Because of its “weak architecture and programming,” an open-source ransomware toolkit called Cryptonite has been observed in the wild with wiper capabilities.
Cryptonite, unlike other ransomware strains, is not for sale on the cybercriminal underground and was previously distributed for free by an actor known as CYBERDEVILZ via a GitHub repository. The source code and forks have since been removed.
The malware, written in Python, uses the Fernet module of the cryptography package to encrypt files, appending the “.cryptn8” extension to each one.
However, a new sample examined by Fortinet FortiGuard Labs was discovered to lock files with no way to decrypt them, essentially acting as a destructive data wiper.
This is not a deliberate action on the part of the threat actor, however, but the result of a lack of quality assurance: the program crashes when it attempts to display the ransom note after the encryption process has completed.
“The problem with this flaw is that due to the ransomware’s design simplicity, there is no way to recover the encrypted files if the program crashes — or is even closed,” Fortinet researcher Gergely Revay wrote in a Monday write-up.
The exception thrown during the ransomware program’s execution also means that the “key” used to encrypt the files is never sent to the operators, effectively locking users out of their data.
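For responders, two details in the paragraphs above matter: the encrypted files are Fernet tokens, and the Fernet key never left the victim machine. The script below is an added example written for this article, not Cryptonite's code or anything from the Fortinet write-up. It uses only the Python standard library to parse the publicly documented Fernet token layout (version byte 0x80, 8-byte big-endian timestamp, 16-byte IV, AES-CBC ciphertext, 32-byte HMAC-SHA256 keyed with the first half of the Fernet key), which lets an analyst confirm that a “.cryptn8” file is a Fernet token, recover the time it was produced for the incident timeline, and show that even the integrity tag cannot be checked without the lost key. The sample token is constructed here with random filler in place of real AES output; the layout and HMAC are real, so the same parser works on a token produced by `cryptography.fernet.Fernet.encrypt()`. That the ransomware stores the token verbatim in the renamed file is an assumption.

```python
import base64
import datetime
import hashlib
import hmac
import os
import struct
from typing import Optional

FERNET_VERSION = 0x80
_HEADER_LEN = 1 + 8 + 16   # version byte, timestamp, IV
_HMAC_LEN = 32


def parse_fernet_token(token: bytes) -> Optional[dict]:
    """Return the fields of a Fernet token, or None if the bytes are not one.

    Useful for triage: a file that parses here was produced by Fernet, and the
    embedded timestamp records when that happened.
    """
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) < _HEADER_LEN + 16 + _HMAC_LEN or raw[0] != FERNET_VERSION:
        return None
    ciphertext = raw[_HEADER_LEN:-_HMAC_LEN]
    if len(ciphertext) % 16:     # AES-CBC output is whole 16-byte blocks
        return None
    (timestamp,) = struct.unpack(">Q", raw[1:9])
    return {
        "timestamp": timestamp,
        "encrypted_at": datetime.datetime.fromtimestamp(
            timestamp, datetime.timezone.utc),
        "iv": raw[9:25],
        "ciphertext": ciphertext,
        "hmac": raw[-_HMAC_LEN:],
    }


def hmac_matches(token: bytes, key: bytes) -> bool:
    """True only if the token's trailing HMAC was made with this Fernet key.

    The first 16 bytes of the decoded 32-byte Fernet key are the signing key.
    Without the key that Cryptonite lost, this check (and decryption) fail.
    """
    raw = base64.urlsafe_b64decode(token)
    signing_key = base64.urlsafe_b64decode(key)[:16]
    expected = hmac.new(signing_key, raw[:-_HMAC_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(expected, raw[-_HMAC_LEN:])


def make_sample_token(key: bytes, timestamp: int) -> bytes:
    """Constructed sample for the demo: correct layout and HMAC, but the
    'ciphertext' is random filler rather than real AES-CBC output."""
    signing_key = base64.urlsafe_b64decode(key)[:16]
    body = (bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp)
            + os.urandom(16) + os.urandom(32))
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


def generate_key() -> bytes:
    """Same shape as Fernet.generate_key(): 32 random bytes, urlsafe-base64."""
    return base64.urlsafe_b64encode(os.urandom(32))


if __name__ == "__main__":
    # Constructed scenario: the key existed only in the crashed process.
    key_in_crashed_process = generate_key()
    encrypted_file = make_sample_token(key_in_crashed_process, 1_669_000_000)

    fields = parse_fernet_token(encrypted_file)
    print("Fernet token:", fields is not None)
    print("Encrypted at:", fields["encrypted_at"].isoformat())
    print("Verifies with original key:", hmac_matches(encrypted_file, key_in_crashed_process))
    print("Verifies with any other key:", hmac_matches(encrypted_file, generate_key()))
```

Running the script shows the token parsing cleanly with its embedded timestamp, the HMAC verifying only under the original key, and failing under any other key, which is the practical meaning of “no way to recover the encrypted files” once the process holding the key has died.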
The findings come amid an evolving ransomware landscape in which wipers disguised as file-encrypting malware are increasingly being used to overwrite data without allowing decryption.