The Story of a Ransomware Turning into an Accidental Wiper | FortiGuard Labs

Fortinet FortiGuard Labs analyzes a Cryptonite ransomware sample that was open-sourced on GitHub and later observed to behave like a wiper in the wild. The investigation covers static and dynamic analyses, reveals a flawed design that prevents data recovery, and lists IOCs and protective guidance. #Cryptonite #CYBERDEVILZ #Windows #Fortinet #FortiGuard #Ngrok

Key points

  • Cryptonite originated as an open-source ransomware toolkit, and a sample observed in the wild acted as a wiper rather than offering decryption.
  • The GitHub repository was removed, including forks, with CYBERDEVILZ identified as the main contributor group.
  • Core ransomware features are basic and miss typical defenses like Windows Shadow Copy removal and anti-analysis.
  • Static and dynamic analyses show the sample’s functions, including filesystem enumeration and key handling, but ultimately expose design flaws that block recovery.
  • Key findings include the sample’s IOCs: a SHA1 hash, a reverse-proxy URL, a bitcoin wallet, and an email address found in the sample.
  • Fortinet provides protections and guidance (AV signatures, phishing training, backups, EDR, Zero Trust) to mitigate such threats.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Encrypts files on the compromised machine without offering decryption. Quote: “Encrypts files on the compromised machine without offering decryption”
  • [T1083] File and Directory Discovery – The malware enumerates the filesystem to identify targets for encryption. Quote: “the program enumerates the filesystem”
  • [T1027] Obfuscated/Compressed Files and Information – The sample is a Python program bundled with PyInstaller into an executable. Quote: “a python program bundled with pyinstaller into an executable”
  • [T1041] Exfiltration Over C2 Channel – The encryption key is sent to the operator as part of the ransom workflow. Quote: “Later, this key is sent to the operator”

Indicators of Compromise

  • [Hash] Sample SHA1 hash – a891e774eeb9671ff2dd1334e1628ba18fb60575
  • [URL] Reverse proxy – hxxps://e4c0660414bf[.]eu[.]ngrok[.]io
  • [Bitcoin Wallet] Attacker’s bitcoin wallet – bc1qrs642t7jv7chpy4qt9u0j7knqqt7e06hp68ddj
  • [Email] Email address in sample – vlastyjanov_at_gmail[.]com

Read more: https://www.fortinet.com/blog/threat-research/The-story-of-a-ransomware-turning-into-an-accidental-wiper