Ransomware Roundup – Cryptonite | FortiGuard Labs

FortiGuard Labs analyzes Cryptonite, an open-source, Python-based ransomware kit that encrypts Windows files and uses NGROK as a reverse proxy for command and control (C2). The report details how Cryptonite operates, its encryption method, its IoCs, and Fortinet’s protective guidance and best practices for defense and response.

Key points

  • Cryptonite is a freely available ransomware kit, coded in Python and deployable after configuration, using PyInstaller to bundle dependencies.
  • It employs a server component and NGROK to forward victim data to the attacker and to hide the threat actor’s location.
  • The malware looks up the victim’s public IP address and geolocation via ipinfo.io, then reports them to the attacker’s server through the ngrok tunnel.
  • Encryption is performed with the Python Cryptography module using Fernet (AES-128) and by default renames files to a .cryptn8 extension (configurable).
  • A decoy “software update” screen is shown during encryption to mislead the user.
  • Fortinet provides detection indicators (AV signatures) and a set of IoCs, including file hashes and domains associated with Cryptonite.
  • Defensive recommendations emphasize up-to-date AV/IPS, phishing awareness training, robust backups, and security architectures like SASE, EDR, Zero Trust, and incident response services.

MITRE Techniques

  • [T1059.006] Python – The malware is coded in Python and packaged with PyInstaller to run on systems without relying on a pre-installed Python interpreter. ‘Coding in Python makes development very fast and easy. However, because it is an interpreted language, the Python interpreter must be installed on any machine attempting to run a script. Since this cannot be guaranteed, Cryptonite is packaged using PyInstaller, which contains all the necessary files to deploy Python code on a given system.’
  • [T1090] Proxy – It uses NGROK as a reverse proxy to disguise the attack infrastructure and pass victim data back to the attacker. ‘There is a field labeled “NGROK URL:”. This refers to the requirement for an attacker to set up and use NGrok, which is effectively a legitimate reverse proxy service that many companies use to test their development systems. It makes it appear that the local infrastructure is attached to a sub-domain of “ngrok.com” and not the attacker’s actual location and IP address.’
  • [T1016.001] IP Address Discovery – It determines the victim’s location by identifying their IP address via ipinfo.io. ‘This NGrok requirement is for the Cryptonite server component, which is simply a basic Python web server attached to an SQL Lite database. It listens for victim machines that are reporting in and captures things like a unique ID for victims along with their IP address and general location.’
  • [T1486] Data Encrypted for Impact – It encrypts files using Fernet (AES-128) and renames them (default .cryptn8). ‘The method Cryptonite uses to encrypt files is via the Python Cryptography module. It uses an implementation of Fernet (https://cryptography.io/en/latest/fernet/) to provide 128-bit AES against the whole of a targeted file.’
  • [T1564] Masquerading – It presents a fake software update window during encryption to mislead the user. ‘The victim will, however, receive the following error message.’ and ‘It begins encrypting… presents a screen indicating that it is attempting to download a software update, followed by a status bar showing the percentage of the installation. This, however, is just a decoy and does not represent what the software is doing.’
  • [T1041] Exfiltration Over C2 Channel – It exfiltrates victim details to the attacker via the ngrok channel. ‘Finally, a ransom window is created on the victim’s device… it connects to the aforementioned “ngrok.io” to pass the victim’s details back to the attacker.’
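The T1486 entry above gives a defender two concrete handles: the default .cryptn8 extension and the fact that each file is replaced by a Fernet token. As an added example (not code from the FortiGuard report or from Cryptonite itself), the following Python scanner flags files by either handle. The Fernet token layout it checks (version byte 0x80, 8-byte big-endian timestamp, 16-byte IV, AES-CBC ciphertext in whole 16-byte blocks, 32-byte HMAC-SHA256 tag, all base64url-encoded) is the cryptography library's published token specification; the `build_sample_token` helper, which fabricates a structurally valid token from random bytes, the `demo` function and the three sample files are constructed for this example.

```python
"""Added example: spot files that look like Cryptonite/Fernet output (defender-side)."""
from __future__ import annotations

import base64
import binascii
import os
import struct
import tempfile
import time
from pathlib import Path

SUSPECT_EXTENSION = ".cryptn8"      # Cryptonite's default extension (configurable per the report)
FERNET_VERSION = 0x80               # every Fernet token starts with this version byte
HEADER_LEN = 1 + 8 + 16             # version byte + big-endian timestamp + AES-CBC IV
HMAC_LEN = 32                       # HMAC-SHA256 tag appended to the token
EARLIEST_PLAUSIBLE_TS = 1262304000  # 2010-01-01; older timestamps are treated as noise


def looks_like_fernet_token(data: bytes) -> bool:
    """Format check only: without the key the HMAC cannot be verified, so this
    says "structurally a Fernet token", not "definitely Cryptonite output"."""
    try:
        raw = base64.urlsafe_b64decode(data)
    except (binascii.Error, ValueError):
        return False
    # Shortest possible token: header + one 16-byte AES block + HMAC tag
    if len(raw) < HEADER_LEN + 16 + HMAC_LEN or raw[0] != FERNET_VERSION:
        return False
    (timestamp,) = struct.unpack(">Q", raw[1:9])
    if not EARLIEST_PLAUSIBLE_TS <= timestamp <= time.time() + 86400:
        return False
    ciphertext_len = len(raw) - HEADER_LEN - HMAC_LEN
    return ciphertext_len % 16 == 0  # AES-CBC with PKCS7 padding: whole blocks only


def scan_directory(root: str | Path) -> dict[str, list[str]]:
    """Return {file name: [reasons]} for files matching on extension, content, or both."""
    findings: dict[str, list[str]] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() == SUSPECT_EXTENSION:
            reasons.append("extension")
        try:
            data = path.read_bytes()
        except OSError:
            continue
        if looks_like_fernet_token(data):
            reasons.append("fernet-format")
        if reasons:
            findings[path.name] = reasons
    return findings


def build_sample_token(ciphertext_len: int = 48) -> bytes:
    """Constructed test data: a token with the right layout but random bytes where
    the ciphertext and HMAC would be. Nothing can decrypt it."""
    header = bytes([FERNET_VERSION]) + struct.pack(">Q", int(time.time())) + os.urandom(16)
    return base64.urlsafe_b64encode(header + os.urandom(ciphertext_len) + os.urandom(HMAC_LEN))


def demo() -> dict[str, list[str]]:
    """Write three constructed files into a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx.cryptn8").write_bytes(build_sample_token())        # renamed + encrypted
        (root / "notes.txt").write_text("quarterly notes, nothing encrypted\n")  # benign
        (root / "archive.bin").write_bytes(build_sample_token(160))              # custom extension
        return scan_directory(root)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {', '.join(reasons)}")
```

The content check matters because the extension is configurable: an operator who changes `.cryptn8` defeats an extension-only rule, while the token structure stays the same for any file the kit encrypts with Fernet. Expect some noise from legitimate Fernet users (session tokens, config secrets), so treat a hit as a triage lead rather than a verdict.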

Indicators of Compromise

  • [Hash] – 3b68780719010fc195e6e4f8d1b912030259cb1cddde5a943e44da558222060f
  • [Hash] – 4e86d727ded7ba6c42109262bdf8cb72ae13303769d07995f99e20de3f2ce7ae
  • [Hash] – 7508e8b8054a2f773bb20082460a5e2fb224675c7c5c95a7a7006abf921eaf95
  • [Domain] – 81.59.117.34.bc.googleusercontent.com
  • [Domain] – ec2-3-125-223-134.eu-central-1.compute.amazonaws.com
  • [Domain] – e4c0660414bf.eu.ngrok.io
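The indicators above are only useful once they are matched against telemetry. As an added example, not part of the FortiGuard report, the following Python script embeds the report's hashes and domains, adds two lower-confidence lookup patterns taken from the report's description of the C2 flow (the ipinfo.io lookup and the ngrok.io subdomain), and runs them over a constructed DNS query log and a constructed file-hash inventory. The log format, client addresses, file paths and the all-zero benign hash are invented for the example.

```python
"""Added example: match the report's IoCs and C2 patterns against constructed logs."""
from __future__ import annotations

import re

# SHA-256 hashes listed in the FortiGuard report
IOC_HASHES = {
    "3b68780719010fc195e6e4f8d1b912030259cb1cddde5a943e44da558222060f",
    "4e86d727ded7ba6c42109262bdf8cb72ae13303769d07995f99e20de3f2ce7ae",
    "7508e8b8054a2f773bb20082460a5e2fb224675c7c5c95a7a7006abf921eaf95",
}
# Domains listed in the FortiGuard report
IOC_DOMAINS = {
    "81.59.117.34.bc.googleusercontent.com",
    "ec2-3-125-223-134.eu-central-1.compute.amazonaws.com",
    "e4c0660414bf.eu.ngrok.io",
}
# Lower-confidence patterns derived from the report's description of the C2 flow:
# the victim looks itself up on ipinfo.io and reports to an ngrok.io subdomain.
# Both services have plenty of legitimate users, so these are triage leads, not verdicts.
SUSPECT_PATTERNS = [
    re.compile(r"^ipinfo\.io$"),
    re.compile(r"(^|\.)ngrok\.io$"),
]

# Constructed sample DNS query log: "<timestamp> <client-ip> query <type> <qname>"
SAMPLE_DNS_LOG = """\
2023-01-10T09:14:02Z 10.0.4.21 query A www.example.com
2023-01-10T09:14:05Z 10.0.4.21 query A ipinfo.io
2023-01-10T09:14:06Z 10.0.4.21 query A e4c0660414bf.eu.ngrok.io
2023-01-10T09:15:11Z 10.0.4.37 query A update.microsoft.com
2023-01-10T09:16:40Z 10.0.4.37 query A ec2-3-125-223-134.eu-central-1.compute.amazonaws.com
"""

# Constructed sample file inventory: (path, sha256). The benign hash is a placeholder.
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\Downloads\setup.exe",
     "3b68780719010fc195e6e4f8d1b912030259cb1cddde5a943e44da558222060f"),
    (r"C:\Program Files\Vendor\app.exe", "0" * 64),
]


def classify_domain(qname: str) -> str | None:
    """'ioc-domain' for an exact report IoC, 'suspect-pattern' for a C2-style lookup, else None."""
    name = qname.lower().rstrip(".")
    if name in IOC_DOMAINS:
        return "ioc-domain"
    if any(p.search(name) for p in SUSPECT_PATTERNS):
        return "suspect-pattern"
    return None


def scan_dns_log(text: str) -> list[dict[str, str]]:
    """Return one record per log line whose queried name matches an IoC or pattern."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue  # skip blank or unrecognised lines
        ts, client, _, _, qname = parts[:5]
        verdict = classify_domain(qname)
        if verdict:
            hits.append({"ts": ts, "client": client, "qname": qname, "verdict": verdict})
    return hits


def match_hashes(inventory: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (path, sha256) pairs whose hash is one of the report's IoCs."""
    return [(path, h) for path, h in inventory if h.lower() in IOC_HASHES]


def correlate(hits: list[dict[str, str]]) -> dict[str, list[str]]:
    """Group hits by client so a host that touched both ipinfo.io and ngrok.io stands out."""
    by_client: dict[str, list[str]] = {}
    for h in hits:
        by_client.setdefault(h["client"], []).append(h["qname"])
    return by_client


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG):
        print(h)
    print(correlate(scan_dns_log(SAMPLE_DNS_LOG)))
    print(match_hashes(SAMPLE_INVENTORY))
```

The ngrok subdomain in the IoC list is tied to one attacker's tunnel and will not match a different deployment of the kit, which is why the generic `ngrok.io` pattern is kept alongside it; `correlate` then shows the sequence the report describes (ipinfo.io lookup followed by an ngrok.io report-in) per client, which is a stronger signal than either lookup alone.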

Read more: https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-Cryptonite-Ransomware