A version of an open-source ransomware toolkit called Kryptonite has been spotted in the wild with wiping capabilities due to its “poor architecture and programming.”
Unlike other ransomware variants, Kryptonite is not available to cybercriminal underground markets and was instead offered for free by an actor named CYBERDEVILZ through a GitHub repository until recently. The source code and its sub-branches have since been removed.
Written in Python, this malware uses the Fernet module from the cryptography package to encrypt files, appending the “.cryptn8” extension to each one.
But a new sample analyzed by Fortinet FortiGuard Labs has been found to lock files without any option to decrypt them again, effectively turning it into a data wiper.
This change is not an intentional act by the threat actor, however, but the result of a lack of quality assurance: the program crashes when it tries to display the ransom note after the encryption process is complete.
“The problem with this flaw is that due to the simplicity of the ransomware’s design if the program crashes — or even shuts down — there’s no way to recover the encrypted files,” Fortinet researcher Gergely Revay said in a report Monday.
Because an exception is thrown during execution, the key used to encrypt the files is never passed on to the operators, leaving victims with no way to get their data back.
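A responder facing this failure mode cannot decrypt anything, but can still confirm which files are Fernet output and date the encryption run: a Fernet token carries its version byte, timestamp and IV in the clear. The following triage helper is an added example, not code from Fortinet or the Kryptonite repository; the “.cryptn8” suffix and Fernet layout come from the article and the public Fernet specification, while the file names, timestamps and directory snapshot are constructed.

```python
import base64, binascii, struct
from datetime import datetime, timezone
from typing import Dict, Optional

HEADER_LEN, HMAC_LEN = 1 + 8 + 16, 32  # version | timestamp | IV ... ciphertext ... HMAC

def parse_fernet_token(token: bytes) -> Optional[dict]:
    """Structural check only (no key, no HMAC check): Fernet's clear-text fields or None."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (binascii.Error, ValueError):
        return None
    ciphertext = raw[HEADER_LEN:-HMAC_LEN]
    # version byte 0x80, at least one AES block, and block-aligned CBC output
    if (len(raw) < HEADER_LEN + 16 + HMAC_LEN or raw[0] != 0x80
            or len(ciphertext) % 16):
        return None
    (ts,) = struct.unpack(">Q", raw[1:9])  # big-endian Unix seconds, unencrypted
    return {"timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
            "iv": raw[9:HEADER_LEN], "ciphertext_len": len(ciphertext)}

def _constructed_token(ts: int) -> bytes:
    # Constructed sample: real layout, dummy IV/ciphertext/HMAC, produced with no key.
    body = (bytes([0x80]) + struct.pack(">Q", ts) + b"\x11" * 16
            + b"\x22" * 32 + b"\x33" * 32)
    return base64.urlsafe_b64encode(body)

# Constructed directory snapshot standing in for an affected host (not real victim data).
SAMPLE_FILES: Dict[str, bytes] = {
    "report.docx.cryptn8": _constructed_token(1_700_000_000),
    "budget.xlsx.cryptn8": _constructed_token(1_700_000_090),
    "notes.txt": b"untouched plain text",
    "odd.cryptn8": base64.urlsafe_b64encode(b"x" * 100),  # suffix, but not Fernet output
}

def triage(files: Dict[str, bytes]) -> dict:
    """Confirm which '.cryptn8' files are Fernet output and date them from the
    embedded timestamps, which survive even though the key was never sent out."""
    hits, suffix_only = [], []
    for name, data in sorted(files.items()):
        if name.endswith(".cryptn8"):
            fields = parse_fernet_token(data)
            (hits if fields else suffix_only).append((name, fields))
    times = [f["timestamp"] for _, f in hits]
    return {"fernet_files": [n for n, _ in hits],
            "suffix_only": [n for n, _ in suffix_only],
            "first_encrypted": min(times, default=None),
            "last_encrypted": max(times, default=None)}
```

The first/last timestamps bound the encryption run for the incident timeline; files carrying the suffix but failing the structural check deserve a separate look, since the crashing build may leave partially written output.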
These findings come against the backdrop of an evolving ransomware landscape in which wipers disguised as file-encrypting malware are increasingly used to overwrite data with no option to decrypt it.