{"id":2466,"date":"2024-09-25T18:28:11","date_gmt":"2024-09-25T18:28:11","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2466"},"modified":"2025-07-29T03:50:18","modified_gmt":"2025-07-29T03:50:18","slug":"cyron-the-latest-player-in-the-ransomware-game","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/cyron-the-latest-player-in-the-ransomware-game\/","title":{"rendered":"Cyron: The latest player in the ransomware game"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Yet another strain of Ransomware has been discovered plaguing victims, highlighting how popular this malware flavour has become with criminals. This time around, the strain has been dubbed \u2018Cyron\u2019 as it encrypts all user files with a .cyron extension before turning off the system and finally making the desktop un-usable.

Cyron is distributed primarily via spam mails and malicious email attachments. The ransomware message demands a 50 euro payment via PaySafeCard to restore user files.

Delivery:<\/strong> While this new strain spreads mainly through email attachments, the attachments themselves vary widely. We have so far seen loaders, droppers, Trojans and malicious macros in Microsoft Office documents used to deliver the payload.

Additionally, Cyron can also be present in the form of a JavaScript code embedded with malicious links. 

File Details:<\/strong>
<\/p>\n\n\n\n


File Name
<\/td>
Cyron.exe
<\/td><\/tr>

File type
<\/td>
Portable Executable (PE) file
<\/td><\/tr>

Md5 hash
<\/td>
ff9dc25128897a3f1a4659422b6f0ada
<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Static Analysis:<\/strong>

Below we see the registry keys the malware deletes upon execution:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

During this process, it drops an error.pdb file:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Next, Cyron gathers information about the victim PC using strings like get_count, get_capacity, get_Item, and get_User \u2013 the images below show the complete set of strings. Once complete, Cyron automatically saves its settings using the AutoSaveSettings string, before powering off the target machine using the ShutdownMode string:\u00a0\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

\"\"Below we see the specific strings responsible for encrypting the victim\u2019s data:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Cyron also drops the two below files, which we believe could allow the attackers to execute malicious functions in memory locations.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u00a0Code Analysis:<\/strong>

The following code analysis shows Cyron encrypting the victim\u2019s Desktop files: \u00a0
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


\"\"Using the below functions:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n



Next, all files in the \u201cDownloads\u201d folder are also encrypted:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


Here we see the creation of the encryption key:\u00a0

<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\"\"Cyron also checks the computer name, OS, and antivirus installed on the target machine:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


Before contacting the following domain:\u00a0
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Below, we see the domain has hosted malicious content in the past:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The next few images show the creation of the ransom message:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

\"\"Now we have the final steps of Cyron\u2019s installation:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n


The following files are then dropped:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n



Which encrypts all files on the target machine with the .cyron extension\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n



As an interesting side note, we also witnessed some VM detection techniques. These allow Cyron to avoid executing if it is opened in a sandbox environment:\u00a0<\/p>\n\n\n\n

\"\"<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Once Cyron successfully executes, below is what the victim sees:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


CONCLUSION<\/strong>

When you think about, cyber criminals like those behind Cyron rely on their victim\u2019s infecting themselves. Time and time again, phishing campaigns are the favoured delivery method because people keep opening attachments from suspicious sources.\u00a0

As long as people keep shooting themselves in the foot like this, ransomware isn\u2019t going anywhere. Unfortunately, in many cases, the encryption algorithms used in these attacks are too advanced to be decrypted without paying the culprits. It\u2019s an old clich\u00e9, but prevention is better than cure. Don\u2019t open attachments or click on links from unknown senders and you\u2019ll have greatly reduced your exposure to ransomware.



<\/p>\n","protected":false},"excerpt":{"rendered":"

Yet another strain of Ransomware has been discovered plaguing victims, highlighting how popular this malware flavour has become with criminals. This time around, the strain has been dubbed ‘Cyron’ as it encrypts all user files with a .cyron extension before turning off the system and finally making the desktop un-usable. Cyron is distributed primarily via […]<\/p>\n","protected":false},"author":1,"featured_media":2492,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2466","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2466","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2466"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2466\/revisions"}],"predecessor-version":[{"id":4260,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2466\/revisions\/4260"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2492"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2466"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2466"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2466"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}