Threat Research

Ransomware Roundup: Cryptonite Ransomware

By Shunichi Imano and James Slaughter | November 23, 2022

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This latest edition of the Ransomware Roundup covers Cryptonite ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High

Cryptonite Ransomware Overview

Cryptonite (not to be confused with the Chaos ransomware variant, also named Cryptonite) is a ransomware kit that exists as FOSS (Free and Open-Source Software). Unusually, it is available to download by anyone with the skills to deploy it (as opposed to being available for sale on the criminal underground).

Figure 1. Cryptonite’s web page and benefits.

Cryptonite is coded in Python and requires some configuration ahead of being packaged and made ready for deployment. In addition, a server must also be configured and running to receive input from the executable running on a victim’s machine for the malware to work properly.

Figure 2. Cryptonite’s configuration requirements.

As seen in Figure 1, the commented text suggests using the provided exeGen Python script to make the initial configuration easier. Items that need to be provided are typical ransomware requirements, such as a Bitcoin wallet address with the amount of Bitcoin to ransom, a contact e-mail so victims can obtain a decryption key, and a configurable file extension for the encrypted files.

Also, a list of directories to avoid encrypting can be seen. This is required to prevent making the system inoperable and voiding the possibility of someone paying the ransom.

Figure 3. exeGen.py script providing options for building and packaging the Cryptonite executable.

The exeGen script prevents the prospective threat actor from having to edit the source code themselves by allowing them to change the configuration via a handy GUI.

As seen in the figure above, there is a field labeled “NGROK URL:”. This refers to the requirement for an attacker to set up and use NGrok, which is effectively a legitimate reverse proxy service that many companies use to test their development systems. It makes it appear that the local infrastructure is attached to a sub-domain of “ngrok.com” and not the attacker’s actual location and IP address.

Figure 4. Python Code for the Cryptonite server class showing items of interest to be retrieved.

This NGrok requirement is for the Cryptonite server component, which is simply a basic Python web server attached to an SQL Lite database. It listens for victim machines that are reporting in and captures things like a unique ID for victims along with their IP address and general location.

 

Cryptonite Ransomware Execution

Coding in Python makes development very fast and easy. However, because it is an interpreted language, the Python interpreter must be installed on any machine attempting to run a script. Since this cannot be guaranteed, Cryptonite is packaged using PyInstaller, which contains all the necessary files to deploy Python code on a given system.

PyInstaller initially deposits these files in a randomly named folder in the victim’s Windows Temp folder.

Figure 5. PyInstaller depositing files into the Windows Temp folder.

 

Once PyInstaller has deposited the necessary files and kicked off the Cryptonite process, it checks for an active Internet connection and shuts down if one is not detected.

Figure 6. Cryptonite will throw an error if an active Internet connection is not present.

If an Internet connection is present, it begins encrypting the targeted system. It presents a screen indicating that it is attempting to download a software update, followed by a status bar showing the percentage of the installation. This, however, is just a decoy and does not represent what the software is doing.

Figure 7. Cryptonite will present a terminal showing an update's false download and installation.

In actuality, Cryptonite is searching through the system, looking for files to encrypt. This can be demonstrated with a snippet of the code used. Note the matching strings from Figure 7.

Figure 8. Actual activities while Cryptonite is “Installing Updates.”

The method Cryptonite uses to encrypt files is via the Python Cryptography module. It uses an implementation of Fernet (https://cryptography.io/en/latest/fernet/) to provide 128-bit AES against the whole of a targeted file.

Figure 9. Python import section showing Fernet.

Encrypted files have their extensions changed to “.cryptn8” by default. However, as Figure 3 shows, this could be configured to anything should the attacker choose to change it.

Figure 10. Encrypted files on a victim system.

Once all files have been encrypted, Cryptonite tries to identify where the victim is in the world from their IP address using “ipinfo.io” and attempts to phone home. It connects to the aforementioned “ngrok.io” to pass the victim’s details back to the attacker.

Figure 11. Cryptonite’s outbound connections.

Finally, a ransom window is created on the victim’s device that contains the attacker’s details, as shown in Figure 3.

Figure 12. Ransom window

The victim can enter their decryption key should they contact the attacker and pay the ransom (and if the attacker chooses to provide the key.) Contrary to the warning, there does not appear to be any restrictions on the number of times an incorrect key can be entered. The victim will, however, receive the following error message.

Figure 13. The error presented after an incorrect decryption key is entered.

Fortinet Protection

Fortinet customers are already protected from this malware variant through FortiGuard’s Web Filtering, AntiVirus, and FortiEDR services, as follows:

FortiGuard Labs detects known Cryptonite ransomware variants with the following AV signatures:

  • W32/Filecoder.KY!tr
  • W32/Filecoder.KY!tr.ransom

IOCs

  • 3b68780719010fc195e6e4f8d1b912030259cb1cddde5a943e44da558222060f
  • 4e86d727ded7ba6c42109262bdf8cb72ae13303769d07995f99e20de3f2ce7ae
  • 7508e8b8054a2f773bb20082460a5e2fb224675c7c5c95a7a7006abf921eaf95
  • 81[.]59[.]117[.]34[.]bc[.]googleusercontent[.]com
  • ec2-3-125-223-134.eu-central-1[.]compute[.]amazonaws[.]com
  • e4c0660414bf[.]eu[.]ngrok[.]io

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact to an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE trainingNSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.