A buggy new ransomware variant named Cyrat has been identified by a German security researcher. Targeting Windows systems and matching many new ransomware variants in an attempt to outsmart standard EDR tools is compiled in Python 3.7, the malicious payload poses as a DLL fixer and alerts users that a number of corrupted DLLs were found on the system. Once the malicious encryption process completes, the user is notified the corrupt DLLs have been repaired.
DLL Fix 2.5 – Responsible for Cyrat Infection
The research indicates in its’ current form, the malicious payload has a high probability of crashing due to a dependency on a particular pyfiglet font type. The German researcher needed to install the font type in order to prevent crashing and fully analyze the variant. Cyrat also uses Fernet, an symmetric encryption method, to encrypt files. Not commonly used by ransomware, Fernet can have issues with large files and may cause problems for the Threat Actor(s) behind Cyrat.
To maintain persistence on the target host, Cyrat copies itself to the Windows auto-start folder:
SpearTip regularly observes this file path in many versions of malware being utilized by a variety of malware for persistence. Cyrat adds a generic ransomware stock image as the wallpaper, drops a ransomware note in each affected directory, and appends the file extension .CYRAT to affected files. The variant also makes policy changes to affected hosts to disable CMD, Task Manager, and registry tools.
Wallpaper Stock Image Used by Cyrat
Although Cyrat ransomware has a number of bugs currently that will limit its impact in the short-term, SpearTip expects the developers behind the malware to continue to make improvements and Cyrat could wreak havoc in corporate networks in the near future.
SpearTip is constantly watching for new malware and manipulative programs. Our 24/7 Security Operations Center (SOC) is fully staffed with cybersecurity professionals to monitor and protect your environment. Not only are our cybersecurity teammates continuously preventing cyberattacks, but also able to deploy our proprietary tool, ShadowSpear® in an environment before or after an attack.