Kryptina, once an overlooked free to use Ransomeware as a service available in dark web has resurfaced in recent enterprise attacks. [4]Its return has been marked by an advanced and potent version as per research presented by SentilLabs in LABScon 2024 reported by infosec-magazine.
Mallox Linux 1.0
Mallox Ransomware Group also known as , a famous player in enterprise cyber-attacks has revamped the tool for its purpose. [4]When Kryptina was launched back in 2023 it didnt gain much popularity among cyber criminals, however in May 2024 a Mallox server data leak has shed light on the use of Kryptina to power Linux based Ransomware attacks, naming it Malloc 1.0. As reported by Trustwave Mallox has sucessfully performed cyberattacks on multiple enterprises. [2]One of such attacks include targetting unsecure Micrsoft SQL servers.
What is RaaS?
RaaS or Ransomeware as a Service is a specialized tool for folks who wish to indulge in cybercrime but do not wish to put the effort into building a ransomware. It’s literally Software as a Service for Cybercriminals. Aren’t we in an amazing world where no business opportunity is unturned, where there is a “service” and a “service-fee” for anything a human mind may wish.
How RaaS operates?
RaaS clients are offered similar services equivalent to SaaS services, including 24×7 support, bundled offers, user forums and many more.[3] The revenue model also ranges from monthly subscription to profit sharing, and data from Crowdstrike mentions that an average ransomware demand in 2023 was 6.1$ considering which its evident how lucrative the market is. The attacker also doesn’t need all attacks to be successful, one of them could make them rich.
Now it’s not surprising at all that RaaS operators run marketing campaigns and has websites just like any other websites and they are active on X, formerly Twitter.[3] The market is competitive and there are numerous players to name a few Locky, Goliath, Shark, Stampado, Encryptor and Jokeroo etc.
SentilLabs Findings
SentilLabs reported these notable findings in their presentation[4]:
- The Mallox variant of Kryptina uses AES 256 encryption with minor code changes
- Kryptinas source code has been updated and translated to Russian with minor changes to branding whereas keeping the encryption routines intact.
- The data leaks also confirm various configurations of Mallox campaigns targeting at least 14 victims.
Kryptina Source code on the exposed server, source: SentilLabs[1]
It’s alarming how these mediocre tools are revamped into modern sophisticated applications by advanced threat actors. These new findings shed light on the increasingly complex networks of threat actors who are continuously getting more powerful in their attacks and thus enterprises must brace for such lethal encounters.
References:
1.Author: Bill Toulas Image source:https://www.bleepingcomputer.com/news/security/new-mallox-ransomware-linux-variant-based-on-leaked-kryptina-code
2.Author: Bernard Bautista Report published on August 27, 20246 :https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exposed-and-encrypted-inside-a-mallox-ransomware-attack
3. Author: Kurt Baker – published on January 30, 2023 ,Details on Ransomware as a Service:https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas
4. Author: Alessandro Mascellino Report published on Kryptina:https://www.infosecurity-magazine.com/news/kryptina-ransomware-resurfaces
Amazing reading Kaushik. The new era of organized cybercrime platforms is booming. The NSO Group is another cybercrime service provider that promotes its legitimate cyber intelligence business model to federal organizations and intelligence agencies. NSO released “Pegasus” one of the top-notch spyware software that conducts zero-click espionage attacks using sophisticated multi-layered spying methods. According to the major media news, a single attack license could cost up to USD 40 million. It was a norm for this kind of business to be usually hidden in the dark net, but it has become a common business model and some governments use it as part of their intelligence practices.
https://www.cnet.com/tech/mobile/pegasus-spyware-and-citizen-surveillance-what-you-need-to-know/
Yes, Tamer, you have rightly pointed out that government sponsored applications are monetized for espionage by multiple governments across the globe. Pegasus, is definitely way more mainstream when compared to other dark web entities out there. The SS7 vulnerability revelation blew my mind and shows how easily our phones can be tracked with precise geotagging and zero click hack of our phone lines. Phones are part of our life and contains the every information we want to keep secure, when the phone is under attack it places us in th most vulnerable position a human can be in this modern day.
Reference:https://www.theguardian.com/world/2020/mar/29/revealed-saudis-suspected-of-phone-spying-campaign-in-us
Details on SS7 attacks: https://www.firstpoint-mg.com/blog/ss7-attack-guide/
Great post Kaushik, you have really highlighted the key issue. Ransomware-as-a-Service (RaaS) has emerged as a dominant business model among cybercriminal groups. The fact that attackers can simply subscribe to these tools, and launch attacks without needing to build their own malware, shows how much the cybercrime world has evolved. With so many options for attackers and tools getting more advanced, offering subscription-based models, 24/7 support and even marketing services. Raas has become a booming underground economy, and this trend is likely to continue. Organizations must proactively implement robust cybersecurity measures to protect themselves against these emerging threats.
