Kryptina RaaS - From Unsellable Cast-Off to Enterprise Ransomware
Sept. 24, 2024, 3:08 p.m.
Description
This analysis examines the evolution of Kryptina, a ransomware-as-a-service platform, from a tool given away free on public forums to active use in enterprise attacks under the Mallox ransomware family. In May 2024, a Mallox affiliate leaked staging server data, revealing that their Linux ransomware was based on a modified version of Kryptina. The affiliate made superficial changes to the source code and documentation, removing Kryptina branding while retaining the core functionality. This adoption exemplifies the commoditization of ransomware tools and complicates malware tracking, as affiliates blend different codebases into new variants. The report details the similarities and differences between the original Kryptina RaaS and the modified Mallox version, including encryption methods, ransom note templates, and configuration files.
Date
Published: Sept. 24, 2024, 2:42 p.m.
Created: Sept. 24, 2024, 2:42 p.m.
Modified: Sept. 24, 2024, 3:08 p.m.
Indicators
.73.125.6
grovik71.theweb.place
docs.md
Attack Patterns
Kryptina
Mallox
T1588.001
T1505.003
T1588.002
T1059.001
T1059.004
T1204.002
T1486
T1027
T1190
T1078
CVE-2024-21338