Cylance Ransomware Family Emerges with Both Linux and Windows Versions


March 31, 2023


A new ransomware family, dubbed Cylance Ransomware by its developers, has emerged touting both Windows and Linux targeting capabilities, with samples in the wild and indications that active attacks are underway.

“The Unit 42 threat intelligence division of Palo Alto Networks revealed the existence of the Cylance strain in the early hours of Friday morning, saying that it appears to be targeting both Windows and Linux machines,” IT Pro reports.

“Little information exists at present on the tactics or reach of Cylance, though it appears that the strain has emerged recently.”

Takeaway: Jon Miller, CEO and co-founder of Halcyon, views the emergence of this ransomware as part of a trend in which attackers are going after Linux systems:

"The emergence of yet another ransomware strain is not surprising. Ransomware operations will continue to come and go, but the imminent threat of ransomware will persist. While this new variant has a catchy name that mirrors a security product, it's just a branding ploy by the developers that does not have any real significance. What is interesting though is that this strain emerged with both Windows and Linux versions. While more groups have been developing Linux versions recently, not much attention has been paid to what this trend means for the ransomware threat landscape," said Jon Miller, CEO and co-founder of Halcyon.

"Groups like LockBit, IceFire, Black Basta, and Cl0p all have developed Linux targeting capabilities, which makes the likelihood of a really widespread, disruptive ransomware attack in the near future something to be concerned about. While Linux has a much smaller footprint than Windows systems overall, Linux arguably runs the most important systems, including the vast majority of web servers, a good chunk of embedded and IoT devices used in manufacturing and energy, almost every smartphone and supercomputer, almost all of the US government and military systems, and pretty much all of the critical backbone systems in any large network."

Despite this, we barely see mention of Linux ransomware advancements in the media, either as they are developed or in unique cases like Cylance Ransomware, where the Linux version was developed at the same time as the code for Windows. This is very unusual.

The takeaway here is that any organization running critical Linux distributions should start preparing to defend these systems, which until recently were rarely targeted. Linux systems have very few security solution options available to adequately defend them, and virtually none that focus on stopping ransomware specifically.

The targeting of Linux systems has the potential to cause a serious disruption beyond the scale of what we saw in the Colonial Pipeline attack. The consequences of not redoubling our efforts to defend Linux systems could prove catastrophic.

Halcyon is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.