Victims of a recently discovered form of ransomware are being warned not to pay a ransom, simply because the ransomware can’t decrypt files – it just destroys them instead.
Written in Python, Cryptonite ransomware first appeared in October as part of a free, open-source toolkit – available to anyone with the skills necessary to deploy it in attacks against Microsoft Windows systems, with phishing arguably the most popular means of delivery.
But analysis of Cryptonite by cybersecurity researchers at Fortinet found that the ransomware has only “basic” functionality and provides no means of decrypting files at all, even if a ransom payment is made.
Instead, Cryptonite effectively works like wiper malware: it destroys the files it encrypts, leaving no way to retrieve the data.
But rather than this being a deliberate act of vandalism by design, the researchers suggest that Cryptonite behaves this way because the ransomware has been poorly implemented.
A basic design and what has been described as a “lack of quality assurance” mean the ransomware doesn’t work correctly: a flaw in the way it is put together means that if Cryptonite crashes or is simply closed, the key is lost and there is no way to recover the encrypted files.
There’s also no way to run it in a decrypt-only mode – so every time the ransomware is run, it re-encrypts everything with a different key. This means that even if there were a way to recover the key from one run, that key would not decrypt files re-encrypted in a later run – there is no way to recover the encrypted data.
“This sample shows how the weak structure and programming of ransomware can quickly turn it into a data erasure tool that doesn’t allow recovery,” said Gergely Révay, security researcher at Fortinet’s FortiGuard Labs.
He added: “While we often complain about the increasing complexity of ransomware samples, we can also see that over-simplification and lack of quality assurance can also lead to serious problems.”
It is the victims of ransomware attacks who feel those problems, as they have no way to recover their networks – even if they have paid the ransom.
The case of the Cryptonite ransomware serves as a reminder that paying a ransom never guarantees that cybercriminals will provide the decryption key, or that it will function properly if they do.
Cybersecurity agencies, including CISA, the FBI and the NCSC, advise against paying the ransom because it only serves to encourage cybercriminals, especially when they can obtain the ransomware cheaply or for free.
The good news is that it’s harder for cybercriminals to get their hands on Cryptonite now because the original source code has been removed from GitHub.
Also, the simple nature of the ransomware means it is easy for antivirus software to detect – so you should install antivirus software and keep it updated.