YourCyanide: A CMD-Based Ransomware With Multiple Layers of Obfuscation


The Trend Micro Threat Hunting team recently analyzed a series of CMD-based ransomware variants with a number capabilities such as stealing user information, bypassing remote desktop connections, and propagating through email and physical drives.

In this blog entry, Trend Micro researchers will analyze YourCyanide, the latest variant of the CMD-based ransomware family that started with GonnaCope. YourCyanide is a sophisticated ransomware that integrates PasteBin, Discord, and Microsoft document links as part of its payload download routine. YourCyanide contains multiple layers of obfuscation and takes advantage of custom environment variables and the Enable Delayed Expansion function to hide its activities. As part of its evasion strategy, YourCyanide will also pass through different files, downloading the succeeding files via Discord and Pastebin with each step before eventually downloading the main payload.

Read more…
Source: Trend Micro