Crosslock Ransomware Group

Crosslock is a ransomware/extortion group operating a dark web leak site for victim data publication. This profile covers the group's operations, tactics, known campaigns, and defensive recommendations. This report provides Mjolnir Security's analysis of the group's operations, extortion model, known targeting, and recommended defenses.

Overview

Crosslock is a ransomware and/or data extortion operation tracked by Mjolnir Security. The group maintains a presence on the dark web where victim data is published to pressure payment. Operations typically involve double extortion: encrypting victim systems and threatening to leak stolen data.

Tactics & Techniques

Common MITRE ATT&CK techniques observed in ransomware operations like Crosslock:

Detection & Defense

Recommended defenses against Crosslock and similar ransomware groups:

• Offline backups: Maintain tested, immutable backups disconnected from production networks
• EDR/XDR: Deploy endpoint detection with behavioral ransomware protection and rollback
• Network segmentation: Limit lateral movement and isolate critical systems
• MFA everywhere: Enforce multi-factor authentication on all remote access and admin accounts
• Patch management: Prioritize patching of internet-facing appliances (VPN, Exchange, etc.)
• Incident response plan: Maintain and test a ransomware-specific IR playbook

How Mjolnir Security Can Help