Kryptina RaaS | From Underground Commodity to Open Source Threat

Kryptina RaaS is a Linux-focused ransomware framework that evolved from a paid underground offering to a freely available open-source tool after its source code was released on BreachForums, lowering the barrier to entry for attackers. With cloud and container environments growing in importance, the open-source release could drive more Linux-targeted attacks and variant proliferation. #Kryptina #BreachForums

Keypoints

  • Kryptina RaaS surfaced in December 2023 as a lightweight, fast, and highly customizable Linux ransomware solution.
  • Initial pricing offered a standalone encryptor/decryptor for $20 or a complete package for $500, later rising to $800 with added features such as multi-arch support and cryptocurrency payments.
  • In February 2024, the creator ‘Corlys’ published the full source code on BreachForums, removing financial barriers to entry.
  • The encryption uses AES-256-CBC via OpenSSL's libcrypto; keys and configuration data are obfuscated by XOR with a build-time value and then base64-encoded.
  • A secure-delete option can overwrite files before encryption, using a single-pass method to hinder recovery.
  • The Kryptina builder and web interface are Python-based (Flask), enabling campaign management, builder/decryptor creation, and victim communication; the tool supports extensive CLI parameters.
  • SentinelOne reports protection against Kryptina and notes the risk of rapid variant growth if the open-source code spawns forks and spin-offs.

MITRE Techniques

  • [T1059.006] Command and Scripting Interpreter: Python – The Kryptina architecture is built on a foundation of Python scripts for the payload builder and web server components. “The builder can also be scripted with Python.”
  • [T1486] Data Encrypted for Impact – The encryption process uses AES256 in CBC mode via OpenSSL, targeting configured directories/files. “The encryption process uses multiple parallel threads and depends on OpenSSL’s libcrypto. It uses the AES256 algorithm in CBC mode.”
  • [T1070.004] Indicator Removal: File Deletion – Secure deletion can overwrite files before encryption and remove them, hindering recovery. “The secure_delete_file() function… overwriting its original size… then the file is permanently removed using the unlink function.”
  • [T1140] Deobfuscate/Decode Files or Information – Obfuscation of keys/config data via XOR and Base64 encoding. “The keys and configuration data are obfuscated via XOR using a custom value defined at build time, and then base64 encoded.”
  • [T1485] Data Destruction – The open-source tool includes a secure-delete option which can slow encryption but makes recovery harder. “Enable secure delete when encrypting files (very slow, but makes recovery much harder)”
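
The XOR-plus-base64 layer described in the key points and under T1140 is the kind of obfuscation an analyst strips off a recovered sample or config blob. The following Python helper is an added example for that analysis task; it is not code from the SentinelOne report or from the Kryptina project, and the sample blob, the key 0x5A, and the JSON field names are constructed for the demonstration. It decodes a blob with a known key, and, where the key is unknown, brute-forces single-byte keys using a known-plaintext crib (a field name expected in the config), because a printable-ratio check alone is not selective enough: XOR with a small constant keeps most ASCII printable.

```python
"""Analyst helper: reverse a base64-then-XOR obfuscation layer (added example)."""
import base64
import string

PRINTABLE = frozenset(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is its own inverse, so the same
    call applies and removes the layer (single- or multi-byte key)."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_blob(encoded: str, key: bytes) -> bytes:
    """Undo the layers in reverse build order: base64-decode first, then XOR.
    validate=True makes stray characters in a corrupted blob fail loudly
    instead of silently decoding to garbage."""
    raw = base64.b64decode(encoded.strip(), validate=True)
    return xor_bytes(raw, key)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; used to rank candidates."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def recover_single_byte_key(encoded: str, crib: bytes, min_ratio: float = 0.9) -> list[int]:
    """Brute-force all 256 single-byte XOR keys for a blob whose plaintext is
    expected to contain `crib` (a JSON field name, a path prefix, ...).
    The crib is what makes the answer unique; the printable ratio only
    filters obvious garbage. Only single-byte keys are tried: a longer
    build-time key needs a known-plaintext attack per key position instead."""
    raw = base64.b64decode(encoded.strip(), validate=True)
    hits = []
    for k in range(256):
        out = xor_bytes(raw, bytes([k]))
        if crib in out and printable_ratio(out) >= min_ratio:
            hits.append(k)
    return hits


# Constructed sample (assumption: not a real Kryptina configuration or key).
SAMPLE_KEY = bytes([0x5A])
SAMPLE_PLAINTEXT = b'{"note":"constructed sample","targets":["/srv","/var/www"],"ext":".lock"}'
SAMPLE_BLOB = base64.b64encode(xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)).decode("ascii")


if __name__ == "__main__":
    print("decoded :", decode_blob(SAMPLE_BLOB, SAMPLE_KEY).decode())
    print("key hits:", [hex(k) for k in recover_single_byte_key(SAMPLE_BLOB, b'"targets"')])
```

Run it as a script to see the sample blob decoded with the known key and the same key recovered from the crib `"targets"`; in practice the crib comes from strings observed in the sample or from the report's description of the configuration format.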

Indicators of Compromise

  • [Hash] Source files – 03bbfdbad1d1fd93d6c76de9a61e9cfc49e7e319, 095538ff7643b0c142335c978bfe83d32a68cdac, and 2 more hashes
  • [Hash] Payload Samples – 355d70ffe98e6f22b6c3ad8d045e025a5ff78260, 63580c4b49d350cf1701fb906c94318a683ae668, and 2 more hashes

Read more: https://www.sentinelone.com/blog/kryptina-raas-from-underground-commodity-to-open-source-threat/