Ransomware - Cs-137

Cs-137
Decryptor Available: No
Description

If you're savvy in the sciences, you may recognize Cs-137 as Cesium-137, a radioactive isotope of cesium created as a byproduct of the fission of uranium-235 and uranium-238. However, this iteration of Cs-137 is a ransomware that appears to be in its infancy, still in its testing phase. This is abundantly clear from the ransom note it drops and from the behavior of the ransomware itself. It performs traditional file encryption and drops a ransom note, which comes as a text file and a wallpaper change (as seen in the ransom notes below). The ransom note is basic; it provides no information on how to pay a ransom, if that is even possible. That's because, again, it's in the testing phase and hopefully doesn't go beyond that. The ransom note says an onion site (a dark web extortion website) is coming soon. The ransomware encrypts files using ChaCha20 and renames each encrypted file to a random sequence of 10 alphanumeric characters, leaving the original file extension unchanged.

Ransomware Type: Crypto-Ransomware
First Seen:
Threat Actors
  Type: Cybergroup
  Actor: Cs-137 Group
Extortion Types
  Direct Extortion
  Pseudo-Extortion
Encryption
  Type: Symmetric
  Files: ChaCha20
File Extension: <random 10 alphanumeric characters>.<original extension>
Ransom Note Name
  <random 6 letters>-README.txt
  Wallpaper<random 5 numbers>.jpg
Samples (SHA-256)
cb72f6510d2be9441cae55788a6d31a8eb4b386e1b9ac1f3f8509ef3a1b83c80
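
The naming behavior recorded above (10-alphanumeric rename with the extension kept, a `<random 6 letters>-README.txt` note, a `Wallpaper<random 5 numbers>.jpg` image) can be turned into a triage check over file-system events. The sketch below is an added example, not code from this entry or from the malware; the event tuple format, the paths, the rename threshold and the letter-case handling in the patterns are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Naming patterns from this entry; letter case is an assumption.
RENAMED_STEM = re.compile(r"[A-Za-z0-9]{10}")
NOTE_NAME = re.compile(r"[A-Za-z]{6}-README\.txt")
WALLPAPER_NAME = re.compile(r"Wallpaper[0-9]{5}\.jpg")

def is_suspicious_rename(old, new):
    """True when only the stem changed and the new stem is 10 alphanumerics."""
    o, n = PureWindowsPath(old), PureWindowsPath(new)
    return (o.parent == n.parent and o.suffix == n.suffix
            and o.stem != n.stem and RENAMED_STEM.fullmatch(n.stem) is not None)

def triage(events, min_renames=3):
    """Correlate rename bursts with a dropped note in the same directory.

    events: iterable of (action, path, new_path) tuples (hypothetical format).
    A single matching rename is weak evidence: 'report2024' is also 10
    alphanumerics, so a directory needs min_renames hits plus a note.
    """
    renames, notes, wallpapers = defaultdict(int), defaultdict(list), []
    for action, path, new_path in events:
        if action == "rename" and is_suspicious_rename(path, new_path):
            renames[str(PureWindowsPath(path).parent)] += 1
        elif action == "create":
            p = PureWindowsPath(path)
            if NOTE_NAME.fullmatch(p.name):
                notes[str(p.parent)].append(p.name)
            elif WALLPAPER_NAME.fullmatch(p.name):
                wallpapers.append(str(p))
    flagged = {d: {"renames": c, "notes": notes[d]}
               for d, c in renames.items() if c >= min_renames and d in notes}
    return {"directories": flagged, "wallpapers": wallpapers}

# Constructed sample events (not taken from a real incident).
SAMPLE_EVENTS = [
    ("rename", r"C:\Users\a\Docs\budget.xlsx", r"C:\Users\a\Docs\k3Pz9QwLm2.xlsx"),
    ("rename", r"C:\Users\a\Docs\notes.txt", r"C:\Users\a\Docs\Zt81bNcY0e.txt"),
    ("rename", r"C:\Users\a\Docs\photo.jpg", r"C:\Users\a\Docs\7hGq2LxVb4.jpg"),
    ("create", r"C:\Users\a\Docs\qWzKpt-README.txt", None),
    ("create", r"C:\Users\a\AppData\Local\Temp\Wallpaper48213.jpg", None),
    ("rename", r"C:\Work\report.docx", r"C:\Work\report2024.docx"),
    ("create", r"C:\Work\README.txt", None),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The `C:\Work` rename matches the stem pattern on its own but is not flagged, because that directory has neither a burst of renames nor a matching note.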