Kryptina Ransomware
Kryptina Ransomware-as-a-Service (RaaS)
Kryptina is a Ransomware-as-a-Service (RaaS) targeting Linux systems that was first identified in December 2023. It was advertised on underground forums as a lightweight but fast solution, priced at USD 20 for a standalone build and USD 500 for the full source code, builder and documentation.
The source code for Kryptina RaaS can be found here.
Development and Features
The developer, known as ‘Corlys’, updated the features in January 2024 to include:
- 32-bit and 64-bit support
- An updated web interface
- Payment options for Bitcoin and Monero
The price of the package rose to USD 800. By February 2024, Corlys had released the whole source code onto BreachForums. The stated reason was a lack of buyer interest, but the quick transition from a paid model to open source called that explanation into question.
Technical Details
The ransomware ships payloads in both ELF64 and ELF32 formats. On execution it encrypts the files and directories specified in the configuration that the builder embeds at build time. Encryption is multi-threaded and uses OpenSSL's libcrypto, applying AES-256 in CBC mode. Keys and configuration data are obfuscated by XORing them with a value chosen at build time (the builder's `--xor_key`, default 155) and then base64 encoded.
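To make the obfuscation layer concrete, the following is an added example (not code from Kryptina or from the SentinelOne analysis) that encodes a constructed config the way the page describes and recovers it, including brute-forcing the XOR value when the build-time key is unknown. Assumptions: the XOR key is a single byte (the builder default of 155 fits one), XOR is applied before base64, and the config is JSON whose field names follow the builder's options; the real on-disk layout may differ, in which case swap the two steps.

```python
"""Deobfuscate a Kryptina-style embedded config blob.

Added example, not code from the Kryptina source. Assumed format:
base64(XOR(json_bytes, single_byte_key)), with the builder's --xor_key
default of 155. Swap the two steps if a real sample is laid out differently.
"""
import base64
import json
import string

DEFAULT_XOR_KEY = 155  # builder --xor_key default, per the page


def xor_bytes(data, key):
    """Single-byte XOR; applying it twice with the same key restores the input."""
    if not 0 <= key <= 255:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def obfuscate_config(config, key=DEFAULT_XOR_KEY):
    """Produce a blob in the assumed format: base64(XOR(json, key))."""
    return base64.b64encode(xor_bytes(json.dumps(config).encode(), key)).decode()


def deobfuscate_config(blob, key=DEFAULT_XOR_KEY):
    """Reverse obfuscate_config with a known key."""
    return json.loads(xor_bytes(base64.b64decode(blob), key).decode())


def _printable_ratio(data):
    ok = set(string.printable.encode())
    return sum(b in ok for b in data) / max(len(data), 1)


def recover_xor_key(blob):
    """Brute-force the 256 possible keys when the build-time value is unknown.

    A key is accepted as soon as the result parses as JSON; if no key does
    (e.g. the config is not JSON), return the key with the most printable output.
    """
    raw = base64.b64decode(blob)
    best_key, best_score = 0, -1.0
    for key in range(256):
        candidate = xor_bytes(raw, key)
        try:
            json.loads(candidate.decode())
            return key
        except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
            pass
        score = _printable_ratio(candidate)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


# Constructed sample config. Field names mirror the builder arguments on this
# page; the real key names inside Kryptina's config are not documented here.
SAMPLE_CONFIG = {
    "name": "acme-corp",
    "extension": ".lmallox",
    "key": "smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4=",
    "bitcoin": "18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3",
    "amount": 500.0,
}

if __name__ == "__main__":
    blob = obfuscate_config(SAMPLE_CONFIG, key=42)  # operator chose a non-default key
    key = recover_xor_key(blob)
    print("recovered XOR key:", key)
    print(deobfuscate_config(blob, key))
```

Because the keyspace is 256 values, an unknown `--xor_key` costs nothing to recover; the obfuscation only defeats naive string searches over the binary, not analysis.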
File Encryption Process
The file encryption process is managed by the `krptna_process_file()` function. It initializes an OpenSSL cipher context with `EVP_CIPHER_CTX_new()`, processes the file stream in chunks with `EVP_CipherUpdate()`, and finalizes the encryption with `EVP_CipherFinal()`, which applies the block padding CBC mode requires to the final block.
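An added triage example (not code from Kryptina, the Mallox affiliate, or SentinelOne) that turns the facts above into checks an analyst can run over a suspect directory: the build-time extension (`.krptna` by default, `.lmallox` in the recovered Mallox configs), the ciphertext length that padded AES-CBC produces (a non-zero multiple of 16 bytes), and the near-maximal byte entropy of AES output. It assumes the payload writes only ciphertext (and at most a 16-byte IV) into the file; a footer or embedded metadata, which the page does not describe, would break the length test. The sample files are constructed, and the "ciphertext" is seeded pseudo-random data standing in for real AES output.

```python
"""Triage files that may have been written by Kryptina / "Mallox Linux 1.0".

Added example; not code from Kryptina, the Mallox affiliate, or SentinelOne.
Assumption: the payload stores nothing but ciphertext (plus at most a 16-byte
IV) in the encrypted file, so PKCS#7-padded AES-CBC output is always a
non-zero multiple of 16 bytes.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

AES_BLOCK = 16
KNOWN_EXTENSIONS = {".krptna", ".lmallox"}  # builder default and the recovered configs
ENTROPY_RATIO_THRESHOLD = 0.9  # fraction of the maximum entropy a file of that size allows


def shannon_entropy(data):
    """Bits per byte of information in data (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def normalized_entropy(data):
    """Entropy relative to the maximum reachable for this file size.

    A 48-byte ciphertext can score at most log2(48) bits/byte, so comparing raw
    entropy against 8.0 would wrongly clear small encrypted files.
    """
    if len(data) < 2:
        return 0.0
    return shannon_entropy(data) / math.log2(min(len(data), 256))


def consistent_with_cbc_padding(size):
    """PKCS#7-padded CBC output is a positive multiple of the block size."""
    return size > 0 and size % AES_BLOCK == 0


def triage_file(path):
    data = path.read_bytes()
    ext_ok = path.suffix in KNOWN_EXTENSIONS
    size_ok = consistent_with_cbc_padding(len(data))
    ratio = normalized_entropy(data)
    return {
        "path": str(path),
        "known_extension": ext_ok,
        "size_consistent": size_ok,
        "entropy_ratio": round(ratio, 3),
        # Extension alone is not attribution: other Mallox Linux variants are not
        # Kryptina-based, so require the cipher's size and entropy signature too.
        "suspicious": ext_ok and size_ok and ratio >= ENTROPY_RATIO_THRESHOLD,
    }


def _pseudo_random(n, seed=1):
    """Deterministic stand-in for AES output (constructed; not real ciphertext)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def demo_scan():
    """Write constructed samples to a temp dir; return {filename: suspicious}."""
    samples = {
        "report.docx.lmallox": _pseudo_random(4096),  # right extension, size and entropy
        "notes.txt.lmallox": (b"The quick brown fox jumps over the lazy dog.\n" * 100)[:4096],  # right size, but plaintext
        "other.bin.lmallox": _pseudo_random(4097),  # not a block multiple: not this cipher setup
        "backup.tar": _pseudo_random(4096),  # no Kryptina extension
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            p = Path(tmp) / name
            p.write_bytes(content)
            results[name] = triage_file(p)["suspicious"]
    return results


if __name__ == "__main__":
    for name, flag in demo_scan().items():
        print(f"{'SUSPICIOUS' if flag else 'ok        '} {name}")
```

The length test is a cheap negative filter: a `.lmallox` file whose size is not a multiple of 16 was not produced by this EVP_CipherUpdate/EVP_CipherFinal pipeline as described, which matters because the page notes that not every Linux Mallox build derives from Kryptina.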
File Deletion
Kryptina can also be configured (the builder's `--secdel` option) to securely delete the original file as part of encryption, complicating data recovery. The `secure_delete_file()` function overwrites the file's contents with random bytes in a single pass and then removes it with `unlink()`. A single overwrite pass defeats file carving from the freed blocks on conventional disks, though on SSDs and copy-on-write filesystems the overwrite may land on different physical blocks than the original data.
Builder and Web Server
Kryptina uses Python scripts for its payload builder and web server components and requires dependencies such as `pycrypto`, `termcolor`, and `flask`. The source code is well-documented, indicating the intention to offer the RaaS as a turnkey solution.
Since its release, the ransomware has undergone many revisions. Version 2.0 introduced a web interface powered by Flask. The interface allowed users to manage campaigns, build encryptors and decryptors, and communicate with victims via a ‘Chat’ option. If the ‘Enable Public View’ setting is configured, victims can contact the attacker through instructions in the ransom note.
Builder Customization
The builder supports various command-line arguments, allowing operators to specify target names, encryption/decryption keys, and directories or files to target. This customization gives the operators granular control.
Evolution of Kryptina in Enterprise Attacks
On 23 September 2024, SentinelOne released an article detailing how Kryptina evolved from a free tool on public forums to being actively used in enterprise attacks, particularly under the Mallox/FARGO ransomware family.
Mallox/FARGO Ransomware Family
In May 2024, a Mallox affiliate had their staging server data breached, revealing that their Linux ransomware was based on modifications of Kryptina. The affiliate made superficial modifications to the source code and documentation to remove the Kryptina branding while retaining all its core functionality. This Linux variant was referred to by the affiliate threat actor as “Mallox v1.0”.
Mallox (aka TargetCompany) ransomware is an enterprise-focused RaaS. The family was identified in 2021 and is sometimes referred to as FARGO, XOLLAM, or BOZON due to the extension appended to encrypted files in some variants. Mallox operators are known to target “timely” vulnerabilities, including MSSQL Server.
Discovery of Staging Server
In May 2024, an open directory containing staged payloads along with Mallox builder tools and source code was discovered. The staging server was later taken down by the Mallox affiliate, but the server hosted at 185[.]73.125[.]6 contained numerous archives and payloads specific to the Windows version of Mallox. It also contained all the modified source files for Kryptina, including an accessible web server and interface for building Mallox Linux (Kryptina) payloads and managing separate infection campaigns.
The use of Kryptina by the affiliate appears to be singular; other Linux variants of Mallox are not based on Kryptina, complicating the relationship between Kryptina and Mallox.
Technical Details of “Mallox Linux 1.0”
The encryption and decryption routines in "Mallox Linux 1.0" are identical to the original Kryptina, except for the Kryptina database. The Kryptina branding had been stripped from most of the source and support files for "Mallox Linux 1.0". Documentation for the Kryptina-derived Mallox variations is included, though it is a distilled version of the original Kryptina documentation: the original Kryptina PDF had been slimmed down and included as `docs.md`.
Documentation and Setup
The updated Mallox Linux 1.0 documentation contained sections covering basic features and information on how to set up the environment and its dependencies, including the setup of phpMyAdmin and the backend MySQL. The affiliate made a few changes to the Kryptina source files to remove references to Kryptina and associate the comments and naming conventions with those of Mallox. Ransom note templates were structured similarly to the original Kryptina version. The `note/` folder on the server contained the template source, which can be customized directly or through the Kryptina web UI. The ransom note template was updated to remove the "Kryptina 2.x" references, replacing them with "Mallox v1.0".
Source Files and Automation
The main source files for "Mallox 1.0" were held in the `/src` folder of the affiliate server. The encryptor and decryptor source files, `kryptina.c` and `kryptina.h`, retained their original Kryptina-centric names. The only operational change to the Kryptina encryptor code was updating the printed output to say "Mallox" instead of Kryptina, and removing references to the Kryptina author Corlys.
The original `scripting_demo.py` file provided threat actors with a way to build Linux payloads from the command line, allowing for automated builds. While these scripted builds are not reflected in the web UI, they can be a valuable tool for a threat actor wanting to streamline the automation of new builds over time. The `scripting_demo.py` file had been minimally updated to reflect Mallox branding over Kryptina. Its arguments are:
| Arg | Description |
|---|---|
| `-n` | Name of your target |
| `-a` | About, a short description of your target |
| `-k` | Base64-encoded 256-bit key to use (default: random) |
| `-t` | Directories or files to target (comma-separated) |
| `-i` | Files/extensions to ignore (comma-separated) |
| `-e` | Custom extension to use (default: .krptna) |
| `-j` | Max number of jobs (threads) to use (default: 20) |
| `--arch32` | Create a 32-bit binary (x86) |
| `--xor_key` | The XOR key to use for encoding encrypted config data (default: 155) |
| `--note` | The local file containing the encryption notice text (default: note/template.txt) |
| `--note_name` | The absolute/relative filename to write the encryption notice to on the target |
| `--nonote` | Don't write an encryption note on the target |
| `--bitcoin` | Bitcoin wallet address for receiving payment |
| `--monero` | Monero wallet address for receiving payment |
| `--amount` | The amount to ask for in USD (default: 100.0) |
| `--deadline` | The payment deadline in hours (default: 72.0) |
| `--tox` | The Tox chat ID you wish to be contacted on |
| `--session` | The Session chat ID you wish to be contacted on |
| `--debug` | Enable debug output |
| `--demo` | Create a demo payload that doesn't actually encrypt/decrypt files |
| `--symbols` | Build binary with debug symbols (-ggdb3) |
| `--nolog` | Don't log payload config to the output/ directory |
| `--persist` | Disable payload self-delete |
| `--secdel` | Enable secure delete when encrypting files (very slow, but makes recovery much harder) |
| `--maxsize` | Maximum size of file (in megabytes) to target (default: unlimited) |
| `--recommend` | Auto-set recommended values for undefined parameters |
| `--static` | Build the payloads as static binaries |
| `--verbose` | Print compiler commands and output |
Output Directory Structure
In the `output/` directory, sub-directories exist for each target. Some of these folders also contained `config.json` files (builder configuration) alongside the matching encryptor/decryptor binary pairs. Each config file contains values for all the fields required by the builder scripts, including payment types and addresses.
Configuration Details
Seven of the victim folders contained corresponding `config.json` files together with compiled encryptor and decryptor tools. All of the targets were configured with the same BTC payment address, 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3. Other values were repeated across the campaigns as well, including the extension `.lmallox` and the same base64-encoded 256-bit key (the builder's `-k` value). Since `-k` sets the AES key baked into each payload, a single decryptor built from that key would recover the files of all seven targets.
| SHA1 Hash | Bitcoin | Extension | Key (base64, 256-bit) | Amount (USD) |
|---|---|---|---|---|
| fbb89744bc9f65719bd5415dcf1ec9a74b24254e | 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3 | .lmallox | smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4= | 500.0 |
| 55dc4541b72a804a7edf324d6a388569a68a2986 | 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3 | .lmallox | smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4= | 500.0 |
| 78c27c7ac1da97dc822b4af7be5f15d68f9c5e4f | 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3 | .lmallox | smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4= | 500.0 |
| d94f890a8c92cbce50d89da2792bcfc24894c004 | 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3 | .lmallox | smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4= | 500.0 |
| 16ec82ac2caf0c2e4812a636dbff4bd8ef84d5c3 | 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3 | .lmallox | smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4= | 500.0 |
| 66cab82b64fbb03fecf7ca7f9ed295404a9bfe2b | 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3 | .lmallox | smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4= | 500.0 |
| 0bbd9a8ddbb68e2658ea4c0a4106c7406a392098 | 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3 | .lmallox | smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4= | 500.0 |
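An added example (not part of the Kryptina/Mallox tooling or SentinelOne's report) of the pivot an analyst performs on a recovered `output/` tree like the one described above: load every target's `config.json`, cluster builds by the operator-chosen wallet, key and extension, and flag keys reused across builds. Assumptions: the JSON field names follow the builder's long options (`name`, `bitcoin`, `key`, `extension`, `amount`) and the folder name is the target name. The seven sample records carry the wallet, key, extension and amount from the table above with placeholder target names (the page does not publish them); the eighth record, `example-target`, is constructed with obviously fake values to show that a build with its own key lands in its own cluster.

```python
"""Cluster ransomware campaigns from a recovered builder output/ directory.

Added example; not code from the Kryptina/Mallox tooling or from SentinelOne.
Assumed layout: output/<target>/config.json, with JSON fields named after the
builder's long options (name, bitcoin, key, extension, amount).
"""
import json
import tempfile
from collections import defaultdict
from pathlib import Path

# Values published in the table on this page.
PUBLISHED_WALLET = "18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3"
PUBLISHED_KEY = "smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4="

# Constructed placeholders for the eighth record (not from the page).
FAKE_WALLET = "1ExampleWalletNotReal"
FAKE_KEY = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="  # base64 of 32 zero bytes


def sample_records():
    """Seven records mirroring the published table, plus one constructed outlier."""
    records = [
        {"name": f"target-{i}", "bitcoin": PUBLISHED_WALLET, "key": PUBLISHED_KEY,
         "extension": ".lmallox", "amount": 500.0}
        for i in range(1, 8)  # target names are placeholders; the page does not list them
    ]
    records.append({"name": "example-target", "bitcoin": FAKE_WALLET, "key": FAKE_KEY,
                    "extension": ".krptna", "amount": 100.0})
    return records


def write_output_tree(root, records):
    """Recreate the builder's output/<target>/config.json layout (binaries omitted)."""
    for rec in records:
        folder = Path(root) / rec["name"]
        folder.mkdir(parents=True, exist_ok=True)
        (folder / "config.json").write_text(json.dumps(rec))


def load_configs(root):
    """Read every */config.json under root; fall back to the folder name for 'name'."""
    records = []
    for cfg in sorted(Path(root).glob("*/config.json")):
        rec = json.loads(cfg.read_text())
        rec.setdefault("name", cfg.parent.name)
        records.append(rec)
    return records


def cluster_campaigns(records):
    """Group target names by the operator-chosen tuple (wallet, key, extension)."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[(rec["bitcoin"], rec["key"], rec["extension"])].append(rec["name"])
    return dict(clusters)


def reused_keys(records):
    """Keys present in more than one build.

    The builder's -k value is the AES-256 key compiled into the payload, so one
    decryptor built from a reused key recovers every target listed under it.
    """
    by_key = defaultdict(list)
    for rec in records:
        by_key[rec["key"]].append(rec["name"])
    return {key: names for key, names in by_key.items() if len(names) > 1}


def demo():
    """Round-trip the sample records through a temp output/ tree; return (clusters, reused)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "output"
        write_output_tree(root, sample_records())
        records = load_configs(root)
    return cluster_campaigns(records), reused_keys(records)


if __name__ == "__main__":
    clusters, reused = demo()
    for (wallet, key, ext), names in clusters.items():
        print(f"{wallet} {ext} key={key[:8]}... -> {len(names)} target(s): {', '.join(names)}")
    for key, names in reused.items():
        print(f"key {key[:8]}... reused across {len(names)} builds")
```

Run against a real dump, `load_configs(Path("output"))` replaces `sample_records()`; any cluster larger than one target is a single operator's campaign set, and any entry in `reused_keys` is the first thing to hand to victims once a decryptor for that key exists.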