Kryptina RaaS | From Underground Commodity to Open Source Threat

One of the key drivers behind the explosion in ransomware attacks over the last five years and more has been the development and proliferation of the ransomware-as-a-service model, a means of providing cybercriminals with easy to use, low cost tools with which to undertake and manage ransomware campaigns. Developers benefit from a steady stream of income from subscription sales while avoiding directly engaging in criminal acts. The recently observed Kryptina Raas, a dedicated Linux attack framework, has added a new twist to this model: moving from a paid service to an openly available tool.

In this post, we explore the development, technicalities and implications of Kryptina RaaS and its move into open-source crimeware. We dive into what defenders need to know to protect against this latest Linux ransomware and the dangers that open source threats pose to organizations.

The Development of Kryptina RaaS

The Kryptina RaaS first surfaced in December 2023 on underground forums, marketed as a lightweight, fast, and highly customizable ransomware solution for Linux systems. Authored in C, it offered an attractive proposition for cybercriminals looking for efficient ways to target the Linux servers and cloud workloads that form the backbone of many organization’s networks.

Initially, two purchase options were available: a standalone build (encryptor and decryptor) for $20, and a complete package including source code, builder, and documentation for $500. The developer quickly added new features in January including support for both 32 and 64-bit targets, an updated web interface and support for Monero (XMR) and Bitcoin (BTC) payments. The complete package price went up to $800 with the addition of these new features. This pricing strategy was indicative of the creator’s intention to cater to a wide range of actors within the cybercriminal ecosystem.

February saw a surprising turn of events as the creator, known as ‘Corlys’, published the entire source code on BreachForums, effectively removing any financial barrier to entry.

The developer’s stated reasons for releasing the source code of Kryptina were that it had failed to attract buyers. Given the short period of time between its first appearance as a paid offering and release of the open source code, some may not find this credible. Other motivations could include an attempt to build kudos within the cybercrime community, feuds with other criminals and/or fear of attention from law enforcement.

Kryptina 2.2 source code posting in BreachForums
Kryptina 2.2 source code posting in BreachForums

Whatever the motivation, the release of the RaaS source code, complete with extensive documentation, could have significant implications for the spread and impact of ransomware attacks against Linux systems. It is likely to increase the ransomware builder’s attractiveness and usability, drawing in yet more low-skilled participants to the cybercrime ecosystem. There is also significant risk that it will lead to the development of multiple spin-offs and an increase in attacks, an effect previously observed after the leak of Babuk ransomware’s source code.

Kryptina Payload | Technical Details

As noted, Kryptina is a Linux-only ransomware offering payloads for either elf64 or elf32 architectures. Upon execution, the ransomware targets the directories and files specified in the builder during the configuration stage.

The encryption process uses multiple parallel threads and depends on OpenSSL’s libcrypto library. It uses the AES256 algorithm in CVC mode. The keys and configuration data are obfuscated via XOR using a custom value defined at build time, and then base64 encoded.

File encryption is handled by the krptna_process_file() function. This initializes an OpenSSL cipher context EVP_CIPHER_CTX_new() before processing file streams via EVP_CipherUpdate() to transform unencrypted file data to the encrypted data in the output buffer. EVP_CipherFinal finalizes the processes and handles any required CBC padding.

Payloads can be configured to securely delete files before encryption, further hampering any data recovery efforts. When enabled, multiple steps are taken to overwrite individual file data and inhibit recovery. The secure_delete_file() function determines the file size using the stat function. It then creates a buffer filled with random bytes. The file to be encrypted is then opened in write mode, and the buffer of random bytes is written into the file, completely overwriting its original content, until it matches the file’s original size. Once this is achieved, the file is permanently removed using the unlink function.

“Secure deletion” in Kryptina
“Secure deletion” in Kryptina

The secure_delete_file() function utilizes a single-pass method, overwriting each byte of the file just once, avoiding using multiple overwrites with varying patterns seen in other ransomware. A single pass is generally adequate for rendering the original data unrecoverable and increases the speed of encryption.

Kryptina Web Interface & Builder

Kryptina’s architecture is built on a foundation of Python scripts for the payload builder and web server components, requiring dependencies like pycrypto, termcolor, flask, and others for full functionality. The tool’s source code is well-documented, reflecting an intent to provide Kryptina as a turnkey solution.

As noted, since its appearance Kryptina underwent several rapid revisions, with version 2.0 introducing significant enhancements including a web interface. The web server, powered by Flask, allows the user to easily view and manage campaigns, build encryptors and decryptors and to communicate with victims via the ‘Chat’ option. If the operator configures “Enable Public View” for the campaign, victims are able to initiate contact with the attacker following instructions provided in the ransom note.

Within the interface, the ‘Dashboard’ displays a quick view of attack campaigns
Within the interface, the ‘Dashboard’ displays a quick view of attack campaigns

The builder supports a wide range of command-line arguments for specifying target names, descriptions, encryption keys, directories or files to target, and more. This level of customization underscores Kryptina’s versatility and the granular control it offers to operators.

