Cryptonite and Punisher - An Analysis of New Ransomware

Cryptonite ransomware 

• Coded in Python, the ransomware requires some level of configuration, including a Bitcoin wallet address with the ransom amount, a configurable file extension for encrypted files, and a contact email, before it is made ready for delivery. 
• Furthermore, it requires a server to be configured and functional to receive input from the executable running on the victim’s machine for the malware to be properly operational.
• Cryptonite is packaged using PyInstaller that contains all required files to deploy Python code on any given machine.

Punisher ransomware

• It demands $1,000 in Bitcoin for the decryptor and uses a common ransom note downloaded from a remote server. 
• Post-infection, Punisher appends the system ID, BTC wallet address, JS codes, and victim unique identifier to the ransom notes. The JS code is used to start a timer that increases the ransom amount after a certain period.
• The ransom note is, moreover, dropped as a shortcut file—unlock your files.lnk—in locations such as Start Menu, Startup, and Desktop. This is to ensure that the victim sees the ransom note only after they log in to their systems. 

Other ransomware to beware of

• Recently, RansomExx ransomware got upgraded to the Rust language in an attempt to expand its attack scope. 
• The Donut extortion group started deploying its own ransomware for double-extortion attacks. 
• Three new ransomware families—AXLocker, Octocrypt, and Alice—were found conducting distinct, widespread attacks. 

The bottom line