Cyber Threat Actor: CrossLock
| Actor Type | Location | Known Incidents |
Criminal
|
Brazil
|
3 incidents |
|---|
Profile
CrossLock is a ransomware group that operates under the alias CrossLock and has been identified as being based in Brazil. The group first came to public attention through its claim of responsibility for an attack on a Brazilian digital certificate issuer in mid‑April 2023. It presents itself as an established actor rather than a newly emerged threat, noting that it is not a new group in the ransomware landscape.
The group’s known activity shows a focus on entities that manage digital trust services, as demonstrated by the compromise of Valid Certificadora Digital, a Brazilian firm that issues SSL certificates for businesses and public institutions. The attack was confined to a single victim in Brazil, indicating a regional focus on Brazilian organizations at least in this observed case. CrossLock’s stated objectives appear to be financial, seeking both a ransom payment from the victim and the subsequent sale of the stolen valid certificates to other criminal actors for use in signing malware.
In terms of tactics, CrossLock employed ransomware that encrypts files using the ChaCha20 algorithm combined with elliptic‑curve cryptography (ECC) for key management. The attackers exfiltrated a range of sensitive data, including SSL certificates, server databases, documents, and images, before leaking a portion of the stolen material to pressure the victim. They communicated directly with the victim, reported that negotiation attempts were made but no agreement was reached, and threatened to sell the certificates to gangs interested in signing malicious tools unless the ransom was paid. These observed behaviors constitute the currently verified TTPs associated with CrossLock.
