This poorly designed ransomware cannot decrypt your files, even if you pay the ransom

[Image: frustrated man at a computer. Credit: Getty / 5m3photos]

Victims of a newly discovered form of ransomware are being warned not to pay the ransom demand, because the ransomware is unable to decrypt the files it encrypts; in effect, it destroys them instead.

Coded in Python, Cryptonite ransomware first appeared in October as part of a free, downloadable open-source toolkit, available to anyone with the skills to deploy it in attacks against Microsoft Windows systems. Phishing is thought to be the most common delivery method.

But analysis of Cryptonite by Fortinet cybersecurity researchers revealed that the ransomware has only “barebones” functionality and offers no way to decrypt files even if a ransom is paid.


Instead, Cryptonite effectively acts as wiper malware: the files it encrypts are destroyed, leaving no way to recover the data.

But rather than being destructive by design, the researchers suggest that Cryptonite behaves this way because it was put together badly.

A basic design and what is described as a “lack of quality assurance” mean the ransomware doesn’t work properly: because of a flaw in how it was built, if Cryptonite crashes or is simply closed, there is no way to recover the encrypted files.

There is also no way to run it in decrypt-only mode, so each time the ransomware is executed it re-encrypts everything with a different key. This means that even if there were a way to recover the files, that key probably wouldn’t work, leaving no way to recover the encrypted data.
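The two failures described above (the key exists only inside the running process, and there is no decrypt-only mode) can be modelled in a few lines. The Python below is an added illustration written for this article, not Cryptonite's code and not Fortinet's analysis. It uses a stand-in SHA-256 keystream cipher so it runs on the standard library alone, and the file names and contents are constructed sample data. It shows that someone holding only the most recent key cannot recover files that were encrypted twice, and that every key ever generated would be needed, none of which the flawed design ever saves.

```python
import hashlib
import os


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter).

    Applying it twice with the same key restores the input. It is only a
    stand-in so the demo runs on the standard library; the point being
    illustrated is key lifecycle, not cipher strength."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def run_once(files: dict) -> bytes:
    """One execution of the flawed design described in the article (a model,
    not Cryptonite's code): generate a fresh random key, re-encrypt every file
    in place, and keep the key only in memory. The key is returned solely so
    the demo can show what is lost when the process crashes or exits."""
    key = os.urandom(32)
    for name, content in files.items():
        files[name] = keystream_xor(key, content)
    return key


def try_decrypt(files: dict, key: bytes) -> dict:
    """What a victim (or a decryptor tool) could do with a single key."""
    return {name: keystream_xor(key, content) for name, content in files.items()}


def demo() -> dict:
    """Walk through two executions and report recoverability at each stage."""
    # Constructed sample data standing in for a victim's documents.
    original = {"report.docx": b"quarterly figures", "notes.txt": b"call the vendor"}
    files = dict(original)

    key1 = run_once(files)
    after_one_run = try_decrypt(files, key1) == original  # key still in memory

    # The process exits or crashes: key1 was never written anywhere, so it is gone.
    # The sample is run again; with no decrypt-only mode, everything is encrypted
    # a second time under a brand-new key.
    key2 = run_once(files)
    with_key2_only = try_decrypt(files, key2) == original  # only peels the key2 layer
    with_both_keys = try_decrypt(try_decrypt(files, key2), key1) == original

    return {
        "recoverable_after_first_run_with_key_in_memory": after_one_run,
        "recoverable_after_second_run_with_latest_key": with_key2_only,
        "recoverable_only_with_every_key_ever_generated": with_both_keys,
    }


if __name__ == "__main__":
    for stage, ok in demo().items():
        print(f"{stage}: {ok}")
```

The middle result is the one that matters for a victim: once the sample has run more than once, even a working decryptor fed the latest key would hand back the previous run's ciphertext rather than the documents, which is why paying cannot help here.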

“This example shows how ransomware’s weak architecture and programming can quickly turn it into a wiper that does not allow for data recovery,” said Gergely Révay, security researcher at Fortinet FortiGuard Labs.

“While we often complain about the growing sophistication of ransomware samples, we can also see that oversimplification and lack of quality assurance can also lead to significant issues,” he added.


It is the victim of the ransomware attack who suffers from these problems, since they have no way to restore their network even if they have paid a ransom.

The Cryptonite ransomware case is also a reminder that paying a ransom is never a guarantee that cybercriminals will provide a decryption key, or that it will work properly.

Cyber agencies, including CISA, the FBI and the NCSC, advise against paying the ransom because it only serves to embolden and abet cybercriminals, especially when they can acquire ransomware at low cost or for free.

The good news is that it’s now harder for budding cybercriminals to get their hands on Cryptonite, as the original source code has been removed from GitHub.

Beyond that, the simple nature of the ransomware also means it is easy for antivirus software to detect, so it is recommended to install antivirus software and keep it up to date.
