Kryptina RaaS: Transforming Unsellable Cast-Offs into Enterprise Ransomware Solutions

Kryptina, once a free Linux RaaS tool, has been adopted by Mallox affiliates for enterprise attacks, with Mallox Linux 1.0 based on Kryptina source. A May 2024 leak showed modifications to Kryptina’s code and documentation, illustrating ransomware commoditization and complicating malware tracking.

Key points

  • Kryptina evolved from a free tool to being used in enterprise attacks under the Mallox ransomware family.
  • A Mallox affiliate leaked data revealing that their Linux ransomware was based on a modified version of Kryptina.
  • The original Kryptina RaaS struggled to attract interest until its adoption by Mallox affiliates.
  • Differences were noted between the original Kryptina RaaS and the Mallox-modified version.
  • The Kryptina tool was initially offered for sale in December 2023 but was later released as open-source.
  • Documentation and source files for Mallox Linux 1.0 retained many references to Kryptina.
  • The leaked affiliate server contained tools for both Linux and Windows platforms, indicating a broader attack strategy.

MITRE Techniques

  • [T1078] Valid Accounts – Use of stolen credentials to gain access to systems.
  • [T1203] Exploitation for Client Execution – Exploitation of vulnerabilities to execute malicious code.
  • [T1547] Boot or Logon Autostart Execution – Persistence mechanisms to maintain access to compromised systems.
  • [T1068] Exploitation for Privilege Escalation – Exploitation of vulnerabilities to gain elevated privileges.
  • [T1027] Obfuscated/Compressed Files and Information – Obfuscation techniques to evade detection.
  • [T1003] Credential Dumping – Collection of credentials to facilitate further attacks.
  • [T1041] Exfiltration – Exfiltration of data from compromised systems.
  • [T1486] Data Encrypted for Impact – Data encryption for ransom demands.

Indicators of Compromise

  • [SHA1 Hash] Files associated with Kryptina/Mallox payloads – 0f1aea2cf0c9f2de55d2b920618a5948c5e5e119, 43377911601247920dc15e9b22eda4c57cb9e743 and other hashes
  • [IP Address] Mallox staging server – 185.73.125.6
  • [Domain] DNS/domain used by Mallox affiliate infrastructure – grovik71.theweb.place
  • [Tox ID] Threat liaison identifier – 290E6890D02FBDCD92659056F9A95D80854534A4D76EE5D3A64AFD55E584EA398722EC2D3697
  • [BTC Address] Bitcoin payment address – 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3

Read more: https://www.sentinelone.com/labs/kryptina-raas-from-unsellable-cast-off-to-enterprise-ransomware/