Kryptina RaaS - From Unsellable Cast-Off to Enterprise Ransomware

Sept. 24, 2024, 3:08 p.m.

Description

This analysis examines the evolution of Kryptina, a ransomware-as-a-service platform, from a free tool offered on public forums to active use in enterprise attacks under the Mallox ransomware family. In May 2024, a Mallox affiliate leaked staging server data, revealing that their Linux ransomware was based on a modified version of Kryptina. The affiliate made superficial changes to the source code and documentation, removing Kryptina branding but retaining the core functionality. This adoption exemplifies the commoditization of ransomware tools and complicates malware tracking, as affiliates blend different codebases into new variants. The report details the similarities and differences between the original Kryptina RaaS and the modified Mallox version, including encryption methods, ransom note templates, and configuration files.

Date

Published: Sept. 24, 2024, 2:42 p.m.
Created: Sept. 24, 2024, 2:42 p.m.
Modified: Sept. 24, 2024, 3:08 p.m.

Indicators

SHA-256 hashes:
ff5e8c23e622bdaf6fd608691e6c3da298b0bfe867b0d8d84d37d991b75a237c
f4b64976d7dcb04466f0a89d81cd2eb158158c752c042ec248549415799965bf
ec1b3e6440b0fe1523295479fb18660aaac2f9f13a72145feebe07d60c2d9197
e9b9f425fa818899070f69d09d3a35d7ccc88de6ac98b2c8b02116f1b314bc78
e6d4e65c45700dcedd2b5ed73734328500b5f5a016d79440d3611092475b9e6e
cd0f87f7df534b0e29b2ffa5d02cdef0d7db29a67a316e143554eb1945d75e6c
e52a8d0337bae656b01cb76c03975ac3d75ac4984c028ba2a6531396dea6dddd
c714df0154f2b6fc8a82aa35281836c664bd3fbf4be3efc7e8b5b94ac87fc0a6
b7776fc59166d0fdafa0ff7ab867049512226b0d7302a3acd9532ab05e58d44b
c23c25621872ef6a5f6a04dc1caf283a5efb3e046f6f721e96f661d28e3e6280
9f4c40c0d52291334d90455a64106f920ede3bda5c3f7d00b0933032b0f208d8
9195ad1b5c2d4b20b12958224c6913b6a7929c3c4d2648a552aa7dc92da9143b
694eeec46cfe1b7acd54cf95b307416be984a5238b3059cc3af446e74e28d889
3b1b1beacd0925dcb27675c45f50574921181c097ab8004d18bc116e5a99bde0
23ba8078df63ebb313f2f2a2f24dab840e068ddd5cc54bb661db7d010954d2fc
2fdaee89b426fa3ee00f3e8d10ebf23f1de1562746e5ba2ee606443572190610
175e20a7c8d54bfa6271de9d550c25c21e1c91aaf39aaa80779389fc8600d53f
45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d

IPv4 address:
185.73.125.6

Attack Patterns

Malware / threat names:
Kryptina
Mallox
Mallox

MITRE ATT&CK techniques:
T1588.001
T1505.003
T1588.002
T1059.001
T1059.004
T1204.002
T1486
T1027
T1190
T1078

Vulnerability:
CVE-2024-21338