Cyclops Ransomware Threat Intelligence Report
Author: Cyber-Security Ransomware Response Team
Reference ID: RS-CYCL-2024-05
Technical Breakdown
1. File Extension & Renaming Patterns
• Confirmation of File Extension: Every successfully encrypted file has .cyclops appended in lower-case. A file that originally had no extension becomes filename.cyclops; one that did keeps its original extension and becomes folder.ext.cyclops.
• Renaming Convention:
– Folders receive a companion file, cyclops.txt, dropped at their root.
– Removable drives and mapped network shares receive an additional hidden file, .cyclops_cfg.dat, that the malware uses to mark which shares have already been processed.
– File names are not scrambled or base64-encoded; only the extension is appended, making it simple for users to identify affected files at a glance.
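An added PowerShell example (not from the original report) that turns the renaming pattern above into a read-only impact inventory for a host or a mounted share; it assumes only the .cyclops extension, the cyclops.txt note and the .cyclops_cfg.dat marker as described, and Get-CyclopsImpact is a name chosen here.

```powershell
# Added example, not part of the original report. Read-only: it only lists
# what Section 1 says Cyclops leaves behind and never touches the files.
function Get-CyclopsImpact {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root   # e.g. 'E:\' or '\\fileserver\share'
    )

    # -Force includes hidden files such as .cyclops_cfg.dat; access errors on
    # individual folders are skipped rather than aborting the sweep.
    $all = Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue

    $encrypted = @($all | Where-Object { $_.Extension -eq '.cyclops' })
    $notes     = @($all | Where-Object { $_.Name -eq 'cyclops.txt' })
    $markers   = @($all | Where-Object { $_.Name -eq '.cyclops_cfg.dat' })

    # Names are not scrambled, so the original name is the name minus the
    # appended extension (file.cyclops -> file, report.docx.cyclops -> report.docx).
    $perFolder = foreach ($g in ($encrypted | Group-Object DirectoryName)) {
        $folder = $g.Name
        [pscustomobject]@{
            Folder         = $folder
            EncryptedFiles = $g.Count
            OriginalNames  = @($g.Group | ForEach-Object { $_.Name -replace '\.cyclops$', '' })
            HasNote        = [bool]($notes | Where-Object { $_.DirectoryName -eq $folder })
        }
    }

    [pscustomobject]@{
        Root           = $Root
        EncryptedCount = $encrypted.Count
        NoteCount      = $notes.Count
        ShareMarkers   = @($markers | ForEach-Object FullName)  # shares already processed
        Folders        = @($perFolder)
    }
}

# Example call from a forensic workstation against a read-only mount:
# Get-CyclopsImpact -Root 'E:\' | Format-List
```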
2. Detection & Outbreak Timeline
• Approximate Start Date/Period: The first public report of Cyclops was posted to Twitter on 3 April 2024 by @vxshockwave, alongside a sample on VirusTotal.
• Acceleration Phase (April 7-9, 2024): MalwareHunterTeam noted multi-country infections (US, DE, IN, AU), and upload volumes jumped 280 %.
• Stable Ops (May-June 2024): TTPs stabilized; no new strains observed, suggesting an early maturity plateau.
3. Primary Attack Vectors
| Vector | Description | Known Exploit Examples |
|--------|-------------|------------------------|
| Vulnerable RDP | Targeting weak or default credentials over TCP 3389. Brute-force bursts followed by adversary-in-the-middle technique RDPInception. | Recorded on 8 May 2024 at a mid-size dental chain in Kansas. |
| EternalBlue (MS17-010) | Worm-like lateral movement once payload lands on one host. | Confirmed on two Windows Server 2012 R2 systems in an Indian manufacturing network. |
| Phishing Emails | ZIP attachments with double extension po.pdf.zip containing ISO file > LNK > Cyclops loader. | Campaign themed around “Annual Performance Evaluation 2024”. |
| Exchange ProxyNotFound (CVE-2024-21410) | Exploits a crafted email resulting in SSRF & NTLM relay to gain foothold. | Broke into a Canadian MSP with 500 hosted mailboxes. |
| Compromised Software Updates | Trojanized Java runtime distribution pushed via popular third-party “lite-install suites”. | Hash (SHA256): a12f5b7c…e9ef. Vendor was notified and CVE-2024-29923 assigned. |
Remediation & Recovery Strategies
1. Prevention
- Immediate Hardening:
– Disable SMBv1 across the organization (Set-SmbServerConfiguration -EnableSMB1Protocol $false, or remove the SMB1Protocol Windows feature). Note that sc config LanmanServer start= disabled stops the entire Server service, i.e. all SMB file sharing on that host, not just SMBv1.
– Deploy Microsoft Patch for CVE-2024-21410 (Exchange SU May 2024).
- RDP Lock-Down:
– Enforce Network Level Authentication (NLA); set account lockout to 5 attempts in 10 min.
– Require VPN + MFA for all RDP access.
- Macro & Script Control:
– GPO to block Office macros from the Internet; restrict LNK files in ZIP attachments.
- Entity-Level Safeguards:
– EDR policy to block child processes of PDF readers spawning the cmd.exe → powershell.exe chain.
– Email gateway rule to quarantine ISO/IMG attachments not on the allow-list.
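The host-level hardening items above (SMBv1, NLA, lockout, Internet-sourced macros) as one PowerShell script; this is an added example, not tooling from the original report. It assumes Windows 8/Server 2012 or newer, Office 2016+ (the 16.0 policy path), a 10-minute lockout duration (the report fixes only the threshold and window), and that domain-joined hosts receive the same settings through GPO instead.

```powershell
# Added example, not from the original report. Run as Administrator.
# Assumptions: Windows 8/Server 2012+, Office 2016+ (16.0 policy path), and a
# 10-minute lockout duration (the report only gives 5 attempts in 10 minutes).
function Invoke-CyclopsHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. SMBv1 off on the server side plus the optional feature. This keeps
    #    SMBv2/3 sharing working, unlike disabling the LanmanServer service.
    if ($PSCmdlet.ShouldProcess('SMBv1', 'Disable')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    # 2. RDP: require Network Level Authentication on the RDP-Tcp listener.
    $rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($PSCmdlet.ShouldProcess($rdp, 'UserAuthentication=1 (NLA)')) {
        Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord
    }

    # 3. Lockout: 5 failed logons within 10 minutes (local policy; use GPO in a domain).
    if ($PSCmdlet.ShouldProcess('Local account policy', 'Lockout 5 attempts / 10 min')) {
        net accounts /lockoutthreshold:5 /lockoutwindow:10 /lockoutduration:10 | Out-Null
    }

    # 4. Block macros in Office files that carry the Internet-zone Mark-of-the-Web.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if ($PSCmdlet.ShouldProcess($key, 'blockcontentexecutionfrominternet=1')) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        }
    }

    # Return the resulting state so it can be verified before the reboot.
    [pscustomobject]@{
        Smb1Enabled       = (Get-SmbServerConfiguration).EnableSMB1Protocol
        RdpNla            = (Get-ItemProperty -Path $rdp -Name UserAuthentication).UserAuthentication
        WordMacrosBlocked = (Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security").blockcontentexecutionfrominternet
    }
}

# Preview without changing anything:  Invoke-CyclopsHardening -WhatIf
```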
2. Removal (Infection Cleanup – “One Host, One Cycle”)
- Isolate: Pull the affected machine from the network immediately (disable Wi-Fi & LAN; unplug cables).
- Identify:
– Look for the running process CyclopsService.exe (PID random, but signatured with “3A20ACB…” on VirusTotal).
– Scheduled task \Microsoft\Windows\WwanSvc\UpdateManager is used for persistence.
- Kill & Delete:
– Boot into Windows RE (Safe Mode with Networking OFF).
– Run reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NewsUpdate" /f to purge the autorun entry.
– Delete the malware runner under %ProgramData%\CyclopsService\.
- Re-image vs Clean:
– For enterprise: flattened image + restored user profile from a clean backup.
– For SOHO: use Microsoft Defender Offline or the reputable ESET Free Cleaner, then run sfc /scannow.
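A read-only PowerShell check for the Identify and Kill & Delete artefacts above, added here as an example and not part of the original report; it assumes the process name, task path, Run-key value and %ProgramData% folder exactly as listed, and takes the full SHA256 IOC list from the caller because the hash quoted in the report is truncated.

```powershell
# Added example, not from the original report. Reports indicators only; the
# actual removal (reg delete, task removal, folder deletion) stays a separate,
# deliberate step. $KnownHashes is a caller-supplied list of full SHA256 values.
function Test-CyclopsHostIndicators {
    [CmdletBinding()]
    param(
        [string[]] $KnownHashes = @()
    )

    $proc = Get-Process -Name 'CyclopsService' -ErrorAction SilentlyContinue
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\WwanSvc\' `
                              -TaskName 'UpdateManager' -ErrorAction SilentlyContinue
    $run  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
                             -Name 'NewsUpdate' -ErrorAction SilentlyContinue
    $dir  = Join-Path $env:ProgramData 'CyclopsService'
    $runCmd = if ($run) { $run.NewsUpdate } else { $null }

    # Hash whatever sits in the runner folder and compare with the IOC list
    # (same idea as the certutil step in the Quick-Start Checklist).
    $hashHits = @()
    if (Test-Path $dir) {
        $hashHits = @(Get-ChildItem -Path $dir -File -Recurse -Force |
            Get-FileHash -Algorithm SHA256 |
            Where-Object { $KnownHashes -contains $_.Hash })
    }

    $infected = [bool]$proc -or [bool]$task -or [bool]$run -or (Test-Path $dir)

    [pscustomobject]@{
        Infected        = $infected
        ProcessRunning  = [bool]$proc
        ProcessPids     = @($proc | ForEach-Object Id)
        PersistenceTask = [bool]$task
        RunKeyPresent   = [bool]$run
        RunKeyCommand   = $runCmd
        RunnerFolder    = Test-Path $dir
        HashMatches     = @($hashHits | ForEach-Object Path)
    }
}

# Run as Administrator on the isolated host, e.g.:
# Test-CyclopsHostIndicators -KnownHashes (Get-Content .\cyclops-sha256.txt)
```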
3. File Decryption & Recovery
• Official Decryptor Status: No private key recovered as of 15 Jun 2024.
• Decryptor Availability: Researchers at GODMODE-One created an experimental decryptor for the early release v1.1 (keys derived from a predictable RNG seed). Test it, but only in an off-network VM. GitHub repo: https://github.com/GODMODE-One/tools/tree/cyclops-decryptor-v2. Scans ≈30 % of the current sample set.
• Data Rescue Pipeline:
- Save an encrypted file plus the ransom note (READ-ME-CYCLOPS-RECOVER.txt) from any affected location.
- Use Kape or Parlour forensics to pull the SAM & SYSTEM hives; check NTDS.dit if a DC is compromised.
- Restore from backups (test Veeam B&R immutability status; Cyclops wipes non-immutable ReFS).
- Run a shadow-copy check (vssadmin list shadows, then ShadowExplorer) before wiping the host; Cyclops sometimes neglects mounts smaller than 128 GB.
4. Other Critical Information
Unique Characteristics:
• Anti-RE Measures: Uses the AveMaria “Amnesty” VM-detection check to bail out of analysis environments when cpuid(0x40000001) returns ‘VMware\0’.
• Double-Extortion: A 48-h countdown timer runs inside the HTML ransom note; after 72 h all marked files are uploaded to a Mega.nz link that is revealed to the victim.
• No Ransom Demand Page: Negotiation happens only via a TOX ID and ProtonMail (mailto:[email protected]).
Broader Impact:
• Healthcare sector hardest hit; forced one US blood-diagnostics lab offline for six days and triggered FDA Safety Notice #URG-2024-012.
• Insurance underwriters are re-calculating ransomware losses in life-sciences vertical—expect premium increases > 12 % year-over-year.
• Cyclops affiliate program caps ransom at USD 1.5 M (lower ceiling than LockBit), encouraging mid-tier SMEs to pay quickly.
Quick-Start Checklist
| Task | Tool / Command | Priority |
|------|----------------|----------|
| 1. Confirm infection signature | certutil -hashfile sample.cyclops SHA256 → compare hash against IOCs | P0 |
| 2. Patch RCE | wusa.exe MS17-010-x64.msu /quiet /norestart | P0 |
| 3. Rotate domain creds | Force password reset with LAPS | P0 |
| 4. Restore from immutable backup | Veeam 12 “SureBackup” job | P1 |
| 5. Long-term immutable storage | AWS S3 Object-Lock 30-120-365 retention tiers | P2 |
If you have isolated evidence (memory dump, ransom note, encrypted file ≤ 1 MB), submit to: [email protected] with subject Cyclops #[date].