Open-source ransomware toolkit resurfaces as Accidental Wiper Malware

Share post:

Fortinet researchers observed a sample of malware with wiper capabilities in the wild created with the publicly available open-source ransomware toolkit, Cryptonite, due to its weak architecture and programming. It also revealed that it never displays the decryption window, instead acting as a wiper.

Cryptonite, which shares its name with a Chaos ransomware variant, is a ransomware kit that exists as FOSS (Free and Open-Source Software) and is available for download by anyone with the skills to deploy it rather than being available for sale on the criminal underground.

Cryptonite is written in Python and requires some configuration before it can be packaged and deployed. In order for the malware to function properly, a server must be configured and running to receive input from the executable running on the victim’s machine. The dynamic analysis of the code reveals that the ransomware crashes when it tries to use the tkinter library in the warningScreen() function.

The malware is packaged with PyInstaller, which includes all of the files required to run Python code on a given system. PyInstaller then places these files in a folder with a random name in the victim’s Windows Temp folder. PyInstaller checks for an active Internet connection and shuts down if one is not detected after depositing the necessary files and starting the Cryptonite process.

If an Internet connection is available, it will start encrypting the targeted system. It displays a screen indicating that it is attempting to download a software update, followed by a status bar displaying the installation percentage, which is merely a ruse. Initially, Cryptonite is searching through the system for files to encrypt. This can be demonstrated using a snippet of code. Eventually , it allows some basic configurations, such as changing the exclusion list, server URL, email address, and bitcoin wallet.

Experts also reported an increase in ransomware that has been intentionally converted into wiper malware; this malicious code is primarily used in politically motivated campaigns.

The sources for this piece include an article in TheHackerNews.

SUBSCRIBE NOW

Related articles

Cyber Security Today, May 24, 2024 – A threat actor leverages Windows BitLocker in ransomware attacks, beware of ORB networks, and more

A threat actor leverages Windows BitLocker in ransomware attacks, beware of ORB networks, and more. Welcome to Cyber Security...

Canada centralizing cybersecurity efforts of federal IT departments

Federal departments and agencies are making only marginal progress in improving their cyber maturity, Ottawa said Wednesday as...

Cyber Security Today, May 22, 2024 – LockBit ransomware gang hits more victims, Fluent Bit servers need to be updated, and more

LockBit ransomware gang hits more victims, Fluent Bit servers need to be updated, and more. Welcome to Cyber Security...

Google criticizes Microsoft’s security practices in new report

Google has publicly criticized Microsoft for a series of security missteps, suggesting that organizations might consider more secure...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways