Heimdal

The open-source Cryptonite ransomware toolkit has been observed behaving as a data wiper. The transformation is accidental, caused by poor architecture and programming flaws.

The findings come amid an evolving ransomware landscape in which wipers disguised as file-encrypting malware are increasingly being used to destroy data without permitting decryption.

Details About the Cryptonite Ransomware Toolkit

The Cryptonite toolkit is not sold; it is publicly available open-source ransomware, released for free by a threat actor named CYBERDEVILZ through a GitHub repository. The ransomware's source code and its 41 forks have since been taken down from GitHub.

“Written in Python, the malware employs the Fernet module of the cryptography package to encrypt files with a ‘.cryptn8’ extension,” according to The Hacker News.

But this program is quite a basic ransomware with few functionalities.

The operator can configure a few things, such as an exclusion list, server URL, email address, and bitcoin wallet. However, the encryption and decryption are very simple and not robust.

Source

The Transformation into a Wiper

Researchers at FortiGuard Labs discovered a sample of the Cryptonite ransomware toolkit that acts like a data wiper: it locks files and never gives the option to decrypt them afterward.

This was not the intention of the cybercriminals who designed the malware; the behavior is caused by weak programming. The malware crashes after the encryption process, when it tries to deliver the ransom note.

The ransomware was not intentionally turned into a wiper. Instead, the lack of quality assurance led to a sample that did not work correctly. The problem with this flaw is that due to the design simplicity of the ransomware if the program crashes—or is even closed—there is no way to recover the encrypted files.

Source

The Cryptonite ransomware never sends the decryption key to the operator. Instead, it re-encrypts everything using a different key each time it is executed before offering decryption to the victim, effectively locking users out of their data.
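Since the key is lost, incident responders are limited to scoping the damage. Fernet tokens carry an unencrypted creation timestamp, so the following Python (an added example, not code from the article or from Cryptonite) checks whether `.cryptn8` files have the Fernet token layout and reads when the outer layer was written. It assumes each encrypted file holds a bare Fernet token, and the function names are illustrative.

```python
import base64
import struct
from datetime import datetime, timezone
from pathlib import Path

FERNET_VERSION = 0x80          # first byte of every Fernet token
HEADER_LEN = 1 + 8 + 16        # version + big-endian timestamp + AES-CBC IV
HMAC_LEN = 32                  # trailing HMAC-SHA256


def fernet_timestamp(blob: bytes):
    """Return the UTC creation time if blob is shaped like a Fernet token, else None."""
    try:
        raw = base64.urlsafe_b64decode(blob.strip())
    except ValueError:
        return None
    body_len = len(raw) - HEADER_LEN - HMAC_LEN
    # Ciphertext is PKCS7-padded AES-CBC: at least one block, whole blocks only.
    if not raw or raw[0] != FERNET_VERSION or body_len < 16 or body_len % 16:
        return None
    (seconds,) = struct.unpack(">Q", raw[1:9])
    try:
        return datetime.fromtimestamp(seconds, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        return None


def triage(root, suffix=".cryptn8"):
    """Map each file under root with the given suffix to its token timestamp (or None)."""
    return {p: fernet_timestamp(p.read_bytes())
            for p in sorted(Path(root).rglob("*" + suffix)) if p.is_file()}


def constructed_token(seconds: int, blocks: int = 2) -> bytes:
    """Constructed sample: right layout, filler bytes instead of real ciphertext/HMAC."""
    raw = bytes([FERNET_VERSION]) + struct.pack(">Q", seconds)
    raw += b"\x11" * 16 + b"\x22" * (16 * blocks) + b"\x33" * HMAC_LEN
    return base64.urlsafe_b64encode(raw)


if __name__ == "__main__":
    sample = constructed_token(1670000000)
    print(fernet_timestamp(sample))               # layout matches
    print(fernet_timestamp(b"plain text file"))   # not a token
```

The timestamp comes from the clock of the machine that performed the encryption, so treat it as one input to a timeline rather than ground truth. A `None` result for a `.cryptn8` file means the content is not a bare token and needs manual inspection.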


Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her ONG, cultural, and media background to this job.
