Crosslock
Parsing : Enabled
Description
CrossLock ransomware was first observed in April 2023, targeting an IT services firm in Brazil using a double‑extortion approach—encrypting data and threatening to leak it publicly. Written in Go, it uses a hybrid encryption scheme combining ChaCha20 for file encryption with Curve25519 for key protection. Victims see their files renamed with the .crlk extension and ransom notes titled ---CrossLock_readme_To_Decrypt---.txt. The malware includes advanced techniques like Event Tracing for Windows (ETW) bypass and process mimicking (e.g., Cybereason processes) for stealth. It was publicly tracked until July 2023, after which activity (and its leak site) went offline.
| External Analysis |
| https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/crosslock |
| https://www.sentinelone.com/anthology/crosslock/ |
| https://www.netskope.com/blog/netskope-threat-coverage-crosslock-ransomware |
| https://cyble.com/blog/crosslock-ransomware-emerges-new-golang-based-malware-on-the-horizon |
| https://rewterz.com/rewterz-threat-alert-crosslock-ransomware-active-iocs |
| Tox |
| 8F0E308CB4D9F1F3F80EC93A4C566B8CFCCAB0967F0637C00ED3079C37235652A64B21A7070E |
| Urls |
Screen |
| http://crosslock5cwfljbw4v37zuzq4talxxhyavjm2lufmjwgbpfjdsh56yd.onion/ |
Screen |
Posts
| Date |
Title |
Description |
Screen |
| 2023-04-17 |
validcertificadora.com.br |
VALID Certificadora Digital Ltda is a company that operates in the Farming industry. It employs 501-1,000 people and has $100M-$250M of revenue. The company is headquartered in São Paulo, Sp, Braz... |
|