New Cylance Ransomware strain emerges, experts speculate about its notorious members
The emerging threat actor shares the name of Blackberry's cyber security spinoff for unknown reasons


A new ransomware strain with the name 'Cylance Ransomware' has been unearthed by security researchers, in what could be a new lease of life for long-time threat actors.
Samples of the ransomware's payload have already been collected after successful attacks were launched on unnamed victims.
The Unit 42 threat intelligence division of Palo Alto Networks revealed the existence of the Cylance strain in the early hours of Friday morning, saying that it appears to be targeting both Windows and Linux machines.
Little information exists at present on the tactics or reach of Cylance, though it appears that the strain has emerged recently.
The ransom note left to victims has been published, including details of the threat actors' email addresses but not the ransom itself. The sum will most likely be revealed to the victim after they make contact with the attackers.
"All your files are encrypted, and currently unusable, but you need to follow our instructions. Otherwise, you can't return your data (never)," the note read.
"It's just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. It's not in our interests.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
"To check the ability of returning files, we decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, it does not matter. But you will lose time and data, cause just we have the private key. time is more valuable than money."
The attackers also warn against attempting to change or restore files themselves, as it may damage their private key left by the attackers which could supposedly lead to data being lost forever.
Screenshots of the ransomware revealed a standard attack methodology in which files are encrypted and appended with a ‘.Cylance’ extension. A text document named ‘Read Me’ is also added to all affected file folders, containing the demands of the threat actor.
Users were quick to note that the threat group has copied the name of BlackBerry’s cyber security firm Cylance, which has long worked to prevent ransomware attacks on enterprises. The precise reasoning behind the name is not clear.
Who is behind CylanceRansomware?
New ransomware groups are often met with speculation by security researchers, who try to link them to known regions or former threat groups in order to get a bearing on their potential motivations and methodologies.
In a tweet, security expert Paul Melson suggested that the REvil ransomware group could be behind Cylance Ransomware as part of a “grudge”. He capitalised letters spelling out “REvil” in the tweet, heavily implying that he suspects the groups to be one and the same.
There is little to materialy connect Cylance and REvil, other than the fact that Cylance conducted research to identify and share REvil telemetry in the course of its security operations.
Renzon Cruz, principal consultant of response and forensics at Unit 42 told IT Pro that at present Cylance Ransomware shows no sign of code reuse from REvil.
The group, otherwise known as ‘Sodinokibi’, is a ransomware as a service (RaaS) gang with a long history of infamous attacks.
It has also gone through periods of intense activity and periods of downtime, with the later assumed to be a tactic to evade capture.
RELATED RESOURCE
The group was responsible for the devastating ransomware attack on Travelex in 2020, and separately demanded a $70 million ransom in the wake of a large supply chain attack on IT management software Kaseya.
In November 2021, international law enforcement agencies arrested a number of REvil gang members and shortly afterwards it was reported that US federal agencies had forced REvil servers offline.
Suspects were also arrested by Russian authorities, in a move that some experts dubbed “politically motivated”.
By April 2022, the group had apparently recouped members enough to resurface with a new ransomware operation, as researchers discovered REvil infrastructure back online. These suspicions were confirmed after the group claimed an attack on Chinese electricals manufacturer Midea Group, and dumped large amounts of stolen data online.
If REvil has started a parallel operation in the form of Cylance Ransomware, security teams could find success by putting in place preventative measures that worked on REvil in the past.
Unlike REvil, Cylance Ransomware does not appear to follow a double extortion model. This is when a company’s data is stolen by a ransomware group in addition to being encrypted, and the firm is asked to pay a sum or face its data being leaked online.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.
-
How to implement a four-day week in tech
In-depth More companies are switching to a four-day week as they look to balance employee well-being with productivity
-
Intelligence sharing: The boost for businesses
In-depth Intelligence sharing with peers is essential if critical sectors are to be protected
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs