Open-source ransomware toolkit resurfaces as Accidental Wiper Malware

Share post:

Fortinet researchers observed a sample of malware with wiper capabilities in the wild created with the publicly available open-source ransomware toolkit, Cryptonite, due to its weak architecture and programming. It also revealed that it never displays the decryption window, instead acting as a wiper.

Cryptonite, which shares its name with a Chaos ransomware variant, is a ransomware kit that exists as FOSS (Free and Open-Source Software) and is available for download by anyone with the skills to deploy it rather than being available for sale on the criminal underground.

Cryptonite is written in Python and requires some configuration before it can be packaged and deployed. In order for the malware to function properly, a server must be configured and running to receive input from the executable running on the victim’s machine. The dynamic analysis of the code reveals that the ransomware crashes when it tries to use the tkinter library in the warningScreen() function.

The malware is packaged with PyInstaller, which includes all of the files required to run Python code on a given system. PyInstaller then places these files in a folder with a random name in the victim’s Windows Temp folder. PyInstaller checks for an active Internet connection and shuts down if one is not detected after depositing the necessary files and starting the Cryptonite process.

If an Internet connection is available, it will start encrypting the targeted system. It displays a screen indicating that it is attempting to download a software update, followed by a status bar displaying the installation percentage, which is merely a ruse. Initially, Cryptonite is searching through the system for files to encrypt. This can be demonstrated using a snippet of code. Eventually , it allows some basic configurations, such as changing the exclusion list, server URL, email address, and bitcoin wallet.

Experts also reported an increase in ransomware that has been intentionally converted into wiper malware; this malicious code is primarily used in politically motivated campaigns.

The sources for this piece include an article in TheHackerNews.

Featured Tech Jobs



Related articles

Gartner debunks myths undermining cybersecurity success

Henrique Teixeira, Senior Director Analyst at Gartner, and Leigh McMullen, Distinguished VP Analyst at Gartner, highlighted and disproved...

Toyota discloses customer data breach

Toyota has disclosed that customer information from Japan and other countries in Asia and Oceania was publicly available...

Critical Vulnerability found in MOVEit

Progress Software has warned about a critical vulnerability in its popular file-transfer software, MOVEit, which could allow malicious...

Canadian Defence Minister concerned over increasing cyberattacks

Canadian Defence Minister Anita Anand has issued a warning that the country's key infrastructure is more vulnerable to...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways