Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Who is offering the CradleCore Ransomware as source code?

CradleCore ransomware is a malware offered in the underground as a source code, instead of the classic ransomware-as-a-service (RaaS) model. According to the experts at Forcepoint, the author is offering the malware in many Tor-based crime forums as source code allowing crooks to request a customized version of the code. The CradleCore ransomware is offered by the author as a […]

CradleCore Ransomware

CradleCore ransomware is a malware offered in the underground as a source code, instead of the classic ransomware-as-a-service (RaaS) model.

According to the experts at Forcepoint, the author is offering the malware in many Tor-based crime forums as source code allowing crooks to request a customized version of the code.

The CradleCore ransomware is offered by the author as a C++ source code along with the necessary PHP web server scripts and a payment panel, the malware goes for 0.35 Bitcoin (around $400) but the price is negotiable.

“Typically, ransomware is monetized by developers using the RaaS business model. If that doesn’t work, only then the will the developers consider selling the source code.” reads the analysis published by Forcepoint.

CradleCore is offered as a C++ source code with PHP server scripts and a payment panel. It started to be sold on a few Tor-based sites over two weeks ago for a negotiable price starting at 0.35 BTC (approximately 428 USD)”

According to the experts, this model of sale will lead to the development of new variants derived from CradleCore.

The ransomware is offered with a relatively complete feature set, it uses Blowfish for file encryption and allows offline encryption too.

The malicious code implements an anti-sandbox mechanism and communicates to command and control server via a Tor2Web gateway.

Once infected a system, the CradleCore ransomware encrypts files and to drops a ransom note on the system. When the malware encrypts the files it appends the .cradle extension to them.

CradleCore Ransomware

Experts from Forcepoint that analyzed the readme file, believe that the author of the malware is a developer without a significant experience in malware coding.

The researchers discovered more about the author by conducting further analysis on the advertisement site for CradleCore ransomware.

“While the advertisement site for CradleCore is hosted on the dark web, the site’s Apache server status page appears to be accessible to the public. The logs appeared to show that the Apache server hosting the Onion site has a second Virtual Host (VHost) hosting a clearnet website. VHosts, to those unfamiliar, allow multiple websites to be hosted on a single machine and IP address:” reads the analysis.

“The Linode-assigned IP address hosting the clearnet site appears to be exclusive-use. Essentially, this could mean either that the server is compromised and is abused to host the CradleCore website or that the clearnet website and CradleCore belong to the same owner.

Digging around the contents of that clearnet website led us to the website owner’s personal site who appears to be working as a freelance software developer. From the information available on his personal website we managed to find his Twitter and LinkedIn account where it is indicated that he is a C++ programmer.”

Of course, this means that the owner of the clearnet site that is used to sell the ransomware is linked to a freelance C++ developer, but there is no proof that he is also the coder.

Concluding Forcepoint researchers believe the ransomware may be the first project of a novice malware developer.

“CradleCore is yet another new ransomware product that is available to cybercriminals. It is being sold as source code which potentially suggests that CradleCore may be a first- or side-project of someone with limited experience of malware business models looking for extra income. It also means that anyone who purchases it will not only be able to update the ransomware but also share the source code to others,” Forcepoint says.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CradleCore ransomware, cybercrime)