Open-source ransomware toolkit resurfaces as Accidental Wiper Malware

Share post:

Fortinet researchers observed a sample of malware with wiper capabilities in the wild created with the publicly available open-source ransomware toolkit, Cryptonite, due to its weak architecture and programming. It also revealed that it never displays the decryption window, instead acting as a wiper.

Cryptonite, which shares its name with a Chaos ransomware variant, is a ransomware kit that exists as FOSS (Free and Open-Source Software) and is available for download by anyone with the skills to deploy it rather than being available for sale on the criminal underground.

Cryptonite is written in Python and requires some configuration before it can be packaged and deployed. In order for the malware to function properly, a server must be configured and running to receive input from the executable running on the victim’s machine. The dynamic analysis of the code reveals that the ransomware crashes when it tries to use the tkinter library in the warningScreen() function.

The malware is packaged with PyInstaller, which includes all of the files required to run Python code on a given system. PyInstaller then places these files in a folder with a random name in the victim’s Windows Temp folder. PyInstaller checks for an active Internet connection and shuts down if one is not detected after depositing the necessary files and starting the Cryptonite process.

If an Internet connection is available, it will start encrypting the targeted system. It displays a screen indicating that it is attempting to download a software update, followed by a status bar displaying the installation percentage, which is merely a ruse. Initially, Cryptonite is searching through the system for files to encrypt. This can be demonstrated using a snippet of code. Eventually , it allows some basic configurations, such as changing the exclusion list, server URL, email address, and bitcoin wallet.

Experts also reported an increase in ransomware that has been intentionally converted into wiper malware; this malicious code is primarily used in politically motivated campaigns.

The sources for this piece include an article in TheHackerNews.

SUBSCRIBE NOW

Related articles

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Kaspersky’s exit from US market frightens some customers

Kaspersky, the Russian cybersecurity firm, has unexpectedly removed its antivirus software from U.S. customers' computers, replacing it with...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways