Fortinet researchers studied the recently appeared Cryptonite ransomware, which was distributed free of charge on GitHub. It turned out that the creator of the malware made a mistake in the code, and the malware did not encrypt, but destroyed the data of the victims.
Unlike other ransomware, Cryptonite was not sold on the darknet, but distributed openly: it was published on GitHub by someone under the nickname CYBERDEVILZ (since then, the source code of the malware and its forks have already been removed).
The researchers say that the malware, written in Python, was extremely simple: it used the Fernet module to encrypt files and replaced their extension with .cryptn8. However, in the latest version something went wrong: the Cryptonite sample studied by the experts locked files with no possibility of recovery, in effect acting like a wiper (a program that erases data).
The researchers say that the destructive behavior of the malware was not intended by its author. Rather, it stems from the author's low skill level: errors in the code cause the program to crash when it tries to display the ransom note (after the encryption process has completed).
«The problem is that due to the simplicity of the ransomware design, after the program fails (or even if it is closed), it is no longer possible to restore encrypted files,» the researchers explain.
In addition, an error that occurs while the ransomware is running means that the key used to encrypt the files is never transmitted to the malware operator at all. As a result, access to the victim's data is blocked completely and permanently.
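Because the key is lost, a victim cannot get the files back even by paying, so the practical response is to find every affected file and restore it from backup. The following scanner is an added example written for this article, not Fortinet's or the malware author's code; it only relies on the .cryptn8 extension named in the report, and the directory tree it builds is constructed for the demonstration (nothing is encrypted).

```python
import os
import tempfile
from pathlib import Path

# Extension the Cryptonite sample appends to the files it processes (from the report above).
CRYPTONITE_EXT = ".cryptn8"


def find_affected_files(root, ext=CRYPTONITE_EXT):
    """Walk `root` and return sorted paths of files whose name ends with `ext`.

    The comparison is case-insensitive so a renamed or copied file still matches.
    """
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ext.lower()):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def original_name(path, ext=CRYPTONITE_EXT):
    """Return the pre-encryption file name, i.e. the path with `ext` stripped.

    This is the name a restore-from-backup job has to look up.
    """
    if path.lower().endswith(ext.lower()):
        return path[: -len(ext)]
    return path


def restore_plan(hits, ext=CRYPTONITE_EXT):
    """Map each affected file to the original name that must be pulled from backup."""
    return {h: original_name(h, ext) for h in hits}


def run_demo():
    """Build a constructed directory tree, scan it, and return the results.

    The file names are made up for the demonstration (hypothetical victim data);
    paths are returned relative to the temporary root with '/' separators.
    """
    with tempfile.TemporaryDirectory() as base:
        tree = [
            "docs/report.docx.cryptn8",
            "docs/notes.txt",
            "photos/img1.jpg.cryptn8",
            "photos/img2.jpg.CRYPTN8",   # upper-case variant still matches
            "unrelated.bin",
        ]
        for rel in tree:
            p = Path(base) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"")
        hits = find_affected_files(base)

        def rel(p):
            return os.path.relpath(p, base).replace(os.sep, "/")

        rel_hits = [rel(h) for h in hits]
        plan = {rel(enc): rel(orig) for enc, orig in restore_plan(hits).items()}
        return rel_hits, plan


if __name__ == "__main__":
    hits, plan = run_demo()
    for enc, orig in plan.items():
        print(f"{enc} -> restore {orig} from backup")
```

Run against a real share by calling `find_affected_files("/path/to/share")` and feeding the result to `restore_plan`; the output is the list of original names to pull from the last clean backup, which is the only recovery path the report leaves open.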