Open Source Ransomware Toolkit Cryptonite Turns Into Accidental Wiper Malware


Dec 06, 2022 | Ravie Lakshmanan | Endpoint Security / Data Security

A version of an open source ransomware toolkit called Cryptonite has been observed in the wild with wiper capabilities due to its “weak architecture and programming.”

Cryptonite, unlike other ransomware strains, is not available for sale on the cybercriminal underground, and was instead offered for free by an actor named CYBERDEVILZ until recently through a GitHub repository. The source code and its forks have since been taken down.

Written in Python, the malware employs the Fernet module of the cryptography package to encrypt files with a “.cryptn8” extension.


But a new sample analyzed by Fortinet FortiGuard Labs has been found to lock files with no option to decrypt them back, essentially acting as a destructive data wiper.

This change isn’t a deliberate act on the part of the threat actor; rather, it stems from a lack of quality assurance that causes the program to crash when attempting to display the ransom note after completing the encryption process.


“The problem with this flaw is that due to the design simplicity of the ransomware if the program crashes — or is even closed — there is no way to recover the encrypted files,” Fortinet researcher Gergely Revay said in a Monday write-up.

The exception thrown during the execution of the ransomware program also means that the “key” used to encrypt the files is never transmitted to the operators, thereby locking users out of their data.

The findings come against the backdrop of an evolving ransomware landscape where wipers under the guise of file-encrypting malware are being increasingly deployed to overwrite data without allowing for decryption.
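For responders triaging a host hit by the sample described above, the following added example (not from the article, Fortinet, or the malware's code) checks whether `.cryptn8` files are structurally valid Fernet tokens and reads the unencrypted creation timestamp each token carries, which supports timeline building even though the key is gone. It assumes each file holds one bare Fernet token as produced by the cryptography package; the function names are hypothetical.

```python
import base64
import struct
from datetime import datetime, timezone
from pathlib import Path

EXT = ".cryptn8"  # extension named in the article


def parse_fernet_token(data: bytes):
    """Return the token's creation time (UTC) if data is a well-formed
    Fernet token, else None. No key is needed: the timestamp is in the clear."""
    try:
        raw = base64.urlsafe_b64decode(data.strip())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Layout: version(1)=0x80 | timestamp(8, big-endian) | IV(16) |
    # AES-CBC ciphertext (non-empty multiple of 16) | HMAC-SHA256(32)
    if len(raw) < 1 + 8 + 16 + 16 + 32 or raw[0] != 0x80:
        return None
    if (len(raw) - 57) % 16 != 0:
        return None
    (ts,) = struct.unpack(">Q", raw[1:9])
    try:
        return datetime.fromtimestamp(ts, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        return None


def triage(root):
    """Map each *.cryptn8 file under root to its Fernet timestamp, or None
    when the content is not a structurally valid token.
    Assumption: the file body is one bare Fernet token."""
    results = {}
    for path in sorted(Path(root).rglob("*" + EXT)):
        results[str(path)] = parse_fernet_token(path.read_bytes())
    return results


if __name__ == "__main__":
    # Constructed sample: zeroed IV/ciphertext/HMAC, timestamp 2022-12-06 UTC.
    raw = b"\x80" + struct.pack(">Q", 1670284800) + bytes(64)
    print(parse_fernet_token(base64.urlsafe_b64encode(raw)))
```

A file that carries the extension but fails the structural check was renamed or truncated rather than fully encrypted, so it is worth examining separately during recovery.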