The builder can also be scripted with Python and supports the following command-line parameters.

Arg Description
-n Name of your target
-a About, A short description about your target
-k Base64-encoded 256-bit key to use (default: random)
-t Directories or files to target (comma-separated)
-i Files/extensions to ignore (comma-separated)
-e Custom extension to use (default: .krptna)
-j Max number of jobs (threads) to use (default: 20)
–arch32 Create a 32-bit binary (x86)
–xor_key The XOR key to use for encoding encrypted config data (default: 155)
–note The local file containing the encryption notice text (default: note/template.txt)
–note_name The absolute/relative filename to write encryption notice to on target
–nonote Don’t write encryption note on the target
–bitcoin Bitcoin wallet address for receiving payment
–monero Monero wallet address for receiving payment
–amount The amount to ask for in USD (default: 100.0)
–deadline The payment deadline in hours (default: 72.0)
–tox The Tox chat ID you wish to be contacted on
–session The Session chat ID you wish to be contacted on
–debug Enable debug output
–demo Create a demo payload that doesn’t actually encrypt/decrypt files
–symbols Build binary with debug symbols (-ggdb3)
–nolog Don’t log payload config to the output/ directory
–persist Disable payload self-delete
–secdel Enable secure delete when encrypting files (very slow, but makes recovery much harder)
–maxsize Maximum size of file (in megabytes) to target (default: unlimited)
–recommend Auto-set recommended values for undefined parameters
–static Build the payloads as static binaries
–verbose Print compiler commands and output

SentinelOne Protects Against Kryptina Ransomware

SentinelOne Singularity detects Kryptina payloads and protects Linux systems against Kryptina ransomware. When allowed to execute in ‘Detect Only’ mode for observation purposes, Kryptina’s malicious behavior along with indicators can be viewed in the Management console.

SentinelOne protects against Kryptina ransomware
SentinelOne protects against Kryptina ransomware

Conclusion | Navigating the Kryptina Threat to Linux Systems

The journey of Kryptina RaaS from a paid underground tool to a freely available open-source project illustrates the complexity of threats facing network defenders. As other actors iterate on the provided code, which provides everything from customizable ransomware payloads to campaign management and victim communication, it is likely that a host of Kryptina variants will proliferate in much the same way as we saw Babuk variants multiply and diversify.

As the move to cloud and cloud workloads and containers continues apace, the attractiveness of Linux as a target for cybercriminals grows with it. Powering everything from edge devices to servers, orchestration technologies like Kubernetes, and cloud infrastructure like AWS, Azure and Google Cloud, Linux systems are at the heart of modern enterprise environments, and securing them is essential.

To learn how SentinelOne can help protect the Linux systems in your organization from ransomware and other threats, contact us or request a free demo.

Indicators of Compromise

Source files

03bbfdbad1d1fd93d6c76de9a61e9cfc49e7e319
095538ff7643b0c142335c978bfe83d32a68cdac
1f08d9d0fe90d572a1bb0488ffe60e9f20c11002
226aea1e37bc2d809115ceb6ac5ea99e62d759c9
2aa6a1019c16f4142888278098f0c3263e95e446
33306b854770f95d0a164932d72bec1f78de54bf
51acdb8f29726fe7d5b6207f106e7138b564fd39
5413adf32129d50c4984e406d5a3804435d1cfc1
60b5beffaf738f5112233ed9b36975822c1f7bfc
6f3c3129fc2ac56b61fa4df21e723f3dd2aceb70
8ec866aa48a9bb8d6df7fbbe1a073390f4b0098c
d0231ce29ea7a63bea7451c42d69e93c83babb48
d41b8a7bc9bc444372e06e67585a8086d6ae8cfc
d46fbc4a57dce813574ee312001eaad0aa4e52de
ddcf4a6bc32afe94e3ea955eead9db179d5394c2
e3e8ed6ac01e6edb8d8848b1472882afb0b36f0b
f84ffe172f9d6db18320ad69fc9eade46c41e9da

Payload Samples

355d70ffe98e6f22b6c3ad8d045e025a5ff78260
63580c4b49d350cf1701fb906c94318a683ae668
63ff8359da29c3ba8352ceb4939f2a3e64987ab6
dd495839a4f4db0331c72a4483071a1cef8da17e

MITRE ATT&CK

T1014  Defense Evasion
T1059.006  Command and Scripting Interpreter: Python
T1068  Privilege Escalation
T1070.003  Indicator Removal: Clear Command History
T1070.004  Indicator Removal: File Deletion
T1070.002  Indicator Removal: Clear Linux or Mac System Logs
T1140  Deobfuscate/Decode Files or Information
T1222.002  File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
T1485  Data Destruction
T1486  Data Encrypted for Impact
T1562.001  Impair Defenses: Disable or Modify Tools
T1562.012  Impair Defenses: Disable or Modify Linux Audit System
T1573.002  Encrypted Channel: Asymmetric Cryptography

Singularity Cloud
Simplifying runtime detection and response of cloud VMs, containers, and Kubernetes clusters for maximum visibility, security, and agility.