Fortinet researchers observed a sample of malware with wiper capabilities in the wild created with the publicly available open-source ransomware toolkit, Cryptonite, due to its weak architecture and programming. It also revealed that it never displays the decryption window, instead acting as a wiper.
Cryptonite, which shares its name with a Chaos ransomware variant, is a ransomware kit that exists as FOSS (Free and Open-Source Software) and is available for download by anyone with the skills to deploy it rather than being available for sale on the criminal underground.
Cryptonite is written in Python and requires some configuration before it can be packaged and deployed. In order for the malware to function properly, a server must be configured and running to receive input from the executable running on the victim’s machine. The dynamic analysis of the code reveals that the ransomware crashes when it tries to use the tkinter library in the warningScreen() function.
The malware is packaged with PyInstaller, which includes all of the files required to run Python code on a given system. PyInstaller then places these files in a folder with a random name in the victim’s Windows Temp folder. PyInstaller checks for an active Internet connection and shuts down if one is not detected after depositing the necessary files and starting the Cryptonite process.
If an Internet connection is available, it will start encrypting the targeted system. It displays a screen indicating that it is attempting to download a software update, followed by a status bar displaying the installation percentage, which is merely a ruse. Initially, Cryptonite is searching through the system for files to encrypt. This can be demonstrated using a snippet of code. Eventually , it allows some basic configurations, such as changing the exclusion list, server URL, email address, and bitcoin wallet.
Experts also reported an increase in ransomware that has been intentionally converted into wiper malware; this malicious code is primarily used in politically motivated campaigns.
The sources for this piece include an article in TheHackerNews.
