The threat landscape is constantly evolving with new ransomware and malware variants being introduced regularly. FortiGuard Labs spotted a new ransomware, dubbed Cryptonite - not to be confused with the Chaos ransomware that is also known as Cryptonite. In the same thread, Cyble researchers discovered another ransomware called Punisher, targeting Chile.

Cryptonite ransomware 

Cryptonite is a free and open-source ransomware kit that can be downloaded by anyone willing to deploy it.
  • Coded in Python, the ransomware requires some level of configuration, including a Bitcoin wallet address with the ransom amount, a configurable file extension for encrypted files, and a contact email, before it is made ready for delivery. 
  • Furthermore, it requires a server to be configured and functional to receive input from the executable running on the victim’s machine for the malware to be properly operational.
  • Cryptonite is packaged using PyInstaller that contains all required files to deploy Python code on any given machine.

Punisher ransomware

A new strain of Punisher ransomware was found propagating via a COVID-19 phishing website. The ransomware is disguised on the website as a COVID-tracking app and targets Chilean users.
  • It demands $1,000 in Bitcoin for the decryptor and uses a common ransom note downloaded from a remote server. 
  • Post-infection, Punisher appends the system ID, BTC wallet address, JS codes, and victim unique identifier to the ransom notes. The JS code is used to start a timer that increases the ransom amount after a certain period.
  • The ransom note is, moreover, dropped as a shortcut file—unlock your files.lnk—in locations such as Start Menu, Startup, and Desktop. This is to ensure that the victim sees the ransom note only after they log in to their systems. 

Other ransomware to beware of

  • Recently, RansomExx ransomware got upgraded to the Rust language in an attempt to expand its attack scope. 
  • The Donut extortion group started deploying its own ransomware for double-extortion attacks. 
  • Three new ransomware families—AXLocker, Octocrypt, and Alice—were found conducting distinct, widespread attacks. 

The bottom line

Threat actors are adopting a multitude of techniques to spread infection and increase the impact of the attacks. While Cryptonite has been attacking corporate networks, Punisher targets individuals. Researchers, however, recommend never paying the ransom.
Cyware Publisher