A once-overlooked ransomware tool has resurfaced in enterprise attacks under the guise of a more advanced strain, according to research presented by SentinelLabs at LABScon 2024.
Kryptina, a Ransomware-as-a-Service (RaaS) tool initially available for free on dark web forums, has been adopted by affiliates of the Mallox ransomware group, a well-known player in enterprise cyber-attacks.
The Kryptina platform, first released in December 2023, failed to gain traction among cybercriminals. However, in May 2024, a data leak from a Mallox affiliate's server revealed that a modified version of Kryptina was being used to power Linux-based ransomware attacks.
This version, referred to as “Mallox v1.0,” retains the core functionality of Kryptina while stripping its branding, signaling the commoditization of ransomware tools in the cybercrime market.
Key findings from the SentinelLabs research include:
- The Kryptina-derived Mallox variant uses AES-256 encryption, with only minor changes to the original code
- The Mallox affiliate updated Kryptina's source code and documentation, translating it into Russian and adjusting the branding, but left the encryption routines largely intact
- The leaked data also contained configurations for various Mallox campaigns, targeting at least 14 victims
This development highlights a broader trend in the ransomware landscape, where previously abandoned or unsellable tools are repurposed by more sophisticated actors.
“The Kryptina-derived variants of Mallox are affiliate-specific and separate from other Linux variants of Mallox that have since emerged, an indication of how the ransomware landscape has evolved into a complex menagerie of cross-pollinated toolsets and non-linear codebases,” SentinelLabs explained.
The security firm added that the introduction of various codebases by individual affiliates complicates the situation, making it more challenging to track these tools and comprehend the extent of their usage and adoption.
“Looking forward, we expect to see more outlier platforms like Kryptina being absorbed into the TTPs leveraged by more advanced threat actors.”