Because of its “poor design and programming,” a variant of the open-source Cryptonite ransomware toolkit has been seen in the wild behaving as a wiper. The original source code and its forks have since been taken down.
Unlike other ransomware strains, Cryptonite was previously distributed for free through a GitHub repository by an individual going by the moniker CYBERDEVILZ. The malware, written in Python, uses the Fernet module of the cryptography package to encrypt files, renaming each one with the “.cryptn8” extension.
A newer sample examined by Fortinet FortiGuard Labs, however, encrypts files and leaves no way to decrypt them, effectively acting as a data wiper.
This is not a deliberate change by the threat actor; it is the result of a lack of quality assurance. The program crashes when it tries to display the ransom note after encryption has finished.
Because the program throws an exception at that point, the operators never receive the key that was used to encrypt the files, so neither they nor the victim can recover the data.
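As an added illustration (not code from the Cryptonite sample or from Fortinet's analysis), the following Python mimics the flow described above on an in-memory "filesystem": a key generated only in process memory, files replaced by Fernet-framed tokens under a .cryptn8 name, and a crash before the key leaves the host. It then shows what a responder can still do with the leftover files: recognise them as Fernet tokens, read the encryption timestamp from the token header for the incident timeline, and test a candidate key (for instance one carved from a memory or crash dump) against the HMAC without needing AES at all. It uses only the standard library; the ciphertext bytes inside the sample tokens are constructed filler rather than real AES-CBC output, and the file names and contents are made up.

```python
import base64
import binascii
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

VERSION = 0x80           # first byte of every Fernet token
HEADER_LEN = 1 + 8 + 16  # version | 64-bit big-endian timestamp | 16-byte IV
MAC_LEN = 32             # trailing HMAC-SHA256


def fernet_key(raw: bytes) -> bytes:
    """Encode 32 raw bytes the way Fernet.generate_key() does (base64url)."""
    return base64.urlsafe_b64encode(raw)


def parse_fernet_token(token: bytes) -> Optional[dict]:
    """Split a base64url Fernet token into its fields, or return None.

    Layout: 0x80 | timestamp(8) | IV(16) | AES-128-CBC ciphertext | HMAC(32).
    Only the framing is checked, so this works on .cryptn8 files with no key.
    """
    try:
        raw = base64.urlsafe_b64decode(token)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < HEADER_LEN + 16 + MAC_LEN or raw[0] != VERSION:
        return None
    ciphertext = raw[HEADER_LEN:-MAC_LEN]
    if len(ciphertext) % 16:          # CBC output is always whole blocks
        return None
    (timestamp,) = struct.unpack(">Q", raw[1:9])
    return {
        "timestamp": timestamp,       # epoch seconds, set when the file was encrypted
        "iv": raw[9:25],
        "ciphertext": ciphertext,
        "mac": raw[-MAC_LEN:],
        "signed": raw[:-MAC_LEN],     # everything the HMAC covers
    }


def key_matches(fields: dict, candidate_key: bytes) -> bool:
    """Test a candidate Fernet key against a parsed token via the HMAC alone.

    A Fernet key is 32 random bytes, base64url-encoded: bytes 0-15 sign,
    bytes 16-31 encrypt. Recomputing the tag needs no AES, so a key carved
    from a dump can be checked before any decryption attempt.
    """
    try:
        raw_key = base64.urlsafe_b64decode(candidate_key)
    except (binascii.Error, ValueError):
        return False
    if len(raw_key) != 32:
        return False
    tag = hmac.new(raw_key[:16], fields["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(tag, fields["mac"])


def build_sample_token(key: bytes, timestamp: int, ciphertext: bytes) -> bytes:
    """Assemble a token with genuine Fernet framing and a genuine HMAC.

    The ciphertext is constructed filler for this demo, not AES output; a
    real token from the cryptography package is laid out identically.
    """
    raw_key = base64.urlsafe_b64decode(key)
    signed = bytes([VERSION]) + struct.pack(">Q", timestamp) + os.urandom(16) + ciphertext
    tag = hmac.new(raw_key[:16], signed, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(signed + tag)


def simulate_ransomware(fs: dict) -> None:
    """Mimic the described flow: the key lives only in this frame, every file
    is swapped for a .cryptn8 token, and the run dies before the key is sent."""
    key = fernet_key(os.urandom(32))
    for name in list(fs):
        data = fs.pop(name)
        filler = os.urandom((len(data) // 16 + 1) * 16)  # PKCS#7-sized placeholder
        fs[name + ".cryptn8"] = build_sample_token(key, int(time.time()), filler)
    raise RuntimeError("ransom note failed to render")  # key is now unreachable


def triage(fs: dict, candidate_keys: list) -> dict:
    """Per file: is it a Fernet token, when was it made, which candidate key fits."""
    report = {}
    for name, blob in fs.items():
        fields = parse_fernet_token(blob)
        if fields is None:
            report[name] = {"is_fernet": False}
            continue
        hits = [i for i, k in enumerate(candidate_keys) if key_matches(fields, k)]
        report[name] = {"is_fernet": True,
                        "encrypted_at": fields["timestamp"],
                        "key_index": hits[0] if hits else None}
    return report


def demo() -> dict:
    fs = {"report.docx": b"quarterly numbers",            # constructed victim files
          "photo.jpg": b"\xff\xd8\xff\xe0 jpeg bytes"}
    try:
        simulate_ransomware(fs)
    except RuntimeError:
        pass  # process died; the key went with it
    # With the real key gone, every guess fails the HMAC: nothing is decryptable.
    guesses = [fernet_key(b"\x00" * 32), fernet_key(b"A" * 32)]
    return triage(fs, guesses)


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

The timestamp field is worth pulling even when recovery is hopeless: Fernet stamps each token at encryption time, so the values across a victim's .cryptn8 files give the window in which the sample ran. The HMAC check is the cheap first step if memory forensics turns up a 44-character base64url string that might be the key.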
The findings come against the backdrop of a changing ransomware landscape in which wipers posing as file-encrypting ransomware are increasingly being used to destroy data with no possibility of decryption.
“The problem with this flaw is that, due to the design simplicity of the ransomware, if the program crashes — or is even closed — there is no way to recover the encrypted files,” Fortinet researcher Gergely Revay said.