On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This latest edition of the Ransomware Roundup covers Cryptonite ransomware.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High
Cryptonite (not to be confused with the Chaos ransomware variant, also named Cryptonite) is a ransomware kit that exists as FOSS (Free and Open-Source Software). Unusually, anyone with the skills to deploy it can simply download it, rather than having to buy it on the criminal underground.
Cryptonite is written in Python and requires some configuration before it is packaged and made ready for deployment. In addition, a server must be configured and running to receive input from the executable on a victim’s machine; without it, the malware does not work properly.
As seen in Figure 1, the commented text suggests using the provided exeGen Python script to make the initial configuration easier. Items that need to be provided are typical ransomware requirements, such as a Bitcoin wallet address with the amount of Bitcoin to ransom, a contact e-mail so victims can obtain a decryption key, and a configurable file extension for the encrypted files.
Also, a list of directories to avoid encrypting can be seen. This is required to prevent making the system inoperable and voiding the possibility of someone paying the ransom.
The exeGen script prevents the prospective threat actor from having to edit the source code themselves by allowing them to change the configuration via a handy GUI.
As seen in the figure above, there is a field labeled “NGROK URL:”. This refers to the requirement for an attacker to set up and use NGrok, a legitimate reverse proxy (tunnelling) service that many companies use to expose development systems for testing. It makes the attacker’s local infrastructure appear to be a sub-domain of “ngrok.com” rather than revealing their actual location and IP address.
This NGrok requirement exists for the Cryptonite server component, which is simply a basic Python web server backed by a SQLite database. It listens for victim machines reporting in and records a unique ID for each victim along with their IP address and general location.
Coding in Python makes development very fast and easy. However, because Python is an interpreted language, the Python interpreter must be installed on any machine attempting to run a script. Since this cannot be guaranteed, Cryptonite is packaged using PyInstaller, which bundles the interpreter and all the files necessary to run the Python code on a given system.
PyInstaller initially deposits these files in a randomly named folder in the victim’s Windows Temp folder.
Once PyInstaller has deposited the necessary files and kicked off the Cryptonite process, it checks for an active Internet connection and shuts down if one is not detected.
If an Internet connection is present, it begins encrypting the targeted system. It presents a screen indicating that it is attempting to download a software update, followed by a status bar showing the percentage of the installation. This, however, is just a decoy and does not represent what the software is doing.
In actuality, Cryptonite is searching through the system, looking for files to encrypt. This can be demonstrated with a snippet of the code used; note the matching strings from Figure 7.
Cryptonite encrypts files with the Python Cryptography module’s implementation of Fernet (https://cryptography.io/en/latest/fernet/), which applies 128-bit AES to the entire contents of each targeted file.
Encrypted files have their extensions changed to “.cryptn8” by default. However, as Figure 3 shows, this can be configured to anything should the attacker choose to change it.
Once all files have been encrypted, Cryptonite tries to determine the victim’s geographic location from their IP address using “ipinfo.io” and then attempts to phone home. It connects to the aforementioned “ngrok.io” tunnel to pass the victim’s details back to the attacker.
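Because Fernet tokens have a fixed layout (version byte 0x80, big-endian timestamp, 16-byte IV, AES-CBC ciphertext, 32-byte HMAC-SHA256 tag), an incident responder can triage encrypted files regardless of the extension the attacker configured. The following added example (not Cryptonite’s code) parses that layout to recover the encryption time and checks whether a candidate Fernet key authenticates a file before any decryption is attempted; the sample token and keys are constructed, not real ciphertext.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timezone

FERNET_VERSION = 0x80  # the only version defined by the Fernet spec
HMAC_LEN = 32          # trailing HMAC-SHA256 tag

def parse_fernet_token(token: bytes) -> "dict | None":
    """Return the fields of a Fernet token (version|timestamp|IV|ciphertext|HMAC),
    or None if the bytes do not have that layout."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:  # not base64url (binascii.Error is a ValueError)
        return None
    if len(raw) < 1 + 8 + 16 + 16 + HMAC_LEN or raw[0] != FERNET_VERSION:
        return None
    ciphertext = raw[25:-HMAC_LEN]
    if len(ciphertext) % 16:  # AES-CBC output is always whole 16-byte blocks
        return None
    ts = struct.unpack(">Q", raw[1:9])[0]  # seconds since the epoch, big-endian
    return {
        "timestamp": ts,
        "encrypted_at": datetime.fromtimestamp(ts, tz=timezone.utc),
        "iv": raw[9:25],
        "ciphertext": ciphertext,
        "tag": raw[-HMAC_LEN:],
        "signed": raw[:-HMAC_LEN],  # everything the HMAC covers
    }

def key_matches(token: bytes, fernet_key: bytes) -> bool:
    """True if the candidate Fernet key authenticates the token. A Fernet key is
    32 base64url-encoded bytes: 16-byte signing key, then 16-byte AES key.
    Only the HMAC is checked; nothing is decrypted."""
    fields = parse_fernet_token(token)
    if fields is None:
        return False
    signing_key = base64.urlsafe_b64decode(fernet_key)[:16]
    expected = hmac.new(signing_key, fields["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, fields["tag"])

# Constructed sample (not real ciphertext): a token with a valid layout and a
# valid HMAC under SAMPLE_KEY, whose signing half is 16 zero bytes.
SAMPLE_KEY = base64.urlsafe_b64encode(b"\x00" * 16 + b"\x11" * 16)
WRONG_KEY = base64.urlsafe_b64encode(b"\x01" * 16 + b"\x11" * 16)
_body = bytes([FERNET_VERSION]) + struct.pack(">Q", 1669852800) + b"\x22" * 16 + b"\x33" * 32
_tag = hmac.new(b"\x00" * 16, _body, hashlib.sha256).digest()
SAMPLE_TOKEN = base64.urlsafe_b64encode(_body + _tag)
```

The timestamp is the encryption time the Fernet library wrote into the token, which helps build a timeline of the encryption run across a file system.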
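The two-step phone-home sequence described above (a geolocation lookup to “ipinfo.io” followed by a connection to an “ngrok.io” sub-domain from the same host) is a usable network signal. The following added example (not from the page or the Fortinet products it describes) runs that correlation over constructed proxy log lines; the log format and the five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Hosts named on the page: geolocation lookup, then the ngrok-fronted server.
GEO_HOST = "ipinfo.io"
TUNNEL_SUFFIX = ".ngrok.io"

# Constructed proxy log lines: "<ISO time> <client ip> <destination host>".
SAMPLE_LOG = """\
2022-12-01T10:00:01 10.0.0.5 updates.example.com
2022-12-01T10:00:03 10.0.0.5 ipinfo.io
2022-12-01T10:00:04 10.0.0.5 abcd-1234.ngrok.io
2022-12-01T10:05:00 10.0.0.9 ipinfo.io
2022-12-01T11:30:00 10.0.0.9 demo.ngrok.io
2022-12-01T12:00:00 10.0.0.7 dev.ngrok.io
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def find_phone_home(log: str, window: timedelta = timedelta(minutes=5)) -> list:
    """Return (client, tunnel_host, seconds) for each client that queried
    ipinfo.io and then reached a *.ngrok.io host within `window`."""
    last_geo = {}   # client ip -> time of its most recent ipinfo.io request
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ts, client, host = datetime.fromisoformat(m[1]), m[2], m[3]
        if host == GEO_HOST:
            last_geo[client] = ts
        elif host.endswith(TUNNEL_SUFFIX) and client in last_geo:
            gap = ts - last_geo[client]
            if timedelta(0) <= gap <= window:
                hits.append((client, host, int(gap.total_seconds())))
    return hits
```

Only 10.0.0.5 matches: 10.0.0.9 reaches ngrok long after its lookup and 10.0.0.7 never queried ipinfo.io, so ordinary developer use of NGrok is not flagged by the sequence alone.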
Finally, a ransom window is created on the victim’s device that contains the attacker’s details, as shown in Figure 3.
The victim can enter their decryption key should they contact the attacker and pay the ransom (and if the attacker chooses to provide the key). Contrary to the warning, there do not appear to be any restrictions on the number of times an incorrect key can be entered. The victim will, however, receive the following error message.
Fortinet customers are already protected from this malware variant through FortiGuard’s Web Filtering, AntiVirus, and FortiEDR services, as follows:
FortiGuard Labs detects known Cryptonite ransomware variants with the following AV signatures:
Given the ease of disruption, the damage to daily operations, the potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), it is vital to keep all AV and IPS signatures up to date.
Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.
Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. To minimize risk and reduce the impact of a successful ransomware attack, organizations should investigate cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context.
As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.
Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom, partly because payment does not guarantee that files will be recovered. According to an advisory from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via its Internet Crime Complaint Center (IC3).
FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected, and our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).