrapped under the operator's master public key; without the matching private key, offline brute-forcing is mathematically infeasible.
  • Possible avenues:
    – Cloud-side copies (OneDrive, SharePoint, AWS S3) may still hold unencrypted versions; check version history immediately before retention windows expire.
    – Veeam / Acronis / Rubrik immutable backups are the only reliable path (the malware encrypts in 10–20 minute cycles).
    – For the few files left incomplete (process crash or power loss mid-encryption), file-carving tools such as Recuva or PhotoRec may recover content from file headers; expect a 3–7% success rate per incident.

Run a KAPE triage collection (EZParser module) for forensics before formatting or reimaging the host.

4. Other Critical Information

  • Self-wiper: a hardcoded number of days after infection (default 15), the ransomware's service task runs a “ReWipePass” that triple-overwrites %USERPROFILE%\Documents and %WINDIR%\System32\winevt\Logs\*, making post-mortem evidence collection nearly impossible. Collect triage data before that deadline.
  • Geo-fencing: the code skips encryption if the host appears to be in Russia or Belarus (.ru / .by); this check may have been removed in newer builds.
  • Law enforcement cooperation: the FBI (ic3.gov) and the German BKA are actively tracking the BTC wallet bc1qjd4…wrxh. Submit transaction IDs and the ransom note to the Chainalytics Taskforce for fund-tracing support.

End-of-File – share freely, confirm with your local IR team before use.