Open-Source Cryptor Cryptonite Became a Wiper due to a Bug


Fortinet researchers studied the recently appeared open-source cryptor Cryptonite, distributed for free on GitHub.

It turned out that the creator of the malware made a mistake in the code, and the malware did not encrypt, but destroyed the data of the victims.

Let me remind you that we also wrote about “FBI Says Cuba Ransomware ‘Made’ $60 Million by Attacking More Than 100 Organizations” and “Security Experts Secretly Helped Zeppelin Ransomware Victims for Two Years”.

Unlike other ransomware, Cryptonite was not sold on the darknet, but was distributed openly: it was published on GitHub by someone under the nickname CYBERDEVILZ (since then, the source code of the malware and its forks have already been removed).


The researchers say that the malware written in Python was extremely simple: it used the Fernet module to encrypt files and replaced their extension with .cryptn8.

The Cryptonite ransomware sample implements only basic ransomware functionality. The operator can set up a few things such as the exclusion list, server URL, email address, and bitcoin wallet. However, encryption and decryption are very simple and unreliable.

It also doesn’t provide any of the typical (but more sophisticated) ransomware features, such as:

  1. Removing Windows Shadow Copy
  2. Unlock files for more thorough exposure
  3. Anti-analysis
  4. Defensive evasion (bypass AMSI, disable event logging, etc.)

While this ransomware variant has given newcomers easy access to the cybercriminal business, it is not a serious tool.

However, something went wrong in the latest version of the malware: the Cryptonite sample the experts studied locked files beyond recovery, in effect acting as a wiper.

The researchers say that the destructive behavior of the malware was not intended by its author. Rather, it is the result of the author's lack of skill: errors in the code cause the program to crash when it tries to display the ransom note (after the encryption process has completed).

“The problem is that, due to the simple design of the ransomware program, after the program crashes (or even if it closes), it is no longer possible to recover encrypted files,” the researchers explain.


In addition, an error during the encryptor's execution means that the key used to encrypt the files is never transmitted to the malware operator at all. As a result, the victim’s data is locked completely and permanently.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
