A developer is selling new ransomware on underground forums as source code rather than as a hosted service, researchers said.
CradleCore, as Forcepoint researchers call it, departs from the ransomware-as-a-service (RaaS) business model: instead of renting access to a service the operator controls, buyers receive source code they can customize themselves.
The ransomware is sold as C++ source code, paired with the PHP web server scripts and payment panel needed to run it.
The malware appeared on several Tor-based sites two weeks ago, priced at 0.35 Bitcoin (around $400) but negotiable, Forcepoint’s Roland Dela Paz said in a blog post.
Because the source code itself is being sold directly, Dela Paz expects a rise in the number of variants derived from CradleCore.
Upon analysis, researchers found the malware has “a relatively complete feature set”: it uses Blowfish for file encryption, includes anti-sandbox checks, supports offline encryption, and reaches its command and control (C&C) server through a Tor2Web gateway (onion.link) rather than a bundled Tor client, which means the C&C traffic leaves the host as an ordinary clearnet request to that gateway.
Once it runs on a system, the ransomware encrypts the user’s files and appends the .cradle extension to each one. When encryption is complete, it drops a ransom note.
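The two behaviours described above, files being renamed with a trailing .cradle extension and outbound connections to the onion.link Tor2Web gateway, are both observable from ordinary endpoint and proxy telemetry. The following is an added example, not code from Forcepoint’s write-up or from CradleCore itself: a small detection pass over constructed sample log lines that flags a host when either indicator appears. The log format, hostnames, paths and the rename threshold are assumptions made for illustration.

```python
"""
Added example (not code from Forcepoint or from CradleCore): a toy detector that
scans constructed endpoint and proxy log lines for the two host-observable
behaviours described in the article.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real telemetry). The line formats are assumed:
#   <ts> <host> FILE_RENAME <old_path> -> <new_path>
#   <ts> <host> HTTP_CONNECT <dest_host>:<port>
SAMPLE_LOG = """\
2017-04-12T10:00:01Z ws-017 FILE_RENAME C:\\Users\\alice\\Documents\\report.docx -> C:\\Users\\alice\\Documents\\report.docx.cradle
2017-04-12T10:00:01Z ws-017 FILE_RENAME C:\\Users\\alice\\Documents\\budget.xlsx -> C:\\Users\\alice\\Documents\\budget.xlsx.cradle
2017-04-12T10:00:02Z ws-017 FILE_RENAME C:\\Users\\alice\\Pictures\\holiday.jpg -> C:\\Users\\alice\\Pictures\\holiday.jpg.cradle
2017-04-12T10:00:03Z ws-017 HTTP_CONNECT onion.link:443
2017-04-12T10:01:10Z ws-042 FILE_RENAME C:\\Users\\bob\\Desktop\\draft.txt -> C:\\Users\\bob\\Desktop\\final.txt
2017-04-12T10:01:12Z ws-042 HTTP_CONNECT www.example.com:443
"""

RENAME_RE = re.compile(r"^(\S+) (\S+) FILE_RENAME (.+?) -> (.+)$")
CONNECT_RE = re.compile(r"^(\S+) (\S+) HTTP_CONNECT ([^:\s]+):(\d+)$")

RANSOM_EXT = ".cradle"                 # extension the article says CradleCore appends
TOR2WEB_GATEWAYS = {"onion.link"}      # gateway named in the article
RENAME_THRESHOLD = 3                   # assumed: fewer renames are treated as noise


def parse_events(log_text):
    """Turn raw log lines into event dicts; lines in neither format are ignored."""
    events = []
    for line in log_text.splitlines():
        m = RENAME_RE.match(line)
        if m:
            ts, host, old, new = m.groups()
            events.append({"ts": ts, "host": host, "kind": "rename", "old": old, "new": new})
            continue
        m = CONNECT_RE.match(line)
        if m:
            ts, host, dest, port = m.groups()
            events.append({"ts": ts, "host": host, "kind": "connect",
                           "dest": dest.lower(), "port": int(port)})
    return events


def is_cradle_rename(ev):
    """True when the new name is exactly the old name with '.cradle' appended."""
    return ev["kind"] == "rename" and ev["new"].lower() == ev["old"].lower() + RANSOM_EXT


def is_tor2web_connect(ev):
    """True when the destination is a known Tor2Web gateway or one of its subdomains."""
    if ev["kind"] != "connect":
        return False
    dest = ev["dest"]
    return any(dest == g or dest.endswith("." + g) for g in TOR2WEB_GATEWAYS)


def analyze(log_text):
    """Return {host: [reason, ...]} for every host that trips at least one indicator."""
    counts = defaultdict(lambda: {"cradle_renames": 0, "tor2web_connects": 0})
    for ev in parse_events(log_text):
        if is_cradle_rename(ev):
            counts[ev["host"]]["cradle_renames"] += 1
        elif is_tor2web_connect(ev):
            counts[ev["host"]]["tor2web_connects"] += 1

    alerts = {}
    for host, c in counts.items():
        reasons = []
        if c["cradle_renames"] >= RENAME_THRESHOLD:
            reasons.append(f"{c['cradle_renames']} files renamed with {RANSOM_EXT}")
        if c["tor2web_connects"] > 0:
            reasons.append(f"{c['tor2web_connects']} connection(s) to a Tor2Web gateway")
        if reasons:
            alerts[host] = reasons
    return alerts


if __name__ == "__main__":
    for host, reasons in analyze(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

Running it flags ws-017 on both indicators and leaves ws-042 alone. The rename check deliberately requires the new name to be the old name plus .cradle, rather than any file ending in .cradle, so a single stray file does not trip it; the threshold is a tuning knob, not a property of the malware. Because the article notes that CradleCore supports offline encryption, the gateway indicator may never fire on an infected host, so the file-rename indicator has to stand on its own.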
Some of the wording in the readme file suggests that CradleCore’s author is not a professional malware developer but a software developer who decided to try the ransomware scene, Dela Paz said.
After tracing the advertisement site for CradleCore to a clearnet site on a Linode-assigned IP address, researchers said the author might indeed be a freelance software developer. Information on the developer’s personal website led to Twitter and LinkedIn accounts, which show the person is a C++ programmer.
However, all that Forcepoint can do at the moment is to “link the clearnet site with a freelance C++ developer and with an Onion site offering the CradleCore C++ source code for sale.” So while the researchers can connect the owner of the clearnet site to the malware listing, they cannot attribute the ransomware to the developer, at least not “without knowledge of whether or not the Linode host itself has been compromised.”