The Cryptonite open-source ransomware toolkit has been observed turning itself into a data wiper. The transformation is accidental: it is caused by poor architecture and programming flaws.
The findings come amid a developing ransomware scenario in which wipers disguised as file-encrypting malware are increasingly being used to destroy data without permitting decryption.
Details About the Cryptonite Ransomware Toolkit
The Cryptonite toolkit is not sold; it is publicly available open-source ransomware. It was provided for free by a threat actor named CYBERDEVILZ through a GitHub repository. Since then, the ransomware’s source code and its 41 forks have been taken down from GitHub.
“Written in Python, the malware employs the Fernet module of the cryptography package to encrypt files with a ‘.cryptn8’ extension,” according to The Hacker News.
The program itself is a fairly basic piece of ransomware with limited functionality.
The operator can configure a few things, such as an exclusion list, server URL, email address, and bitcoin wallet. However, the encryption and decryption are very simple and not robust.
The Transformation into a Wiper
Researchers at FortiGuard Labs discovered a sample of the Cryptonite ransomware toolkit that acts as a data wiper: it encrypts files and never offers a way to decrypt them afterward.
This was not the intention of the cybercriminals who designed the malware; the behaviour is caused by weak programming. The malware crashes after the encryption process, when it tries to deliver the ransom note.
The ransomware was not intentionally turned into a wiper. Instead, a lack of quality assurance led to a sample that did not work correctly. The flaw is made worse by the simplicity of the ransomware’s design: if the program crashes, or is even closed, there is no way to recover the encrypted files.
The Cryptonite ransomware never sends the decryption key to the operator. Instead, each time it is executed it re-encrypts everything with a different key before offering decryption to the victim, which effectively locks users out of their data.
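The following added example (not Cryptonite’s code, and not from FortiGuard Labs or The Hacker News) illustrates in memory why this design behaves as a wiper: a Fernet key generated per run and held only in process memory is gone after a crash, and a second run’s key only strips the outer encryption layer. It also includes a triage check responders can use, since every Fernet token begins with the fixed base64url prefix "gAAAAA"; the sample content and function names are assumptions.

```python
from typing import Optional, Tuple

from cryptography.fernet import Fernet, InvalidToken

# Constructed sample content standing in for a victim file (not real data).
SAMPLE = b"quarterly-report: revenue 1.2M, headcount 40"


def encrypt_once(data: bytes) -> Tuple[bytes, bytes]:
    """One run of the flawed design: a fresh key is generated, the data is
    encrypted, and the key exists only in this process's memory."""
    key = Fernet.generate_key()
    return Fernet(key).encrypt(data), key


def looks_like_fernet(blob: bytes) -> bool:
    """Triage helper: a Fernet token starts with version byte 0x80 followed by
    a timestamp whose high bytes are zero, so it always encodes to 'gAAAAA'."""
    return blob.startswith(b"gAAAAA")


def decrypt_or_none(blob: bytes, key: Optional[bytes]) -> Optional[bytes]:
    """Decrypt with the given key, or return None if the key is missing or wrong."""
    if key is None:
        return None
    try:
        return Fernet(key).decrypt(blob)
    except InvalidToken:
        return None


def crash_scenario(plaintext: bytes) -> Optional[bytes]:
    """Run 1 encrypts, then the process crashes before delivering the ransom
    note. The key was never written anywhere, so nothing can be recovered."""
    blob, key = encrypt_once(plaintext)
    key = None  # the crash discards the only copy of the key
    return decrypt_or_none(blob, key)


def rerun_scenario(plaintext: bytes) -> Tuple[Optional[bytes], bool]:
    """Run 1 encrypts with K1 and loses it; run 2 encrypts the already
    encrypted blob with K2 and then offers decryption. Decrypting with K2
    only removes the outer layer: the result is still the K1 ciphertext."""
    blob1, _lost_k1 = encrypt_once(plaintext)
    blob2, k2 = encrypt_once(blob1)
    result = decrypt_or_none(blob2, k2)
    return result, result == plaintext
```

The only recovery path in either scenario is a backup taken before the first run; the prefix check helps responders recognise Fernet-encrypted files during triage.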