Cybercrime

CradleCore Ransomware Sold as Source Code

The author of a new piece of ransomware is selling their creation on underground forums as source code, Forcepoint security researchers have discovered.

Dubbed CradleCore, the threat breaks from the ransomware-as-a-service (RaaS) business model that many miscreants have adopted lately, and allows “customers” to take advantage of customizable source code.

The ransomware is provided as C++ source code, paired with the necessary PHP web server scripts and a payment panel. According to Forcepoint, the malware emerged on several Tor-based sites some two weeks ago, priced at 0.35 Bitcoin (around $400) but negotiable.

Because the ransomware’s source code is sold directly, the security company expects an increase in the number of variants stemming from CradleCore.

Upon analysis, the security researchers discovered that the malware comes with “a relatively complete feature set,” as it uses Blowfish for file encryption, features anti-sandbox defenses, supports offline encryption, and uses a Tor2Web gateway (onion.link) to communicate with its command and control (C&C) server.

After infecting a system, the ransomware proceeds to encrypt the user’s files and to append the .cradle extension to them. When the encryption has been completed, the malware drops a ransom note.

According to Forcepoint, some of the words used in the readme file suggest that CradleCore’s author is not a professional malware developer, but a software developer who decided to take a shot at the ransomware scene.

After tracking the advertisement site for CradleCore to a clearnet site and a Linode-assigned IP address, the security researchers concluded that the author might indeed be a freelance software developer. Information on the developer’s personal website led to the author’s Twitter and LinkedIn accounts, which revealed that the developer is a C++ programmer.

However, all that Forcepoint can do at the moment is to “link the clearnet site with a freelance C++ developer and with an Onion site offering the CradleCore C++ source code for sale.” Thus, while they can provide a link between the owner of the clearnet site and the malware, they can’t attribute the ransomware to said developer, at least not “without knowledge of whether or not the Linode host itself has been compromised.”

“CradleCore is yet another new ransomware product that is available to cybercriminals. It is being sold as source code which potentially suggests that CradleCore may be a first- or side-project of someone with limited experience of malware business models looking for extra income. It also means that anyone who purchases it will not only be able to update the ransomware but also share the source code to others,” Forcepoint says.

Related: New Unlock26 Ransomware and RaaS Portal Discovered

Related: Sage 2.0 Ransomware Demands $2,000 Ransom

Written By

Ionut Arghire is an international correspondent for SecurityWeek.