CloudSEK’s contextual AI digital risk monitoring platform XVigil came across a CMD-based ransomware strain, YourCyanide, being used in the wild. YourCyanide uses Discord, Microsoft Office and Pastebin as part of its payload download mechanism, fetching Discord attachments and making URL requests.
The actors behind this campaign leverage compromised email accounts, specifically Hotmail accounts, and spam malicious links in messages that look legitimate. The links are unique to each target and lead to the download of a Microsoft Word document containing an embedded PowerShell script.
YourCyanide then uses PowerShell to create a virtual drive with Sysinternals Disk2vhd and executes the ransomware payload, “your_cyanide.exe”. This drive is named “cyanide”.
A new virtual drive is created every time the script runs; each is named “cyanide” with an ID from 1 up to 65535. When the ransomware runs, it performs the following actions on the system:
Enables debugging tools, including Windows Remote Management (WinRM) and Windows Event Log Explorer (WinELEVNT).
Disables Protected Mode for PowerShell in Task Manager.
Resets WMI service.
Clears S3 Amazon Web Services keys and configs inside EC2 Identity Pools in charge of database management and key-pair generation.
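The delivery chain described above (Word document spawning PowerShell, PowerShell launching Disk2vhd, a "cyanide" virtual drive with an ID in the range 1 to 65535, and execution of your_cyanide.exe) leaves a recognisable sequence in process-creation telemetry. The following is an added detection example, not CloudSEK's or XVigil's code: it parses a constructed, Sysmon-style process-creation log and flags each stage. The pipe-separated key=value log format, the sample lines, and the `cyanide<ID>.vhd` file-name form are assumptions; the report names the drive and the ID range but not an exact file name.

```python
"""Flag the YourCyanide delivery chain in process-creation logs (added example).

Assumptions: each log line is pipe-separated key=value fields loosely
modelled on Sysmon Event ID 1, and the Disk2vhd output is named
cyanide<ID>.vhd. Neither format comes from the report.
"""
import re

# Constructed sample log; not real telemetry.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\svchost.exe|ParentImage=C:\\Windows\\System32\\services.exe|CommandLine=svchost.exe -k netsvcs
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|CommandLine=powershell.exe -w hidden -enc AAAA
Image=C:\\Users\\alice\\AppData\\Local\\Temp\\disk2vhd.exe|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=disk2vhd.exe C: C:\\Users\\alice\\AppData\\Local\\Temp\\cyanide17.vhd
Image=C:\\Users\\alice\\AppData\\Local\\Temp\\your_cyanide.exe|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=your_cyanide.exe
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe Get-Process
"""

RANSOMWARE_IMAGE = "your_cyanide.exe"      # payload name given in the report
DISK2VHD_IMAGE = "disk2vhd.exe"            # Sysinternals Disk2vhd, named in the report
OFFICE_IMAGES = {"winword.exe"}            # the lure is a Word document
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Assumed file-name form for the "cyanide" virtual drive (hypothetical).
VHD_RE = re.compile(r"cyanide(\d+)\.vhdx?\b", re.IGNORECASE)
MAX_DRIVE_ID = 65535                       # ID range stated in the report


def parse_event(line):
    """Turn 'Key=Value|Key=Value' into a dict; fields without '=' are ignored."""
    event = {}
    for field in line.strip().split("|"):
        key, sep, value = field.partition("=")
        if sep:
            event[key] = value
    return event


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of reasons this event matches a stage of the chain."""
    reasons = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")

    if image == RANSOMWARE_IMAGE:
        reasons.append("ransomware payload executed: " + RANSOMWARE_IMAGE)
    if parent in OFFICE_IMAGES and image in POWERSHELL_IMAGES:
        reasons.append(f"{parent} spawned {image} (embedded script in document)")
    if parent in POWERSHELL_IMAGES and image == DISK2VHD_IMAGE:
        reasons.append("PowerShell launched Disk2vhd (virtual drive creation)")
    match = VHD_RE.search(cmdline)
    # Only IDs inside the reported 1..65535 range count as the named drive.
    if match and 1 <= int(match.group(1)) <= MAX_DRIVE_ID:
        reasons.append(f"references 'cyanide' virtual drive ID {match.group(1)}")
    return reasons


def scan(log_text):
    """Return [(line_number, reasons)] for every line that matched a rule."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = classify(parse_event(line))
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: " + "; ".join(reasons))
```

Run stand-alone it reports lines 2, 3 and 4 of the sample; line 3 matches twice (Disk2vhd launched from PowerShell, and the cyanide17.vhd drive name), while the ordinary explorer-to-PowerShell launch on line 5 is not flagged. A drive ID outside 1 to 65535 is deliberately ignored so the rule does not fire on unrelated files that happen to contain the word.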