Kryptina RaaS - From Unsellable Cast-Off to Enterprise Ransomware
Sept. 24, 2024, 3:08 p.m.
Description
This analysis examines the evolution of Kryptina, a ransomware-as-a-service platform, from a tool given away free on public forums to active use in enterprise attacks under the Mallox ransomware family. In May 2024, a Mallox affiliate leaked staging server data, revealing that its Linux ransomware was based on a modified version of Kryptina. The affiliate made superficial changes to the source code and documentation, removing Kryptina branding but retaining the core functionality. This adoption exemplifies the commoditization of ransomware tools, which complicates malware tracking as affiliates blend different codebases into new variants. The report details the similarities and differences between the original Kryptina RaaS and the modified Mallox version, including encryption methods, ransom note templates, and configuration files.
Tags
Date
- Created: Sept. 24, 2024, 2:42 p.m.
- Published: Sept. 24, 2024, 2:42 p.m.
- Modified: Sept. 24, 2024, 3:08 p.m.
Indicators
Attack Patterns
- Kryptina
- Mallox
- T1588.001
- T1505.003
- T1588.002
- T1059.001
- T1059.004
- T1204.002
- T1486
- T1027
- T1190
- T1078
- CVE-2024-21338