Ransomware Toolkit Cryptonite turning into an accidental wiper

Researchers spotted a version of the open-source ransomware toolkit Cryptonite that doesn’t support decryption capabilities.

Fortinet researchers discovered a sample of malware generated with the publicly available open-source ransomware toolkit Cryptonite that never offers the decryption window, turning it as a wiper. The experts also reported an increase in ransomware intentionally turned into wiper malware, these malicious code are mainly employed in politically-motivated campaigns.

The ransomware toolkit was published on GitHub by a threat actor that goes under the name CYBERDEVILZ. Fortinet noticed that after one of its Ransomware Roundup series the source code and its forks have since been taken down.

The researchers believe that the toolkit isn’t a serious tool, it only implements a limited set of ransomware functionalities.

The encryption and decryption are not robust and the ransomware lack features like Windows Shadow Copy removal, File unlocking for a more thorough impact, Anti-analysis, and Defensive evasion (AMSI bypass, disabling event logging, etc.).

The sample analyzed by the expert masquerades as a software update, it shows a progress bar that represents the progress of encryption.

The sample is written in python and is bundled with pyinstaller into an executable, static analysis of the code revealed that the authors removed a portion of code used to enumerate the filesystem breaking the program’s functionality.

The dynamic analysis of the code shows program crashes when the ransomware tries to use the tkinter library in the warningScreen()function.

“The traceback shows that the ransomware fails when it tries to use the tkinter library in the warningScreen()function. At this point in this ransomware, the encryption process has already finished. The warningScreen() should show the ransom note and allow the victim to start the decryption.” reads the analysis published by Fortinet. “We can now see that the ransomware was not intentionally turned into a wiper. Instead, the lack of quality assurance led to a sample that did not work correctly. The problem with this flaw is that due to the design simplicity of the ransomware if the program crashes—or is even closed—there is no way to recover the encrypted files.”

The malware uses the Fernet module of the cryptography package to encrypt files.

“This sample demonstrates how a ransomware’s weak architecture and programming can quickly turn it into a wiper that does not allow data recovery. Although we often complain about the increasing sophistication of ransomware samples, we can also see that oversimplicity and a lack of quality assurance can also lead to significant problems.” concludes the report. “On the positive side, however, this simplicity, combined with a lack of self-protection features, allows every anti-virus program to easily spot this malware.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cryptonite ransomware toolkit)

[adrotate banner=”5″]

[adrotate banner=”13″]