Kanti: A NIM-Based Ransomware Unleashed in the Wild

New Ransomware Strain Sets Sights on Cryptocurrency Users


New programming languages often have fewer security measures and less mature detection mechanisms than well-established ones. Threat Actors (TAs) often attempt to bypass traditional security defenses and avoid detection by using a less-known programming language.

NIM, a programming language designed for efficient execution and high performance, has recently caught the attention of malware developers because of its novelty. One of the key reasons for this interest is NIM’s cross-platform support, which allows the same code to be compiled into executables for both Windows and Linux operating systems.

Previously, the Dark Power ransomware group utilized the NIM programming language to create ransomware variants that can encrypt victims’ files while deliberately excluding critical system files. Moreover, the malware possessed the capability to clear logs and generate a ransom note within each infected folder.

Cyble Research and Intelligence Labs (CRIL) recently encountered a novel strain of ransomware named “Kanti.” This particular ransomware variant earned its name by modifying the encrypted file extension to “.kanti” and dropping a ransom note named “Kanti.html” after the encryption process. This ransomware specifically targets cryptocurrency users, as it employs file names associated with crypto wallets, particularly BTC (Bitcoin).

This blog provides insights into Kanti ransomware’s technical aspects and how victims are enticed through crypto wallets.

Technical Analysis


We have identified a compressed file named “BTC Wallet.zip” that includes two files: “Open Private Keys For Access To Wallet.lnk” and “Locked_253_BTC.zip”, as shown below.

Figure 1 – Files inside the main ZIP file


The name of the zip file led us to believe that the zip file may have been distributed to users via spam emails or from a phishing website, with a specific focus on targeting individuals involved in cryptocurrency activities.

The “Locked_253_BTC.zip” file carries a ZIP extension, and its name suggests that it contains Bitcoin-related content, potentially a cryptocurrency wallet. “Open Private Keys For Access To Wallet.lnk”, on the other hand, is a Windows shortcut file designed to deceive users into thinking that it provides the private keys needed to unlock the funds supposedly stored in “Locked_253_BTC.zip”. Private keys are essential for managing and accessing cryptocurrency wallets.

The Windows shortcut file (“Open Private Keys For Access To Wallet.lnk”) includes a command to execute “Locked_253_BTC.zip”, which is misleadingly named as a ZIP file but is actually a PE executable.

When the LNK file is executed, it runs the target command “cmd.exe /c start Locked_253_BTC.zip”, which bypasses the incorrect file association and runs “Locked_253_BTC.zip” directly as an executable; that file is the ransomware binary.

The figure below shows the contents of the “BTC Wallet.zip” file and properties of the “Open Private Keys For Access To Wallet.lnk” file.

Figure 2 – Command used by Windows Shortcut file
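A defender-side check for the two tricks just described, the PE executable carried under a .zip name and the shortcut that launches it through cmd.exe /c start, as an added example that is not code from the original post. It builds a constructed stand-in for “BTC Wallet.zip” in memory: the member names come from the post, the file contents are made up, and the LNK string search is a heuristic rather than a full shortcut parser.

```python
import io
import re
import zipfile

PE_MAGIC = b"MZ"  # a PE executable starts with "MZ"; a real ZIP starts with "PK\x03\x04"
# Launcher pattern used by the shortcut: "cmd.exe /c start <file>" (the cmd.exe part is optional).
LAUNCH_RE = re.compile(rb"(?:cmd(?:\.exe)?\s+)?/c\s+start\s+(\S+)", re.IGNORECASE)

def lnk_launcher(data: bytes):
    """Heuristic: find a '/c start <file>' launcher among an LNK's strings.
    Shortcut string fields may be ANSI or UTF-16LE, so the raw bytes and both
    UTF-16LE alignments are searched; returns the launched file name or None."""
    views = [data] + [data[o:].decode("utf-16-le", errors="ignore").encode("ascii", "ignore")
                      for o in (0, 1)]
    for view in views:
        m = LAUNCH_RE.search(view)
        if m:
            return m.group(1).decode()
    return None

def classify_member(name: str, data: bytes) -> list:
    """Return findings for one archive member; an empty list means nothing suspicious."""
    findings = []
    lower = name.lower()
    if lower.endswith(".zip") and data.startswith(PE_MAGIC):
        findings.append(f"{name}: named .zip but starts with MZ (PE executable, not an archive)")
    if lower.endswith(".lnk") and (target := lnk_launcher(data)):
        findings.append(f"{name}: shortcut launches '{target}' via cmd.exe /c start")
    return findings

def scan_archive(blob: bytes) -> list:
    """Scan every member of a ZIP for extension/content mismatch and launcher shortcuts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            findings.extend(classify_member(info.filename, zf.read(info)))
    return findings

def build_sample() -> bytes:
    """Constructed stand-in for 'BTC Wallet.zip': a fake PE stub under a .zip name plus a
    shortcut-like blob whose UTF-16LE body holds the launcher command (not a real LNK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Locked_253_BTC.zip", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        args = "cmd.exe /c start Locked_253_BTC.zip".encode("utf-16-le")
        zf.writestr("Open Private Keys For Access To Wallet.lnk", b"L\x00\x00\x00" + args)
    return buf.getvalue()
```

Running scan_archive(build_sample()) yields one finding per member; a genuine archive member (PK header) or a shortcut without a launcher string produces none.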


Kanti Ransomware


The “Locked_253_BTC.zip” is a 64-bit GUI-based binary file created using the NIM programming language, with the SHA256 hash value, ce61f7dad5a1bb7ef8dedb6938b3e6f4fbd4bf991fdd62212578a92c9ae6dec1, as shown below.

Figure 3 – Static file details


After being executed, the ransomware scans the system volumes and uses the FindFirstFileW() and FindNextFileW() API functions to search through files and directories, identifying the files that need to be encrypted.

The ransomware selectively excludes specific file/folder names and file extensions from encryption. By leaving these files and folders untouched, the TAs behind the ransomware ensure that critical system files, essential operating system components, and other elements necessary for the system’s proper functioning remain intact, so the machine keeps running and the victim can read the ransom note.

As the figure below indicates, Kanti ransomware excludes specific folder names, file names, and file extensions from encryption.

Figure 4 – Exclusion list used by ransomware


Once the ransomware has identified the files, it uses the “BCrypt.dll” module: it calls the BCryptGenRandom() API function with the BCRYPT_USE_SYSTEM_PREFERRED_RNG flag to generate key material securely and then performs the encryption, as shown in Figure 5. The ransomware loads the module dynamically and resolves the Win32 API function addresses it needs for its main operations.

Figure 5 – Encryption process


Afterward, the malware uses the MoveFileExW() API function to replace each original file with its encrypted version, renamed with the “.kanti” extension, as illustrated below.

Figure 6 – MoveFileExW() operation


The figure below depicts the files encrypted by Kanti ransomware after the successful infection of a victim’s machine.

Figure 7 – Encrypted files by Kanti ransomware


Subsequently, the ransomware drops a ransom note named “Kanti.html” on the Desktop location. The ransom note dropped by Kanti Ransomware provides instructions to the victims on how to establish contact with the TAs behind the ransomware, enabling them to initiate negotiations for the ransom payment. The contents of the ransom note are shown in the below figure.

Figure 8 – Contents of the Ransom note


Additionally, the ransomware runs the following command using cmd.exe to delete the ransomware file and open the “Kanti.html” file to display the ransom note to victims before exiting the Command Prompt.

  • cmd.exe /c ping -n 3 && del C:\Users\<User>\Desktop\Locked_253_BTC.zip&& C:\Users\<User>\Desktop\Kanti.html  && exit

The figure below illustrates the process tree of the Kanti ransomware infection.

Figure 9 – Process tree
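Detection logic over the process chain described above (shortcut to cmd.exe /c start, the renamed ransomware binary, and the delayed self-deletion command), as an added example that is not part of the original post. The events are constructed Sysmon-style records with made-up pids and a placeholder user directory; only the command lines mirror the ones in the post.

```python
import re

# Constructed Sysmon-style process-creation events (made-up pids, placeholder user "victim")
# mirroring the chain described above: shortcut -> cmd.exe /c start -> binary -> cmd.exe self-delete.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c start Locked_253_BTC.zip"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Users\victim\Desktop\Locked_253_BTC.zip",
     "cmdline": r"C:\Users\victim\Desktop\Locked_253_BTC.zip"},
    {"pid": 4150, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping -n 3 && del C:\Users\victim\Desktop\Locked_253_BTC.zip&& "
                r"C:\Users\victim\Desktop\Kanti.html  && exit"},
    {"pid": 4200, "ppid": 3900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir"},  # benign control, must not alert
]

# Extensions that should never be the image of a running process (a PE renamed to look like data).
DATA_EXTS = (".zip", ".rar", ".7z", ".pdf", ".docx", ".txt", ".jpg", ".png")
# "start <file>" launcher, and the "ping -n N && del <path>&&" delay-then-delete idiom.
START_RE = re.compile(r"\bstart\s+\"?([^\s\"]+)", re.IGNORECASE)
SELF_DEL_RE = re.compile(r"ping\s+-n\s+\d+\s*&&\s*del\s+(\S+?)\s*&&", re.IGNORECASE)

def detect(events):
    """Apply three rules to process events; returns (pid, rule) tuples in event order."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image, cmd = e["image"].lower(), e["cmdline"]
        if image.endswith(DATA_EXTS):  # rule 1: data-named file running as a process
            alerts.append((e["pid"], "data-extension file executed as process"))
        if not image.endswith("cmd.exe"):
            continue
        m = START_RE.search(cmd)  # rule 2: cmd.exe /c start of a data-named file
        if m and m.group(1).lower().endswith(DATA_EXTS):
            alerts.append((e["pid"], "cmd.exe start of data-extension file"))
        m = SELF_DEL_RE.search(cmd)  # rule 3: delayed del of the parent's own image
        parent = by_pid.get(e["ppid"])
        if m and parent and m.group(1).lower() == parent["image"].lower():
            alerts.append((e["pid"], "delayed self-deletion of parent image"))
    return alerts

def lineage(events, pid):
    """Walk ppid links to show the chain that led to a flagged process (child first)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return chain
```

detect(SAMPLE_EVENTS) flags the launcher, the renamed binary and the self-deleting cmd.exe while the benign cmd.exe stays silent; lineage(SAMPLE_EVENTS, 4150) reproduces the tree shown in Figure 9.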




Ransomware TAs are increasingly focusing on cryptocurrency users, drawn by the potential for higher ransom payments, the apparent anonymity of crypto transactions, and the likelihood that tech-savvy individuals possess valuable data.

Additionally, NIM, being a relatively new language, may lack the robust security mechanisms and detection coverage that more established programming languages have. This gap presents an opportunity for malware authors to evade detection and improve the effectiveness of their attacks.

As organizations take steps to fortify themselves against ransomware attacks, there is a concurrent rise in the emergence of new ransomware groups. These groups continually adapt their strategies and scale up their activities to maximize their monetary profits.

Cyble Research and Intelligence Labs continuously monitors new ransomware campaigns, ensuring that our readers stay updated on the latest findings and developments of the malware.

Our Recommendations


We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

  • Disconnect infected devices from the network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impact of Ransomware

  • Loss of valuable data.
  • Loss of the organization’s reputation and integrity.
  • Loss of the organization’s sensitive business information.
  • Disruption in organization operation.
  • Financial loss.

MITRE ATT&CK® Techniques


Tactic            Technique ID   Technique Name
Execution         T1204          User Execution
                  T1059          Command and Scripting Interpreter
Defense Evasion   T1070          File Deletion
                  T1036          Masquerading
Discovery         T1082          System Information Discovery
                  T1083          File and Directory Discovery
Impact            T1486          Data Encrypted for Impact

Indicators of Compromise (IOCs)


Indicators                                                          Indicator Type   Description
                                                                                     BTC Wallet.zip
                                                                                     Open Private Keys For Access To Wallet.lnk
ce61f7dad5a1bb7ef8dedb6938b3e6f4fbd4bf991fdd62212578a92c9ae6dec1    SHA256           Locked_253_BTC.zip (Kanti Ransomware exe)
