Pulse Detail — Threat Intelligence

PULSE NAME

Kryptina RaaS - From Unsellable Cast-Off to Enterprise Ransomware

WHITE Mallox AlienVault 2024-09-24 Modified: 2024-10-24

IOCs

HIGH VOLUME

This analysis examines the evolution of Kryptina, a ransomware-as-a-service platform, from a free tool on public forums to being actively used in enterprise attacks under the Mallox ransomware family. In May 2024, a Mallox affiliate leaked staging server data, revealing their Linux ransomware was based on a modified version of Kryptina. The affiliate made superficial changes to source code and documentation, removing Kryptina branding but retaining core functionality. This adoption exemplifies the commoditization of ransomware tools, complicating malware tracking as affiliates blend different codebases into new variants. The report details the similarities and differences between the original Kryptina RaaS and the modified Mallox version, including encryption methods, ransom note templates, and configuration files.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1204.002 T1190 T1505.003 T1588.001 T1059.001 T1588.002 T1059.004 T1078 T1027 T1486

MALWARE FAMILIES

Kryptina Mallox

Indicators of Compromise (75)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 CVE domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	71efe7a21da183c407682261612afc0f	—	2024-09-24
FileHash-SHA1	0f1aea2cf0c9f2de55d2b920618a5948c5e5e119	—	2024-09-24
FileHash-SHA256	45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d	—	2024-09-24
CVE	CVE-2024-21338	—	2024-09-24
FileHash-MD5	1448ce8abc2f0184ec898d55f9c338b4	—	2024-09-24
FileHash-MD5	193d2c42fea21defedbce498b5039272	—	2024-09-24
FileHash-MD5	231478ff24055d5cdb5fbec36060c8ff	—	2024-09-24
FileHash-MD5	4825f3a92780be4a285583b0f24fed99	—	2024-09-24
FileHash-MD5	51d51696c7f3a0e3fba4b8ceab210bac	—	2024-09-24
FileHash-MD5	5b0c1958a875c205951b88fd1c885900	—	2024-09-24
FileHash-MD5	68785d476573955d50a3908dc18bf73b	—	2024-09-24
FileHash-MD5	6bb2752ea73b4d6a5c33f543b5c29461	—	2024-09-24
FileHash-MD5	779aa15cd6a8d416e7f722331d87f47b	—	2024-09-24
FileHash-MD5	7f099845d8e6849d6ab4d64b546477d6	—	2024-09-24
FileHash-MD5	846bb4f2cdbf9ed624ba2647c6b04101	—	2024-09-24
FileHash-MD5	8d0fd41d35df82d3e7e2ff5c1747b87c	—	2024-09-24
FileHash-MD5	af1d24091758f1e02d51dc5f5297c932	—	2024-09-24
FileHash-MD5	b0770b7f24a436d256f2d58fc8581a18	—	2024-09-24
FileHash-MD5	b5b20e03ae941e9f21c444bd50225c41	—	2024-09-24
FileHash-MD5	be08c3e95df5992903a69e04cbab22e3	—	2024-09-24
FileHash-MD5	e9e087c52b97c7a3e343642379829e0a	—	2024-09-24
FileHash-SHA1	0b9d2895d29f7d553e5613266c2319e10afdda78	—	2024-09-24
FileHash-SHA1	0bbd9a8ddbb68e2658ea4c0a4106c7406a392098	—	2024-09-24
FileHash-SHA1	0de92527430dc0794694787678294509964422e6	—	2024-09-24
FileHash-SHA1	0e83d023b9f6c34ab029206f1f11b3457171a30a	—	2024-09-24
FileHash-SHA1	0f632f8e59b8c8b99241d0fd5ff802f31a3650cd	—	2024-09-24
FileHash-SHA1	1379a1b08f938f9a53082150d53efadb2ad37ae5	—	2024-09-24
FileHash-SHA1	16ec82ac2caf0c2e4812a636dbff4bd8ef84d5c3	—	2024-09-24
FileHash-SHA1	21bacf8daa45717e87a39842ec33ad61d9d79cfe	—	2024-09-24
FileHash-SHA1	262497702d6b7f7d4af73a90cb7d0e930f9ec355	—	2024-09-24
FileHash-SHA1	29936b1aa952a89905bf0f7b7053515fd72d8c5c	—	2024-09-24
FileHash-SHA1	2b3fc20c4521848f33edcf55ed3d508811c42861	—	2024-09-24
FileHash-SHA1	341552a8650d2bdad5f3ec12e333e3153172ee66	—	2024-09-24
