Forcepoint security experts have discovered that the creator of the CradleCore ransomware is selling their product on underground forums as a source code.
CradleCore is available via the popular lately Ransomware-as-a-Service (RaaS) model which allows cybercriminal wannabes to use customizable source code in exchange for payment. Forcepoint says that CradleCore has been spotted on a couple of Tor-based websites two weeks ago, prices at 0.35 Bitcoins ($400).
The ransomware is offered as a C++ source code together with the needed payment panel and PHP web server scripts. As the ransomware is being sold directly to “customers”, the security company expects a variety of different variants derived from CradleCore as a result.
Moreover, after a thorough analysis, the security experts also concluded that the malware offers “a relatively complete feature set”. It uses Blowfish for the file-encrypting process as well as supports offline encryption. Aside from that, it features anti-sandbox defenses and relies on a Tor2Web gateway (onion.link) to communicate with its Command and Control server.
Once CradleCore is on the infected machine, it locates the victim`s files and appends the “.cradle” extension. After that, unsurprisingly, the ransomware drops its ransom note. Based on the text in the ransom note, the Forcepoint team has a reason to believe that the CradleCore`s creator is not a professional malware developer. In fact, it is possible that he is just a software developer who decided to give the ransomware “business” a try.
The researchers managed to track the CradleCore advertisement site to a clearnet site and a Linode-assigned IP address which only supported the idea of the creator being a freelance software developer. Moreover, the experts also found the author`s Twitter and LinkedIn accounts and that finally proved that he is a C++ programmer.
However, the company says that all they can do for now is “link the clearnet site with a freelance C++ developer and with an Onion site offering the CradleCore C++ source code for sale.” And even though they were able to find a connection between the owner of the cleartnet and the ransomware, at this point, they cannot attribute CradleCore to said owner “without knowledge of whether or not the Linode host itself has been compromised.”
“CradleCore is yet another new ransomware product that is available to cybercriminals. It is being sold as source code which potentially suggests that CradleCore may be a first- or side-project of someone with limited experience of malware business models looking for extra income. It also means that anyone who purchases it will not only be able to update the ransomware but also share the source code to others.” – says Forcepoint.