Threat Actor Profile
Low
Cybercriminal
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (10)
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': None,
'firstseen': '2023-04-17T17:00:38.913266+00:00',
'group': 'crosslock',
'has_negotiations': False,
'has_ransomnote': False,
'lastseen': '2023-04-17T17:00:38.913266+00:00',
'locations': [{'available': False,
'fqdn': 'crosslock5cwfljbw4v37zuzq4talxxhyavjm2lufmjwgbpfjdsh56yd.onion',
'slug': 'http://crosslock5cwfljbw4v37zuzq4talxxhyavjm2lufmjwgbpfjdsh56yd.onion',
'title': 'Cross Lock - Data leak',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 0,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': False,
'locations': [{'available': False,
'fqdn': 'crosslock5cwfljbw4v37zuzq4talxxhyavjm2lufmjwgbpfjdsh56yd.onion',
'slug': 'http://crosslock5cwfljbw4v37zuzq4talxxhyavjm2lufmjwgbpfjdsh56yd.onion',
'title': 'Cross Lock - Data leak',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 0,
'ransomware_live_group': 'crosslock',
'tools': {},
'url': 'https://www.ransomware.live/group/crosslock',
'victims': 1,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'sub_technique': {'sub_technique_id': 'T1059.003',
'sub_technique_name': 'Windows Command Shell'},
'technique_details': 'Utilizes the Windows Command Shell for execution.',
'technique_id': 'T1059',
'technique_name': 'Command and Scripting Interpreter'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'sub_technique': {'sub_technique_id': 'T1055.012',
'sub_technique_name': 'Process Hollowing'},
'technique_details': 'Employs process hollowing to evade detection.',
'technique_id': 'T1055',
'technique_name': 'Process Injection'},
{'sub_technique': {'sub_technique_id': 'T1070.001',
'sub_technique_name': 'Clear Windows Event Logs'},
'technique_details': 'Clears Windows event logs to remove evidence.',
'technique_id': 'T1070',
'technique_name': 'Indicator Removal'}]},
{'tactic_id': 'TA0004',
'tactic_name': 'Privilege Escalation',
'techniques': [{'sub_technique': {'sub_technique_id': 'T1548.002',
'sub_technique_name': 'Bypass User Account Control'},
'technique_details': 'Bypasses User Account Control (UAC) to escalate privileges.',
'technique_id': 'T1548',
'technique_name': 'Abuse Elevation Control Mechanism'}]},
{'tactic_id': 'TA0007',
'tactic_name': 'Discovery',
'techniques': [{'technique_details': "Discovers system services running on the victim's machine.",
'technique_id': 'T1007',
'technique_name': 'System Service Discovery'},
{'technique_details': "Enumerates running processes on the victim's system.",
'technique_id': 'T1057',
'technique_name': 'Process Discovery'},
{'technique_details': "Enumerates files and directories on the victim's system.",
'technique_id': 'T1083',
'technique_name': 'File and Directory Discovery'}]},
{'tactic_id': 'TA0008',
'tactic_name': 'Lateral Movement',
'techniques': [{'sub_technique': {'sub_technique_id': 'T1021.002',
'sub_technique_name': 'SMB/Windows Admin Shares'},
'technique_details': 'Uses SMB/Windows Admin Shares to move laterally within the network.',
'technique_id': 'T1021',
'technique_name': 'Remote Services'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': "Encrypts data on the victim's system to extort payment.",
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'},
{'technique_details': 'Deletes volume shadow copies to prevent system recovery.',
'technique_id': 'T1490',
'technique_name': 'Inhibit System Recovery'}]}],
'url': 'https://www.ransomware.live/group/crosslock',
'victims': 1,
'vulnerabilities': []}