FileHash-SHA1	43377911601247920dc15e9b22eda4c57cb9e743	—	2024-09-24
FileHash-SHA1	55dc4541b72a804a7edf324d6a388569a68a2986	—	2024-09-24
FileHash-SHA1	58552820ba2271e5c3a76b30bd3a07144232b9b3	—	2024-09-24
FileHash-SHA1	5cf67c0a1fa06101232437bee5111fefcd8e2df4	—	2024-09-24
FileHash-SHA1	66cab82b64fbb03fecf7ca7f9ed295404a9bfe2b	—	2024-09-24
FileHash-SHA1	78c27c7ac1da97dc822b4af7be5f15d68f9c5e4f	—	2024-09-24
FileHash-SHA1	88a039be03abc7305db724079e1a85810088f900	—	2024-09-24
FileHash-SHA1	9050419cbecc88be7a06ea823e270db16f47c1ea	—	2024-09-24
FileHash-SHA1	93ef3578f9c3db304a979b0d9d36234396ec6ac9	—	2024-09-24
FileHash-SHA1	a1a8922702ffa8c74aba9782cca90c939dfb15bf	—	2024-09-24
FileHash-SHA1	b07c725edb65a879d392cd961b4cb6a876e40e2d	—	2024-09-24
FileHash-SHA1	b27d291596cc890d283e0d3a3e08907c47e3d1cc	—	2024-09-24
FileHash-SHA1	b768ba3e6e03a77004539ae999bb2ae7b1f12c62	—	2024-09-24
FileHash-SHA1	c20e8d536804cf97584eec93d9a89c09541155bc	—	2024-09-24
FileHash-SHA1	c4d988135e960e88e7acfae79a45c20e100984b6	—	2024-09-24
FileHash-SHA1	d46fbc4a57dce813574ee312001eaad0aa4e52de	—	2024-09-24
FileHash-SHA1	d618a9655985c33e69a4713ebe39d473a4d58cde	—	2024-09-24
FileHash-SHA1	d94f890a8c92cbce50d89da2792bcfc24894c004	—	2024-09-24
FileHash-SHA1	dc3f98dded6c1f1e363db6752c512e01ac9433f3	—	2024-09-24
FileHash-SHA1	ee3cd3a749f5146cf6d4b36ee87913c51b9bfe93	—	2024-09-24
FileHash-SHA1	ef2565c789316612d8103056cec25f77674d78d1	—	2024-09-24
FileHash-SHA1	f17d9b3cd2ba1dea125d2e1a4aeafc6d4d8f12dc	—	2024-09-24
FileHash-SHA1	fbb89744bc9f65719bd5415dcf1ec9a74b24254e	—	2024-09-24
FileHash-SHA256	175e20a7c8d54bfa6271de9d550c25c21e1c91aaf39aaa80779389fc8600d53f	—	2024-09-24
FileHash-SHA256	23ba8078df63ebb313f2f2a2f24dab840e068ddd5cc54bb661db7d010954d2fc	—	2024-09-24
FileHash-SHA256	2fdaee89b426fa3ee00f3e8d10ebf23f1de1562746e5ba2ee606443572190610	—	2024-09-24
FileHash-SHA256	3b1b1beacd0925dcb27675c45f50574921181c097ab8004d18bc116e5a99bde0	—	2024-09-24
FileHash-SHA256	694eeec46cfe1b7acd54cf95b307416be984a5238b3059cc3af446e74e28d889	—	2024-09-24
FileHash-SHA256	9195ad1b5c2d4b20b12958224c6913b6a7929c3c4d2648a552aa7dc92da9143b	—	2024-09-24
FileHash-SHA256	9f4c40c0d52291334d90455a64106f920ede3bda5c3f7d00b0933032b0f208d8	—	2024-09-24
FileHash-SHA256	b7776fc59166d0fdafa0ff7ab867049512226b0d7302a3acd9532ab05e58d44b	—	2024-09-24
FileHash-SHA256	c23c25621872ef6a5f6a04dc1caf283a5efb3e046f6f721e96f661d28e3e6280	—	2024-09-24
FileHash-SHA256	c714df0154f2b6fc8a82aa35281836c664bd3fbf4be3efc7e8b5b94ac87fc0a6	—	2024-09-24
FileHash-SHA256	cd0f87f7df534b0e29b2ffa5d02cdef0d7db29a67a316e143554eb1945d75e6c	—	2024-09-24
FileHash-SHA256	e52a8d0337bae656b01cb76c03975ac3d75ac4984c028ba2a6531396dea6dddd	—	2024-09-24
FileHash-SHA256	e6d4e65c45700dcedd2b5ed73734328500b5f5a016d79440d3611092475b9e6e	—	2024-09-24
FileHash-SHA256	e9b9f425fa818899070f69d09d3a35d7ccc88de6ac98b2c8b02116f1b314bc78	—	2024-09-24
FileHash-SHA256	ec1b3e6440b0fe1523295479fb18660aaac2f9f13a72145feebe07d60c2d9197	—	2024-09-24
FileHash-SHA256	f4b64976d7dcb04466f0a89d81cd2eb158158c752c042ec248549415799965bf	—	2024-09-24
FileHash-SHA256	ff5e8c23e622bdaf6fd608691e6c3da298b0bfe867b0d8d84d37d991b75a237c	—	2024-09-24
domain	docs.md	—	2024-09-24
hostname	grovik71.theweb.place	—	2024-09-24

References (1)

↗ https://www.sentinelone.com/labs/kryptina-raas-from-unsellable-cast-off-to-enterprise-ransomware/