Cryptonite Ransomware

The Cryptonite Ransomware threat may not be entirely unique: infosec researchers have confirmed that it is a variant of the Chaos Ransomware. That doesn't make it any less threatening. Once executed on an infected computer, the threat runs a strong encryption routine that leaves most of the data stored there inaccessible and unusable. Documents, PDFs, images, photos, archives, databases and many other file types are affected, and restoring them without the correct decryption keys is practically impossible.

Unlike most ransomware threats, Cryptonite doesn't use a consistent character string to mark the files it encrypts. Instead, it generates a different 4-character string and appends it to the original file names. The desktop background of breached devices is replaced with a new one containing a brief message in French. The ransom note, dropped as a text file named 'lisezmoi.txt', is also written entirely in French.
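Because there is no fixed extension to match on, a triage check has to key on the note name and on the shape of the renamed files. The following is an added example, not code from this page or from the researchers it cites. It assumes the 4-character string is alphanumeric and is appended as a new final extension; the extension watch list, the benign-suffix list and the sample file names are constructed for illustration.

```python
import os
import re
import tempfile
from collections import Counter

NOTE_NAME = "lisezmoi.txt"  # ransom note name reported on this page
# Assumption: the marker is 4 alphanumeric characters added as a new final
# extension after the original one, e.g. report.docx.x7Qp
RENAMED = re.compile(r"^.+\.([A-Za-z0-9]{2,5})\.([A-Za-z0-9]{4})$")
# Hypothetical watch list based on the file types the page mentions
USER_EXTS = {"doc", "docx", "xlsx", "pdf", "jpg", "jpeg", "png", "zip", "rar", "sql"}
# Common benign 4-character suffixes, excluded to cut false positives
BENIGN = {"part", "lock", "orig", "temp"}

def triage(root, min_renamed=3):
    """Map each suspicious directory under root to its evidence."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        tags = Counter()
        for name in files:
            m = RENAMED.match(name)
            if m and m.group(1).lower() in USER_EXTS and m.group(2).lower() not in BENIGN:
                tags[m.group(2)] += 1
        note = any(f.lower() == NOTE_NAME for f in files)
        renamed = sum(tags.values())
        # No fixed extension to match on: the signal is the note itself, or
        # several user files carrying an extra 4-character extension.
        if note or renamed >= min_renamed:
            findings[os.path.relpath(dirpath, root)] = {
                "note": note, "renamed": renamed, "distinct_tags": len(tags)}
    return findings

def build_sample(root):
    """Create a constructed directory tree: one affected folder, one clean."""
    layout = {
        "hit": ["lisezmoi.txt", "budget.xlsx.q9Zk", "scan.pdf.a1B2",
                "cv.docx.Tm4x", "pic.jpg.0pQr"],
        "clean": ["notes.txt", "setup.zip.part", "photo.jpg", "db.sql"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:
            open(os.path.join(root, folder, n), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for folder, evidence in triage(tmp).items():
            print(folder, evidence)
```

A high `distinct_tags` count next to a high `renamed` count is what separates this pattern from a tool that adds one fixed suffix to every file.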

Translating Cryptonite's ransom-demanding message reveals that its operators are trying to extort 0.51 BTC (Bitcoin) from their victims. According to the note, the ransom equals exactly $13,457.65, but this is no longer accurate: because of the cryptocurrency's high volatility, at the current exchange rate the ransom is worth approximately $10,500.

The ransom note warns victims that they have 24 hours to send the money to the provided crypto-wallet address. If they take longer than that, they will begin losing 2 encrypted files every 24 hours. Furthermore, after 7 days, the size of the ransom will be increased to $16,000. A single email address, 'decrypt5058@proton.me', is the only provided way to establish communication with the cybercriminals.

The full text of the note in French is:

'Tous Vos fichiers ont été cryptés, Votre ordinateur à été infecté par le virus CRYPTONITE et vous ne serez pas capable de décryptés vos fichiers sans la clé de décryptage.

Pour obtenir la clé de décryptage de vos fichiers et supprimer le virus veuillez nous contacter sur notre adresse emails ci-dessous.

Contact: decrypt5058@proton.me

Vous devez payer une rançon et cette rançon ne peut être payée que en bitcoin à l'adresse indiqué ci-dessous.

Montant: 13457,65$ = 0.51 btc
Adresse: 17CqMQFeuB3NTzJ2X28tfRmWaPyPQgvoHV

Chaque 24h deux fichiers seront sélectionner et supprimer au hasard, après 7j la rançon passe de 13457,65$ à 16000$

Chaque fichier que vous éssayerez de décrypter sans la clé endommagera le fichier et vous le perdrez à jamais.'
