Kryptina RaaS | From Underground Commodity to Open Source Threat

One of the key drivers behind the explosion in ransomware attacks over the last five years or more has been the development and proliferation of the ransomware-as-a-service model, a means of providing cybercriminals with easy-to-use, low-cost tools with which to undertake and manage ransomware campaigns. Developers benefit from a steady stream of income from subscription sales while avoiding directly engaging in criminal acts. The recently observed Kryptina RaaS, a dedicated Linux attack framework, has added a new twist to this model: moving from a paid service to an openly available tool.

In this post, we explore the development, technicalities and implications of Kryptina RaaS and its move into open-source crimeware. We dive into what defenders need to know to protect against this latest Linux ransomware and the dangers that open source threats pose to organizations.

The Development of Kryptina RaaS

The Kryptina RaaS first surfaced in December 2023 on underground forums, marketed as a lightweight, fast, and highly customizable ransomware solution for Linux systems. Authored in C, it offered an attractive proposition for cybercriminals looking for efficient ways to target the Linux servers and cloud workloads that form the backbone of many organizations’ networks.

Initially, two purchase options were available: a standalone build (encryptor and decryptor) for $20, and a complete package including source code, builder, and documentation for $500. The developer quickly added new features in January, including support for both 32- and 64-bit targets, an updated web interface and support for Monero (XMR) and Bitcoin (BTC) payments. The complete package price went up to $800 with the addition of these new features. This pricing strategy was indicative of the creator’s intention to cater to a wide range of actors within the cybercriminal ecosystem.

February saw a surprising turn of events as the creator, known as ‘Corlys’, published the entire source code on BreachForums, effectively removing any financial barrier to entry.

The developer’s stated reasons for releasing the source code of Kryptina were that it had failed to attract buyers. Given the short period of time between its first appearance as a paid offering and release of the open source code, some may not find this credible. Other motivations could include an attempt to build kudos within the cybercrime community, feuds with other criminals and/or fear of attention from law enforcement.

Kryptina 2.2 source code posting in BreachForums

Whatever the motivation, the release of the RaaS source code, complete with extensive documentation, could have significant implications for the spread and impact of ransomware attacks against Linux systems. It is likely to increase the ransomware builder’s attractiveness and usability, drawing in yet more low-skilled participants to the cybercrime ecosystem. There is also significant risk that it will lead to the development of multiple spin-offs and an increase in attacks, an effect previously observed after the leak of Babuk ransomware’s source code.

Kryptina Payload | Technical Details

As noted, Kryptina is a Linux-only ransomware offering payloads for either elf64 or elf32 architectures. Upon execution, the ransomware targets the directories and files specified in the builder during the configuration stage.

The encryption process uses multiple parallel threads and depends on OpenSSL’s libcrypto library. It uses the AES-256 algorithm in CBC mode. The keys and configuration data are obfuscated by XORing them with a custom value defined at build time and then base64-encoding the result.

File encryption is handled by the krptna_process_file() function. This initializes an OpenSSL cipher context with EVP_CIPHER_CTX_new() before processing file streams via EVP_CipherUpdate(), which transforms the unencrypted file data into encrypted data in the output buffer. EVP_CipherFinal() finalizes the process and handles any required CBC padding.
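The XOR-then-base64 obfuscation described above is simple to reverse once the build-time value is known, and can be brute-forced when it is not. The following is an added example for analysts, not code from Kryptina or from the post; it assumes the embedded config is a JSON document (the post does not state the format), and the sample config and its field names are constructed.

```python
import base64
import json
from typing import Optional

DEFAULT_XOR_KEY = 155  # builder default quoted in the post


def obfuscate(config: dict, key: int = DEFAULT_XOR_KEY) -> str:
    """Builder side of the scheme: serialise, XOR each byte, base64-encode."""
    raw = json.dumps(config).encode()
    return base64.b64encode(bytes(b ^ key for b in raw)).decode()


def deobfuscate(blob: str, key: int = DEFAULT_XOR_KEY) -> bytes:
    """Analyst side: base64-decode, then XOR with the same single byte."""
    return bytes(b ^ key for b in base64.b64decode(blob))


def recover_xor_key(blob: str) -> Optional[int]:
    """Try every single-byte key; only the right one yields valid JSON.
    A 'mostly printable' heuristic is not enough here: on ASCII input
    several wrong keys still produce all-printable bytes."""
    raw = base64.b64decode(blob)
    for key in range(256):
        try:
            json.loads(bytes(b ^ key for b in raw).decode("utf-8"))
            return key
        except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
            continue
    return None


def extract_config(blob: str) -> Optional[dict]:
    """Recover the build key and the config in one step for an unknown build."""
    key = recover_xor_key(blob)
    return None if key is None else json.loads(deobfuscate(blob, key))


# Constructed sample config (field names are assumptions, mirroring builder
# options named in the post), obfuscated with a non-default build key.
SAMPLE_CONFIG = {"extension": ".krptna", "jobs": 20,
                 "targets": ["/var/www", "/home"], "deadline_hours": 72.0}
SAMPLE_BLOB = obfuscate(SAMPLE_CONFIG, key=0x42)

if __name__ == "__main__":
    print("recovered XOR key:", recover_xor_key(SAMPLE_BLOB))
    print("config:", extract_config(SAMPLE_BLOB))
```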

Payloads can be configured to securely delete files before encryption, further hampering any data recovery efforts. When enabled, multiple steps are taken to overwrite individual file data and inhibit recovery. The secure_delete_file() function determines the file size using stat(), then creates a buffer filled with random bytes. The file is opened in write mode and the buffer of random bytes is written into it, completely overwriting the original content, until the amount written matches the file’s original size. Once this is achieved, the file is permanently removed using unlink().

“Secure deletion” in Kryptina

The secure_delete_file() function uses a single-pass method, overwriting each byte of the file just once rather than the multiple overwrites with varying patterns seen in other ransomware. A single pass is generally adequate for rendering the original data unrecoverable and is faster than a multi-pass wipe.
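The stat, open-for-write, overwrite-to-original-size, unlink sequence above is a behavioural signal a defender can hunt for in process telemetry. The following detection logic is an added example and not code from the post or from SentinelOne; the trace lines are constructed in a simplified strace-like format, and real sensor data will differ in shape.

```python
import re
from typing import Dict, List, Tuple

# Constructed, strace-like trace: "<pid> <call>(<args>) = <ret>". The first
# file follows the post's sequence; the second is an ordinary read-then-delete.
SAMPLE_TRACE = [
    '1001 stat("/srv/data/a.db", {st_size=8192}) = 0',
    '1001 open("/srv/data/a.db", O_WRONLY) = 4',
    '1001 write(4, "\\x8f\\x1c...", 4096) = 4096',
    '1001 write(4, "\\x2a\\xe0...", 4096) = 4096',
    '1001 close(4) = 0',
    '1001 unlink("/srv/data/a.db") = 0',
    '1001 stat("/srv/data/b.log", {st_size=100}) = 0',
    '1001 open("/srv/data/b.log", O_RDONLY) = 5',
    '1001 read(5, "...", 100) = 100',
    '1001 close(5) = 0',
    '1001 unlink("/srv/data/b.log") = 0',
]

CALL_RE = re.compile(r'^(\d+)\s+(\w+)\((.*)\)\s*=\s*(-?\d+)$')
PATH_RE = re.compile(r'"([^"]*)"')
SIZE_RE = re.compile(r'st_size=(\d+)')


def find_overwrite_then_unlink(trace: List[str]) -> List[Tuple[str, int]]:
    """Return (path, bytes_written) for every file a pid sized with stat,
    fully overwrote through a write-mode descriptor, then unlinked."""
    sizes: Dict[Tuple[int, str], int] = {}     # (pid, path) -> st_size
    open_fds: Dict[Tuple[int, int], str] = {}  # (pid, fd) -> path, write mode
    written: Dict[Tuple[int, str], int] = {}   # (pid, path) -> bytes written
    hits: List[Tuple[str, int]] = []
    for line in trace:
        m = CALL_RE.match(line)
        if not m:
            continue
        pid, call, args, ret = int(m[1]), m[2], m[3], int(m[4])
        if call == "stat" and ret == 0:
            sizes[(pid, PATH_RE.search(args)[1])] = int(SIZE_RE.search(args)[1])
        elif call == "open" and ret >= 0 and ("O_WRONLY" in args or "O_RDWR" in args):
            open_fds[(pid, ret)] = PATH_RE.search(args)[1]
        elif call == "write" and ret > 0 and (pid, int(args.split(",")[0])) in open_fds:
            path = open_fds[(pid, int(args.split(",")[0]))]
            written[(pid, path)] = written.get((pid, path), 0) + ret
        elif call == "close":
            open_fds.pop((pid, int(args)), None)
        elif call == "unlink" and ret == 0:
            path = PATH_RE.search(args)[1]
            size = sizes.get((pid, path))
            if size and written.get((pid, path), 0) >= size:
                hits.append((path, written[(pid, path)]))
    return hits
```

Running find_overwrite_then_unlink(SAMPLE_TRACE) flags only /srv/data/a.db; a file that is read and deleted, or rewritten without being unlinked, does not match.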

Kryptina Web Interface & Builder

Kryptina’s architecture is built on a foundation of Python scripts for the payload builder and web server components, requiring dependencies like pycrypto, termcolor, flask, and others for full functionality. The tool’s source code is well-documented, reflecting an intent to provide Kryptina as a turnkey solution.

As noted, since its appearance Kryptina underwent several rapid revisions, with version 2.0 introducing significant enhancements including a web interface. The web server, powered by Flask, allows the user to easily view and manage campaigns, build encryptors and decryptors and to communicate with victims via the ‘Chat’ option. If the operator configures “Enable Public View” for the campaign, victims are able to initiate contact with the attacker following instructions provided in the ransom note.

Within the interface, the ‘Dashboard’ displays a quick view of attack campaigns

The builder supports a wide range of command-line arguments for specifying target names, descriptions, encryption keys, directories or files to target, and more. This level of customization underscores Kryptina’s versatility and the granular control it offers to operators.

The builder can also be scripted with Python and supports command-line parameters for the following options:

Name of your target
About: a short description of your target
Base64-encoded 256-bit key to use (default: random)
Directories or files to target (comma-separated)
Files/extensions to ignore (comma-separated)
Custom extension to use (default: .krptna)
Max number of jobs (threads) to use (default: 20)
Create a 32-bit binary (x86)
The XOR key to use for encoding encrypted config data (default: 155)
The local file containing the encryption notice text (default: note/template.txt)
The absolute/relative filename to write encryption notice to on target
Don’t write encryption note on the target
Bitcoin wallet address for receiving payment
Monero wallet address for receiving payment
The amount to ask for in USD (default: 100.0)
The payment deadline in hours (default: 72.0)
The Tox chat ID you wish to be contacted on
The Session chat ID you wish to be contacted on
Enable debug output
Create a demo payload that doesn’t actually encrypt/decrypt files
Build binary with debug symbols (-ggdb3)
Don’t log payload config to the output/ directory
Disable payload self-delete
Enable secure delete when encrypting files (very slow, but makes recovery much harder)
Maximum size of file (in megabytes) to target (default: unlimited)
Auto-set recommended values for undefined parameters
Build the payloads as static binaries
Print compiler commands and output

SentinelOne Protects Against Kryptina Ransomware

SentinelOne Singularity detects Kryptina payloads and protects Linux systems against Kryptina ransomware. When allowed to execute in ‘Detect Only’ mode for observation purposes, Kryptina’s malicious behavior along with indicators can be viewed in the Management console.

SentinelOne protects against Kryptina ransomware

Conclusion | Navigating the Kryptina Threat to Linux Systems

The journey of Kryptina RaaS from a paid underground tool to a freely available open-source project illustrates the complexity of threats facing network defenders. As other actors iterate on the provided code, which provides everything from customizable ransomware payloads to campaign management and victim communication, it is likely that a host of Kryptina variants will proliferate in much the same way as we saw Babuk variants multiply and diversify.

As the move to cloud workloads and containers continues apace, the attractiveness of Linux as a target for cybercriminals grows with it. Powering everything from edge devices to servers, orchestration technologies like Kubernetes, and cloud infrastructure like AWS, Azure and Google Cloud, Linux systems are at the heart of modern enterprise environments, and securing them is essential.

To learn how SentinelOne can help protect the Linux systems in your organization from ransomware and other threats, contact us or request a free demo.

Indicators of Compromise

Source files


Payload Samples

MITRE ATT&CK Techniques

T1014  Defense Evasion
T1059.006  Command and Scripting Interpreter: Python
T1068  Privilege Escalation
T1070.003  Indicator Removal: Clear Command History
T1070.004  Indicator Removal: File Deletion
T1070.002  Indicator Removal: Clear Linux or Mac System Logs
T1140  Deobfuscate/Decode Files or Information
T1222.002  File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
T1485  Data Destruction
T1486  Data Encrypted for Impact
T1562.001  Impair Defenses: Disable or Modify Tools
T1562.012  Impair Defenses: Disable or Modify Linux Audit System
T1573.002  Encrypted Channel: Asymmetric Cryptography
