The author of a new piece of ransomware is selling their creation on underground forums as source code, Forcepoint security researchers have discovered.
Dubbed CradleCore, the threat breaks from the ransomware-as-a-service (RaaS) business model that many miscreants have adopted lately, and allows “customers” to take advantage of customizable source code.
The ransomware is provided as a C++ source code, paired with the necessary PHP web server scripts and a payment panel. According to Forcepoint, the malware emerged on several Tor-based sites some two weeks ago, priced at 0.35 Bitcoin (around $400) but negotiable.
Because the ransomware’s source code is sold directly, the security company expects an increase in the number of variants stemming from CradleCore.
Upon analysis, the security researchers discovered that the malware comes with “a relatively complete feature set,” as it uses Blowfish for file encryption, features anti-sandbox defenses, supports offline encryption, and uses a Tor2Web gateway (onion.link) to communicate with its command and control (C&C) server.
After infecting a system, the ransomware proceeds to encrypt user’s files and to append the .cradle extension to them. When the encryption has been completed, the malware drops a ransom note.
According to Forcepoint, some of the words used in the readme file suggest that CradleCore’s author is not a professional malware developer, but a software developer who decided to take a shot at the ransomware scene.
After tracking the advertisement site for CradleCore to a clearnet site and a Linode-assigned IP address, the security researchers concluded that the author might indeed be a freelance software developer. Information on the developer’s personal website led to the author’s Twitter and LinkedIn accounts, which revealed that it is a C++ programmer.
However, all that Forcepoint can do at the moment is to “link the clearnet site with a freelance C++ developer and with an Onion site offering the CradleCore C++ source code for sale.” Thus, while they can provide a link between the owner of the clearnet site and the malware, they can’t attribute the ransomware to said developer, at least not “without knowledge of whether or not the Linode host itself has been compromised.”
“CradleCore is yet another new ransomware product that is available to cybercriminals. It is being sold as source code which potentially suggests that CradleCore may be a first- or side-project of someone with limited experience of malware business models looking for extra income. It also means that anyone who purchases it will not only be able to update the ransomware but also share the source code to others,” Forcepoint says.

More from Ionut Arghire
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
Latest News
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
