Ransomware Writers Are Missing Quality Assurance

Victims of a recently uncovered form of ransomware are being warned not to pay the ransom demand, because the ransomware is not able to decrypt files: it simply destroys them instead. Coded in Python, Cryptonite ransomware first appeared in October 2022 as part of a free-to-download open-source toolkit available to anyone with the skills required to deploy it in attacks against Microsoft Windows systems, with phishing attacks believed to be the most common means of delivery.

An analysis of Cryptonite by cybersecurity researchers has found that the ransomware only has "barebones" functionality and does not offer a means of decrypting files, even if a ransom payment is made. Instead, Cryptonite effectively acts as wiper malware, destroying the encrypted files and leaving no way of retrieving the data. But rather than this being an intentionally malicious act of destruction by design, researchers suggest that Cryptonite does this because the ransomware has been poorly put together.

A basic design and what's described as a "lack of quality assurance (QA)" means the ransomware does not work correctly: because of a flaw in the way it has been written, if Cryptonite crashes or is simply closed, it leaves no way to recover the encrypted files. There is also no way to run it in decryption-only mode, so every time the ransomware is run, it re-encrypts everything with a different key. This means that, even if there were a way to recover the files, the unique key probably would not work, leaving no way to recover the encrypted data. This demonstrates how weak architecture and programming can quickly turn ransomware into a wiper that does not allow data recovery.

Although researchers warn about the increasing sophistication of ransomware, they can also see that over-simplicity and a lack of quality assurance can lead to significant problems. It is still the victim of the ransomware attack that feels those problems, as they are left with no means of restoring their network even if they have made the ill-advised ransom payment.

The case of Cryptonite ransomware also serves as a reminder that paying a ransom is never a guarantee that the cybercriminals will provide a decryption key or that it will work properly. Cyber agencies, including CISA, the FBI, and the NCSC, recommend against paying the ransom because it only encourages cyber criminals, particularly if they can acquire ransomware at a low cost or for free.

See: https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-12-09-2022

The positive news is that it is now harder for cybercriminals to get Cryptonite, as the source code has been removed from GitHub. In addition, the simple nature of the ransomware also means that it is easy for antivirus software to detect.

It is up to all organizations to take steps and adopt procedures to protect themselves from ransomware attacks. No government can stop these attacks, except for the countries that are sponsoring or benefitting from the ransom payments.

The following is what Red Sky Alliance recommends:

• All data in transmission and at rest should be encrypted.
• Proper data backup and off-site storage policies should be adopted and followed.
• Implement 2-factor authentication company-wide.
• For USA readers, join and become active in your local Infragard chapter; membership is free. www.infragard.org
• Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
• Institute cyber threat and phishing training for all employees, with testing and updating.
• Recommend/require cyber security software, services, and devices to be used by all at-home working employees and consultants.
• Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
• Ensure that all software updates and patches are installed immediately.
• Enroll your company/organization in RedXray for daily cyber threat notifications that are directed at your domains. The RedXray service is $500 a month and provides threat intelligence on ten (10) cyber threat categories, including Keyloggers, without having to connect to your network.
• Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

• Reporting: https://www.redskyalliance.org/
• Website: https://www.wapacklabs.com/
• LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
