New Ransomware Strain Sets Sights on Cryptocurrency Users
New programming languages often have fewer security measures and less mature detection mechanisms than well-established ones. Threat Actors (TAs) often attempt to bypass traditional security defenses and avoid detection by using a less-known programming language.
NIM, a programming language designed for efficient execution and high performance, has recently caught the attention of malware developers because of its novelty. One of the key reasons for this interest is NIM’s cross-platform support, which allows the same code to be compiled into executables for both Windows and Linux operating systems.
Previously, the Dark Power ransomware group utilized the NIM programming language to create ransomware variants that can encrypt victims’ files while deliberately excluding critical system files. Moreover, the malware possessed the capability to clear logs and generate a ransom note within each infected folder.
Cyble Research and Intelligence Labs (CRIL) recently encountered a novel strain of ransomware named “Kanti.” This particular ransomware variant earned its name by modifying the encrypted file extension to “.kanti” and dropping a ransom note named “Kanti.html” after the encryption process. This ransomware specifically targets cryptocurrency users, as it employs file names associated with crypto wallets, particularly BTC (Bitcoin).
This blog provides insights into Kanti ransomware’s technical aspects and how victims are enticed through crypto wallets.
Technical Analysis
We have identified a compressed file named “BTC Wallet.zip” that includes two files: “Open Private Keys For Access To Wallet.lnk” and “Locked_253_BTC.zip”, as shown below.

The name of the zip file suggests that it may have been distributed to users via spam emails or a phishing website, with a specific focus on individuals involved in cryptocurrency activities.
The “Locked_253_BTC.zip” file has a ZIP extension and a name indicating that it likely contains Bitcoin-related content, potentially a cryptocurrency wallet. “Open Private Keys For Access To Wallet.lnk”, on the other hand, is a Windows shortcut file designed to deceive users into thinking that it provides the private keys needed to unlock the funds supposedly stored in “Locked_253_BTC.zip”. Private keys are essential for managing and accessing cryptocurrency wallets.
The Windows shortcut file (“Open Private Keys For Access To Wallet.lnk”) includes a command to execute “Locked_253_BTC.zip”, which is misleadingly named as a ZIP file but is actually a PE executable.
Upon execution of the lnk file, it runs the target command “cmd.exe /c start Locked_253_BTC.zip”. Because the file is not a real archive, the misleading .zip association is irrelevant: Windows inspects the file and launches “Locked_253_BTC.zip” directly as an executable, which is the ransomware binary.
The figure below shows the contents of the “BTC Wallet.zip” file and properties of the “Open Private Keys For Access To Wallet.lnk” file.

Kanti Ransomware
The “Locked_253_BTC.zip” is a 64-bit GUI-based binary file created using the NIM programming language, with the SHA256 hash value, ce61f7dad5a1bb7ef8dedb6938b3e6f4fbd4bf991fdd62212578a92c9ae6dec1, as shown below.

After being executed, the ransomware scans the system volumes and uses the FindFirstFileW() and FindNextFileW() API functions to search through files and directories, identifying the files that need to be encrypted.
The ransomware selectively excludes specific file/folder names and file extensions from encryption. By leaving these out, the TAs ensure that critical system files, essential operating system components, and other elements required for the system’s proper functioning remain intact, so the machine stays bootable and the victim can still read the ransom note.
As the figure below indicates, Kanti ransomware excludes specific folder names, file names, and file extensions from encryption.

Once the ransomware has identified the target files, it uses the “BCrypt.dll” module: it calls the BCryptGenRandom() API function with the BCRYPT_USE_SYSTEM_PREFERRED_RNG flag to generate keys securely, then performs the encryption, as shown in Figure 5. The ransomware loads the module dynamically and resolves the required Win32 API function addresses at runtime to enable its main operations.

Afterward, the malware uses the MoveFileExW() API function to replace each original file with its encrypted version, renamed with the extension “.kanti”, as illustrated below.

The figure below depicts the files encrypted by Kanti ransomware after the successful infection of a victim’s machine.

Subsequently, the ransomware drops a ransom note named “Kanti.html” on the Desktop. The note instructs victims on how to contact the TAs behind the ransomware in order to negotiate the ransom payment. The contents of the ransom note are shown in the figure below.

Additionally, the ransomware runs the following command via cmd.exe, which waits briefly (the ping to 127.0.0.1 acts as a delay), deletes the ransomware file, opens “Kanti.html” to display the ransom note to the victim, and then exits the Command Prompt.
- cmd.exe /c ping 127.0.0.1 -n 3 && del C:\Users\<User>\Desktop\Locked_253_BTC.zip&& C:\Users\<User>\Desktop\Kanti.html && exit
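As an added example (not code from the Cyble report), the two detection checks below are derived from the behaviour described above: a header-versus-extension scan that flags a file named “.zip” whose bytes begin with the “MZ” stub of a PE executable, as with “Locked_253_BTC.zip”, and a command-line rule for the ping-delay self-deletion chain. The sample file names, the sample bytes and the regular expression are this example’s own constructions.

```python
import os
import re
import tempfile
# Leading bytes of the two formats the lure plays on (reference table built for this example).
MAGIC = {
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),  # ZIP local-file header / empty archive
    "pe": (b"MZ",),                          # DOS stub at the start of a PE executable
}

def classify_header(data: bytes) -> str:
    """Return 'zip', 'pe' or 'unknown' from the first bytes of a file."""
    for kind, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return "unknown"

def extension_mismatch(path: str) -> bool:
    """True when a file named *.zip actually starts with a PE header (T1036 masquerading)."""
    if not path.lower().endswith(".zip"):
        return False
    with open(path, "rb") as fh:
        return classify_header(fh.read(8)) == "pe"

def find_masquerading_zips(root: str) -> list:
    """Walk a directory tree and return every '.zip' whose content is a PE, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if extension_mismatch(full):
                hits.append(full)
    return sorted(hits)

# Ping-delay self-deletion chain quoted in the report: cmd.exe /c ping 127.0.0.1 -n 3 && del <path> ...
SELF_DELETE_RE = re.compile(
    r"cmd(?:\.exe)?\s+/c\s+ping\s+127\.0\.0\.1\s+-n\s+\d+\s*&&\s*del\s+\S+", re.IGNORECASE
)

def is_self_delete_chain(cmdline: str) -> bool:
    """Flag a process command line that delays with ping and then deletes a file."""
    return SELF_DELETE_RE.search(cmdline) is not None

def demo_scan() -> list:
    """Scan a constructed sample tree: one real archive beside a PE named like a .zip."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "photos.zip"), "wb") as fh:
            fh.write(b"PK\x05\x06" + b"\x00" * 18)   # genuine (empty) ZIP archive
        with open(os.path.join(tmp, "Locked_253_BTC.zip"), "wb") as fh:
            fh.write(b"MZ\x90\x00" + b"\x00" * 60)   # PE DOS stub, not an archive
        return [os.path.basename(p) for p in find_masquerading_zips(tmp)]
```

Running `demo_scan()` returns `['Locked_253_BTC.zip']`; the same header check can be applied to attachments at a mail gateway, and `is_self_delete_chain` to process-creation telemetry.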
The figure below illustrates the process tree of the Kanti ransomware infection.

Conclusion
Ransomware TAs are increasingly focusing on cryptocurrency users, drawn by the potential for higher ransom payments, the apparent anonymity of crypto transactions, and the likelihood that tech-savvy individuals possess valuable data.
Additionally, NIM, being a relatively newer language, may lack robust security mechanisms and detection compared to more established programming languages. This security gap presents an opportunity for malware authors to evade detection and improve the efficiency of their malware attacks.
As organizations take steps to fortify themselves against ransomware attacks, there is a concurrent rise in the emergence of new ransomware groups. These groups continually adapt their strategies and scale up their activities to maximize their monetary profits.
Cyble Research and Intelligence Labs continuously monitors new ransomware campaigns, ensuring that our readers stay updated on the latest findings and developments of the malware.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After a Ransomware Attack
- Disconnect infected devices from the network to stop the infection from spreading.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impact of Ransomware
- Loss of valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption in organization operation.
- Financial loss.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Execution | T1204 | User Execution |
| Execution | T1059 | Command and Scripting Interpreter |
| Defense Evasion | T1070 | File Deletion |
| Defense Evasion | T1036 | Masquerading |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Impact | T1486 | Data Encrypted for Impact |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| c25e3f897192c324d689d5d3bbd180bb | MD5 | BTC Wallet.zip |
| 1e761ae5802cf9085d42cf6d991d7e15ab8976b7 | SHA1 | BTC Wallet.zip |
| 48eaf4aec9e5b9d51e8b4a98ac22b8f0ed0f7deadeff333d93e1fdc268abd932 | SHA256 | BTC Wallet.zip |
| c82127fd8c4f288ebbe07a12606ff87c | MD5 | Open Private Keys For Access To Wallet.lnk |
| cc0d3593e977845bf6d4e23359b625b43c57e0e0 | SHA1 | Open Private Keys For Access To Wallet.lnk |
| 556d38e14124cedbd9c477ffa3dba03979b347f20046733db51a42638cf68849 | SHA256 | Open Private Keys For Access To Wallet.lnk |
| d8b6fe900e0a446d3ff44e967d358700 | MD5 | Locked_253_BTC.zip (Kanti Ransomware exe) |
| 3775db152fdf754105ae0b5ced67897209d6203d | SHA1 | Locked_253_BTC.zip (Kanti Ransomware exe) |
| ce61f7dad5a1bb7ef8dedb6938b3e6f4fbd4bf991fdd62212578a92c9ae6dec1 | SHA256 | Locked_253_BTC.zip (Kanti Ransomware exe) |