In response, countries like the U.S. and U.K. have implemented stricter sanctions and coordinated international operations against ransomware groups. For example, the US recently imposed sanctions on two individuals affiliated with the Lockbit ransomware group [2] and both the U.S and U.K. have jointly sanctioned eleven individuals involved with the Trickbot cybercrime group [3].
References
1. Bleeping computer News. 2024. Ransomware as a Service and the Strange Economics of the Dark Web.
https://www.bleepingcomputer.com/news/security/ransomware-as-a-service-and-the-strange-economics-of-the-dark-web/
2. U.S Department of the Treasury 2024. Press Releases: United States Sanctions Affiliates of Russia – Based LockBit Ransomware Group.
https://home.treasury.gov/news/press-releases/jy2114
3. U.S Department of the Treasury 2023. Press Releases: United States and United Kingdom Sanction Additional Members of the Russia-Based Trickbot Cybercrime Gang
https://home.treasury.gov/news/press-releases/jy1714
Thank you Cynthia, for pointing out the important steps being taken by Governments across the world are taking to combat such adversaries. Its imperative that governments need to step in and in order to safeguard financial interest and public interests its important that stricter measures are taken and all necessary actions employed to make it harder for cyber criminals perform such activities anonymously.
This blog post does a good job explaining how Kryptina has returned as a Ransomware as a Service (RaaS). It’s worrying to see how the Mallox Ransomware Group has updated this tool, proving that even software that was once ignored can become a big danger. The growth of RaaS shows that it’s now easier for anyone, even people with little skill, to commit cybercrimes. The information about how RaaS works was surprising. The fact that these services provide help 24×7 and have online discussion groups like real software companies, shows just how organized and professional cybercrime has become. It’s important for us as future cybersecurity experts to learn about these business models so we can better anticipate and fight against their tactics.
Fantastic work, Kaushik! You have given us a thorough understanding of a worrying development in the world of cybercrime with your examination of the Kryptina ransomware’s rebirth under the Mallox banner. This article, which offers insightful information to both cybersecurity experts and company executives, effectively conveys the dynamic nature of ransomware threats and their significant influence on enterprise security.
Hi Kaushik, Your discussion post was very detailed and explained many of the essential ideas presented by the issue that occurred. One significant aspect you discussed was Kryptina being overlooked and its repurposing by Mallox into a system that would target enterprise systems that were primarily unsecured Microsoft SQL servers. Additionally, the ability to revamp such a tool and have only a few minor changes to the source code invites us to a discourse on the adaptability of these threat actors, highlighting the effectiveness of tools that are not powerful but can be weaponized to target enterprises. Another very important idea in your post was the role of RaaS as a business model, indicating cybercrime’s commercialization. Since RaaS functions similarly to regular software services, it is relatively easy for individuals to launch complex attacks. Lastly, SentilLabs’ findings on using AES-256 encryption in the Mallox variant of Kryptina show how threat actors can leverage leaked source code to update and localize their tools, demonstrating significant collaboration and innovation within these criminal networks.
Great post Kaushik! It’s amazing how rapidly these ransomware programs change! Kryptina, which hardly had an impact in 2023, has resurfaced as a formidable danger owing to Mallox. It demonstrates how even seemingly little tools may become harmful in the hands of the right (or wrong) people. The transition from free-to-use RaaS to sophisticated business threats is rather alarming. It’s insane to assume that there is competition in this field, with marketing campaigns and ‘customer support’! It just demonstrates that for every cybersecurity defense, there are several criminal organizations eager to invent their way past it. The naming of groups such as Locky, Shark, and Jokeroo emphasizes how large the playing field has become.
Great post Kaushik! It’s amazing how rapidly these ransomware programs change! Kryptina, which hardly had an impact in 2023, has resurfaced as a formidable danger owing to Mallox. It demonstrates how even seemingly little tools may become harmful in the hands of the right (or wrong) people. The transition from free-to-use RaaS to sophisticated business threats is rather alarming. It’s insane to assume that there is competition in this field, with marketing campaigns and ‘customer support’! It just demonstrates that for every cybersecurity defense, there are several criminal organizations eager to invent their way past it. The naming of groups such as Locky, Shark, and Jokeroo emphasizes how large the playing field has become.
Great work, this only shows how fast the ransomware has really changed, Kryptina ransomware’s rebirth under the Mallox banner. This opens our minds to the fact that ransomware can be a big treat and the fact that Kryptina, can be a great danger to the cybersecurity world and we have to start putting in place every mearure to reduce the effect to our systems with the constant training of our staffs.