New Cylance Ransomware strain emerges, experts speculate about its notorious members

Visual representation of ransomware by showing encrypted files on a display
(Image credit: Shutterstock)

A new ransomware strain with the name 'Cylance Ransomware' has been unearthed by security researchers, in what could be a new lease of life for long-time threat actors.

Samples of the ransomware's payload have already been collected after successful attacks were launched on unnamed victims.

The Unit 42 threat intelligence division of Palo Alto Networks revealed the existence of the Cylance strain in the early hours of Friday morning, saying that it appears to be targeting both Windows and Linux machines.

Little information exists at present on the tactics or reach of Cylance, though it appears that the strain has emerged recently.

The ransom note left to victims has been published, including details of the threat actors' email addresses but not the ransom itself. The sum will most likely be revealed to the victim after they make contact with the attackers.

"All your files are encrypted, and currently unusable, but you need to follow our instructions. Otherwise, you can't return your data (never)," the note read.

"It's just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. It's not in our interests.

"To check the ability of returning files, we decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, it does not matter. But you will lose time and data, cause just we have the private key. time is more valuable than money."

The attackers also warn against attempting to change or restore files themselves, as it may damage their private key left by the attackers which could supposedly lead to data being lost forever.

Screenshots of the ransomware revealed a standard attack methodology in which files are encrypted and appended with a ‘.Cylance’ extension. A text document named ‘Read Me’ is also added to all affected file folders, containing the demands of the threat actor.

Users were quick to note that the threat group has copied the name of BlackBerry’s cyber security firm Cylance, which has long worked to prevent ransomware attacks on enterprises. The precise reasoning behind the name is not clear.

Who is behind CylanceRansomware?

New ransomware groups are often met with speculation by security researchers, who try to link them to known regions or former threat groups in order to get a bearing on their potential motivations and methodologies.

In a tweet, security expert Paul Melson suggested that the REvil ransomware group could be behind Cylance Ransomware as part of a “grudge”. He capitalised letters spelling out “REvil” in the tweet, heavily implying that he suspects the groups to be one and the same.

There is little to materialy connect Cylance and REvil, other than the fact that Cylance conducted research to identify and share REvil telemetry in the course of its security operations.

Renzon Cruz, principal consultant of response and forensics at Unit 42 told IT Pro that at present Cylance Ransomware shows no sign of code reuse from REvil.

The group, otherwise known as ‘Sodinokibi’, is a ransomware as a service (RaaS) gang with a long history of infamous attacks.

It has also gone through periods of intense activity and periods of downtime, with the later assumed to be a tactic to evade capture.


Enabling secure hybrid learning

Cyber security in Higher Education


The group was responsible for the devastating ransomware attack on Travelex in 2020, and separately demanded a $70 million ransom in the wake of a large supply chain attack on IT management software Kaseya.

In November 2021, international law enforcement agencies arrested a number of REvil gang members and shortly afterwards it was reported that US federal agencies had forced REvil servers offline.

Suspects were also arrested by Russian authorities, in a move that some experts dubbed “politically motivated”.

By April 2022, the group had apparently recouped members enough to resurface with a new ransomware operation, as researchers discovered REvil infrastructure back online. These suspicions were confirmed after the group claimed an attack on Chinese electricals manufacturer Midea Group, and dumped large amounts of stolen data online.

If REvil has started a parallel operation in the form of Cylance Ransomware, security teams could find success by putting in place preventative measures that worked on REvil in the past.

Unlike REvil, Cylance Ransomware does not appear to follow a double extortion model. This is when a company’s data is stolen by a ransomware group in addition to being encrypted, and the firm is asked to pay a sum or face its data being leaked online.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at or on LinkedIn.