Even if you pay the ransom, this lame ransomware will not rescue your encrypted files


Ransomware victims are regularly told not to pay the ransom demanded by cyber attackers. This advice is all the more relevant in the case of the new Cryptonite ransomware. Why? Simply because the malware is not able to decrypt the files it has encrypted.

Coded in Python, this ransomware first appeared in October as part of an open source malicious toolkit. This allows anyone with the required skills to deploy it on Microsoft Windows systems, with phishing attacks considered the most common mode of delivery.

But analysis of Cryptonite by cybersecurity researchers at Fortinet reveals that the ransomware offers no way to decrypt the files, even if a ransom is paid.

Cryptonite acts as a wiper

On the contrary, Cryptonite behaves like a wiper: a destructive type of malware that effectively erases data, leaving the encrypted files with no possibility of recovery. The researchers nevertheless suggest that this behavior stems from a software design problem rather than from an intentional destruction strategy.

A flaw in the programming prevents recovery of the encrypted files if the ransomware crashes or is simply closed. Likewise, it cannot be run in a decrypt-only mode: when it is run again, it re-encrypts the files at the same time with a different key.

“This example demonstrates how weaknesses in ransomware’s programming can quickly turn it into a wiper,” notes Gergely Révay, security researcher at Fortinet’s FortiGuard Labs. “While we often complain about the increasing sophistication of ransomware, we can also see that its overly simple nature and a lack of quality assurance can also lead to significant problems.”

File decryption is never guaranteed

The case of the Cryptonite ransomware is a further reminder that paying a ransom never guarantees that cybercriminals will provide the decryption key, or that the key will work properly.

The various national agencies, including the French ANSSI and its American and British counterparts (CISA, the FBI and the NCSC), recommend against paying a ransom. According to them, paying only emboldens and encourages cybercriminals, especially when they can acquire the ransomware cheaply or for free.

On the other hand, the good news is that it is now more difficult for budding cybercriminals to get their hands on Cryptonite, as the original source code has been removed from the GitHub repository. Furthermore, the basic nature of this ransomware also means that it is easy for antivirus software to detect. It is therefore recommended to install such software and keep it up to date.

Source: ZDNet.com