{"id":6031,"date":"2022-12-10T01:12:22","date_gmt":"2022-12-09T21:42:22","guid":{"rendered":"http:\/\/uucert.com\/en\/?p=6031"},"modified":"2022-12-14T11:35:50","modified_gmt":"2022-12-14T08:05:50","slug":"%d8%aa%d8%a8%d8%af%db%8c%d9%84-%d8%a8%d8%a7%d8%ac-%d8%a7%d9%81%d8%b2%d8%a7%d8%b1-%d9%85%d8%aa%d9%86-%d8%a8%d8%a7%d8%b2-cryptonite-%d8%a8%d9%87-%d8%a8%d8%af%d8%a7%d9%81%d8%b2%d8%a7%d8%b1-%d9%be%d8%a7","status":"publish","type":"post","link":"http:\/\/uucert.com\/en\/\u0628\u0627\u06cc\u06af\u0627\u0646\u06cc\/6031","title":{"rendered":"Cryptonite Open-Source Ransomware Turns Into Accidental Wiper Malware"},"content":{"rendered":"<p>A version of an open-source ransomware toolkit called Cryptonite has been spotted in the wild with wiping capabilities due to its &#8220;poor architecture and programming.&#8221;<\/p>\n<p>Unlike other ransomware variants, Cryptonite is not available on cybercriminal underground markets and was instead offered for free by an actor named CYBERDEVILZ through a GitHub repository until recently. 
The source code and its forks have since been removed.<\/p>\n<p>Written in Python, this malware uses the Fernet module from the crypto package to encrypt files, which receive the &#8220;.cryptn8&#8221; extension.<\/p>\n<p>But a new sample analyzed by Fortinet FortiGuard Labs locks files without any option to decrypt them again, essentially acting as a malicious data wiper.<\/p>\n<p>This change is not an intentional act by the threat actor; it stems from a lack of quality assurance that causes the program to crash when it tries to display the ransom note after the encryption process is complete.<\/p>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"728\" height=\"189\" src=\"http:\/\/uucert.com\/en\/wp-content\/uploads\/key.webp\" alt=\"\" class=\"wp-image-6032\" srcset=\"http:\/\/uucert.com\/en\/wp-content\/uploads\/key.webp 728w, http:\/\/uucert.com\/en\/wp-content\/uploads\/key-300x78.webp 300w, http:\/\/uucert.com\/en\/wp-content\/uploads\/key-100x26.webp 100w\" sizes=\"auto, (max-width: 728px) 100vw, 728px\" \/><\/figure>\n<\/div>\n\n\n<p>&#8220;The problem with this flaw is that due to the simplicity of the ransomware&#8217;s design, if the program crashes \u2014 or even closes \u2014 there&#8217;s no way to recover the encrypted files,&#8221; Fortinet researcher Gergely Revay said in a report Monday.<\/p>\n<p>An exception thrown during the execution of the ransomware means that the &#8220;key&#8221; used to encrypt the files is never passed on to the operators, thus depriving users of their data.<\/p>\n<p>These findings come against the backdrop of an evolving ransomware landscape, where wipers disguised as file-encrypting malware are increasingly being used to overwrite data with no way to decrypt it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A version of an open-source ransomware toolkit called Cryptonite 
has been spotted in the wild with wiping capabilities due to its &#8220;poor architecture and programming.&#8221; Unlike other ransomware variants, Cryptonite is not available on cybercriminal underground markets and was instead offered for free by an actor named CYBERDEVILZ through a GitHub repository until recently. The source code and its forks have since been removed. Written in Python, this malware uses the Fernet module from the crypto package to encrypt files, which receive the &#8220;.cryptn8&#8221; extension. But a new sample analyzed&hellip;<\/p>\n","protected":false},"author":1,"featured_media":6033,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,37,52,19],"tags":[],"class_list":["post-6031","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-16","category-37","category-trends","category-19"],"gutentor_comment":0,"_links":{"self":[{"href":"http:\/\/uucert.com\/en\/wp-json\/wp\/v2\/posts\/6031","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/uucert.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/uucert.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/uucert.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/uucert.com\/en\/wp-json\/wp\/v2\/comments?post=6031"}],"version-history":[{"count":6,"href":"http:\/\/uucert.com\/en\/wp-json\/wp\/v2\/posts\/6031\/revisions"}],"predecessor-version":[{"id":6106,"href":"http:\/\/uucert.com\/en\/wp-json\/wp\/v2\/posts\/6031\/revisions\/6106"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/uucert.com\/en\/wp-json\/wp\/v2\/media\/6033"}],"wp:attachment":[{"href":"http:\/\/uucert.com\/en\/wp-json\/wp\/v2\/media?parent=6031"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/uucert.com\/en\/wp-json\/wp\/v2\/categories?post=6031"},{"taxonomy":"post_tag","embeddabl
e":true,"href":"http:\/\/uucert.com\/en\/wp-json\/wp\/v2\/tags?post=6031"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}