Kryptina RaaS: From Open-Source Tool to Enterprise-Level Ransomware
On September 23, 2024, SentinelOne released a report on Kryptina Ransomware-as-a-Service covering the May 2024 leak from a Mallox ransomware affiliate’s server.
Introduction
On September 23, 2024, SentinelOne released a report on Kryptina Ransomware-as-a-Service covering the May 2024 leak from a Mallox ransomware affiliate’s server. The report reveals how Kryptina, originally a free and open-source Ransomware-as-a-Service (RaaS) platform, evolved into a major threat in enterprise ransomware campaigns. Kryptina, once a tool that struggled to attract dark-market buyers, has now been adapted by Mallox affiliates to power customized Linux ransomware attacks. This shift highlights the growing commoditization of ransomware tools and the difficulty of tracking malware families whose code is shared and rebranded.
Report Overview
In February 2024, SentinelOne published an analysis on Kryptina RaaS, a Linux-based ransomware platform that provided tools for creating and managing ransomware campaigns. Despite its full functionality, including automated payloads and multi-group management, the platform saw little interest on dark forums. By May 2024, however, Kryptina resurfaced in a Mallox affiliate’s staging server leak, where it had been modified and rebranded as “Mallox Linux v1.0.”
The Mallox affiliate had retained Kryptina’s core functionality while stripping its branding, and the modified version was actively used in attacks targeting small to medium-sized businesses (SMBs) and enterprise networks.
Kryptina’s original capabilities were largely untouched in the Mallox affiliate’s version. The ransomware encrypts files with AES-256-CBC and obfuscates its keys with XOR and base64 encoding. This is implemented in krptna_process_file(), which calls OpenSSL’s encryption routines to encrypt files. The affiliate modified only superficial elements such as comments and debug messages, rebranding them with Mallox’s name while keeping Kryptina’s encryption routines and builder intact.
Kryptina's original scripting_demo.py allowed for quick, automated Linux payload builds, a feature retained in Mallox Linux 1.0. The affiliate's modifications to the makefile and builder scripts also enabled customized ransomware builds, complete with options for payload self-deletion, maximum file sizes, and secure deletion features.
Mallox, also known by aliases such as FARGO and XOLLAM, has been active since 2021, targeting enterprises through MSSQL exploitation and brute-force attacks. Affiliates of Mallox often adapt their campaigns based on vulnerabilities that emerge in targeted systems, varying in their attack methods but unified in leveraging ransomware-as-a-service platforms like Kryptina.
The discovery of Kryptina in the Mallox affiliate’s staging server, hosted on 185[.]73.125[.]6, marks an evolution in how these RaaS platforms are adopted and adapted by individual threat actors. While the Mallox Linux 1.0 variant used Kryptina as a base, other affiliates have created different Linux variants that don’t rely on Kryptina, complicating efforts to trace the malware’s lineage.
The affiliate leak contained not only ransomware builder tools but also payloads staged for deployment. Among the files, there were custom ransom note templates, encryption tools, and victim-specific configuration files. Seven out of 14 targeted folders contained built payloads and configuration files, all referencing the same Bitcoin wallet (BTC: 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3) and shared encryption keys.
Additionally, tools for exploiting CVE-2024-21338, a Windows privilege escalation flaw, were found alongside Windows-specific droppers. These droppers included PowerShell scripts and .LNK-based payloads designed for privilege escalation and malware execution.
Insights and Analysis
Kryptina’s transformation from an open-source project into an enterprise-level threat highlights the dangers of commoditized ransomware tools. As affiliates continue to mix and match codebases, ransomware tracking becomes increasingly difficult, raising the stakes for cybersecurity defenders.
To protect against similar threats, enterprises should:
- Regularly update software to close vulnerabilities that ransomware campaigns frequently exploit.
- Implement multi-factor authentication (MFA) and strong password policies to reduce the risk of brute-force attacks.
- Backup critical data and test recovery processes to mitigate damage from ransomware incidents.
- Monitor network traffic for known Indicators of Compromise (IOCs) associated with Mallox campaigns.
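The last item above, monitoring for the known IOCs, is the one a detection engineer would script first. The following is an added example (not code from SentinelOne or from the report) that loads the IOCs published on this page, normalises the defanged `[.]` notation, and matches them against a few constructed DNS, proxy and EDR log lines; the log format and the `sha1=` field name are assumptions for the sample data.

```python
import re

# IOCs exactly as published in the report's table (kept in defanged form).
MALLOX_IOCS = {
    "hash": {  # 40-hex file hashes from the table (SHA-1 length)
        "0b9d2895d29f7d553e5613266c2319e10afdda78",
        "0de92527430dc0794694787678294509964422e6",
        "0f1aea2cf0c9f2de55d2b920618a5948c5e5e119",
    },
    "ip": {"185[.]73.125[.]6"},
    "domain": {"grovik71[.]theweb[.]place"},
}

def refang(value):
    """Turn a defanged indicator ('185[.]73.125[.]6', 'hxxp://') into its live form."""
    return value.lower().replace("[.]", ".").replace("hxxp", "http")

# Normalised lookup sets, built once.
LOOKUP = {kind: {refang(v) for v in vals} for kind, vals in MALLOX_IOCS.items()}

HASH_RE = re.compile(r"\b[0-9a-f]{40}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

def scan_line(line):
    """Return (kind, indicator) pairs from one log line that match a known IOC."""
    text = refang(line)  # logs may also be stored defanged; normalise both sides
    hits = []
    for kind, regex in (("hash", HASH_RE), ("ip", IP_RE), ("domain", DOMAIN_RE)):
        for m in regex.finditer(text):
            if m.group(0) in LOOKUP[kind]:
                hits.append((kind, m.group(0)))
    return hits

def scan_logs(lines):
    """Return (line_number, (kind, indicator)) for every IOC hit across the lines."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in scan_line(line)]

# Constructed sample log lines (not from the report); only lines 1-3 carry IOCs.
SAMPLE_LOGS = [
    "2024-05-02T10:14:03Z dns query client=10.0.0.15 qname=grovik71.theweb.place",
    "2024-05-02T10:14:09Z proxy CONNECT 185.73.125.6:443 user=svc-backup",
    "2024-05-02T10:15:41Z edr file_create path=/tmp/.x sha1=0de92527430dc0794694787678294509964422e6",
    "2024-05-02T10:16:00Z dns query client=10.0.0.22 qname=updates.example.com",
]

if __name__ == "__main__":
    for n, (kind, ioc) in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} match on {ioc}")
```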
Kryptina’s resurgence in the hands of Mallox affiliates is a reminder of how rapidly cyber threats can evolve, making continuous vigilance essential for security teams.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| 0b9d2895d29f7d553e5613266c2319e10afdda78 | File Hash | Hash of a payload file related to Mallox Linux Ransomware |
| 0de92527430dc0794694787678294509964422e6 | File Hash | Hash of a payload file related to Mallox Linux Ransomware |
| 0f1aea2cf0c9f2de55d2b920618a5948c5e5e119 | File Hash | Hash of a payload file related to Mallox Linux Ransomware |
| 185[.]73.125[.]6 | IP Address | Mallox affiliate’s staging server hosting ransomware payloads |
| grovik71[.]theweb[.]place | Domain | Domain used in Mallox ransomware campaign |
| 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3 | Bitcoin Address | Bitcoin address used for ransom payments |
MITRE ATT&CK Table
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | Exploiting vulnerable services like MSSQL for initial access |
| Execution | Command and Scripting Interpreter | T1059 | Using PowerShell scripts to execute commands for ransomware deployment |
| Defense Evasion | Disable or Modify Tools | T1562.001 | Resetting Kaspersky password protection to bypass endpoint defenses |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Leveraging CVE-2024-21338 for privilege escalation on Windows systems |
| Impact | Data Encrypted for Impact | T1486 | Encrypting victim's files using AES-256-CBC encryption as part of the ransomware attack |