Design Flaw Accidentally Turns Open-Source Ransomware Toolkit into Wiper Malware

Researchers discovered that an open-source ransomware toolkit was accidentally converted into a data wiper due to architecture and programming faults.

Unlike other types of ransomware, which are usually sold via underground channels, the Python-written toolkit, dubbed Cryptonite, was available for free on CYBERDEVILZ’s GitHub repository. Cryptonite used Python’s Fernet symmetric encryption module, appending the “.cryptn8” extension to ciphered documents. GitHub recently took Cryptonite’s source code and all of its forks.

Fortinet researchers discovered a sample of the ransomware that acted like a wiper malware strain. The sample initially worked as expected, encrypting documents and attaching its specific file extension. However, the malicious executable never displayed the ransom note nor the decryption dialog that could’ve allowed victims to recover their files.

Closer analysis revealed that, while the sample does generate an encryption key, it never sends it to the threat actors. Even worse, the program can’t run in a “decryption-only” mode; attempting to execute it repeatedly just re-encrypts documents with a different key.

Last but not least, the program permanently deletes the key when it closes or encounters an exception. Researchers agreed that the ransomware wasn’t deliberately turned into a wiper; poor architecture and a lack of quality assurance apparently triggered the sample’s malfunction.

“Although we often complain about the increasing sophistication of ransomware samples, we can also see that oversimplicity and a lack of quality assurance can also lead to significant problems,” Fortinet writes in a security advisory. “On the positive side, however, this simplicity, combined with a lack of self-protection features, allows every anti-virus program to easily spot this malware.”

Last month, several organizations in Ukraine were hit by Somnia, a new strain of ransomware. Like Cryptonite’s crooked sample, Somnia lacked decryption capabilities. However, Somnia’s operators intentionally disabled the decryption feature, turning it into a wiper to further damage compromised systems.

Dedicated software such as Bitdefender Ultimate Security can keep you safe from ransomware and other cyberthreats thanks to its extensive list of features, including:

• Multi-layer ransomware protection that prevents ransomware attacks from harming your documents, videos, pictures and music
• All-around, continuous data protection against Trojans, worms, viruses, zero-day exploits, ransomware, spyware and other e-threats
• Behavioral detection module that thoroughly monitors active apps on your system and takes instant action upon detecting suspicious activity
• Network threat prevention technology that scans for suspicious network-level activities and blocks them before they can harm you