Cronus: Ransomware Threatening Bodily Harm
ID: a98e0a54-9c88-5088-a58f-24e54d78729f
STIX ID: report--a98e0a54-9c88-5088-a58f-24e54d78729f
Feed Name: Pulsedive Blog
This report analyses Cronus, a .NET ransomware family. Delivery starts with a malicious PayPal-themed document that triggers PowerShell to load the Cronus DLL. The DLL establishes persistence by copying itself to C:\Users\<USERNAME>\AppData\Local and adding a registry Run key, enumerates the file system while excluding specific folders and files, terminates targeted processes, and then encrypts a wide range of file types with AES-256 in CBC mode (larger files are encrypted in three parts), appending a random 5-character extension to each encrypted file. The dropped ransom note demands US$500 in Bitcoin and claims that data was exfiltrated, although public telemetry suggests limited observed activity.
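The two traits in that summary that a responder can hunt for without a sample are the persistence pattern (a Run key whose command points into the user's AppData\Local folder) and the encryption artefact (files whose names end in an appended 5-character extension). The script below is an added example written for this page, not code from the report or from Pulsedive. The Run-key value names and command strings, the AppData\Local allow-list, the list of legitimate 5-character extensions and the file names are all constructed for illustration; the report summary does not give the real Run-key value or the exact command line, so these are assumptions, not Cronus indicators.

```python
"""Hunting heuristics for the Cronus persistence and encryption traits.

Constructed example: the sample Run-key entries, allow-lists and file names
below are made up for illustration and are not verified Cronus indicators.
"""
import re

# Matches the per-user Local AppData folder inside any Windows path.
LOCAL_APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\", re.IGNORECASE)

# Illustrative allow-list (assumption): Local AppData subfolders where a Run
# entry is expected. Tune this to the software in your own estate.
KNOWN_GOOD_LOCAL = ("microsoft\\onedrive\\", "microsoft\\teams\\", "programs\\")

# Illustrative allow-list (assumption) of legitimate 5-character extensions,
# so that ordinary files are not mistaken for encrypted ones.
KNOWN_EXTS = {"xhtml", "mhtml", "plist", "class", "dylib", "phtml"}
EXT_RE = re.compile(r"\.([A-Za-z0-9]{5})$")

# Constructed Run-key entries (value name -> value data), in the shape you get
# from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
# "Updater" and "Sync" are hypothetical malicious-looking entries.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"C:\Users\alice\AppData\Local\svc\loader.dll",
    "Teams": r"C:\Program Files\Teams\teams.exe",
    "Sync": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,Start",
}

# Constructed directory listing: three files with an appended random-looking
# 5-character extension, two untouched files (one with a legitimate 5-char ext).
SAMPLE_FILES = [
    "report.docx.k3xq9",
    "budget.xlsx.a7zpm",
    "photo.jpg.q2w8e",
    "notes.txt",
    "page.xhtml",
]


def suspicious_run_entries(entries):
    """Return value names whose command references a path under the user's
    AppData\\Local folder that is not in the allow-list."""
    hits = []
    for name, command in entries.items():
        match = LOCAL_APPDATA_RE.search(command)
        if not match:
            continue
        # Everything after "AppData\Local\" is the subfolder-relative part.
        relative = command[match.end():].lower()
        if relative.startswith(KNOWN_GOOD_LOCAL):
            continue
        hits.append(name)
    return hits


def suspicious_extensions(filenames, min_ratio=0.5):
    """Flag files ending in an unknown 5-character extension and decide whether
    the directory looks encrypted (flagged share >= min_ratio)."""
    flagged = []
    for filename in filenames:
        match = EXT_RE.search(filename)
        if match and match.group(1).lower() not in KNOWN_EXTS:
            flagged.append(filename)
    ratio = len(flagged) / len(filenames) if filenames else 0.0
    return flagged, ratio >= min_ratio


if __name__ == "__main__":
    print("Run-key hits:", suspicious_run_entries(SAMPLE_RUN_ENTRIES))
    files, likely = suspicious_extensions(SAMPLE_FILES)
    print("Encrypted-looking files:", files, "directory likely encrypted:", likely)
```

On a live host you would feed `suspicious_run_entries` the parsed output of `reg query` for both HKCU and HKLM Run keys and `suspicious_extensions` an `os.listdir` of user document folders; the extension heuristic is only meaningful after encryption has started, so treat the Run-key check as the earlier signal of the two.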
