Cybersecurity researchers have found a new ransomware called Carukia that was promoted as a work-in-progress malware.
A Telegram channel offered a preview of the presently blank panel associated with the yet-to-be-launched Typhon Project.
The Carukia ransomware, from the Typhon Project, boasted of faster encryption due to code optimization and automatic privileges escalation.
Announcement about the Carukia ransomware v1.0
The v1.0 in the version name suggested that the developers of the yet-to-be-launched ransomware may go ahead and launch better versions of the malware with the response received for this one, once it goes live.
Besides AES-256 file encryption, and wipe key from memory options that may help to launch a stealthy ransomware attack, Carukia ransomware v1.0 claimed to perform automatic privilege escalation.
It can disable a few detection mechanisms of systems and boasted of offering a user-friendly builder.
These functionalities and features put a critical responsibility on software developers, researchers, and legal bodies to create even better cybersecurity infrastructure to thwart the impact of emerging ransomware.
Other features of the ransomware from Project Typhon:
- Deletion of volume shadow copies and event logs from the targeted systems.
- Disabling sample submissions that can otherwise help researchers trace details about the attack.
- Carukia ransomware can also disable telemetry which also helps researchers collect data from remote sources using tools to detect more about ransomware attacks.
- It can disable defender that offers added security to systems against cyberattacks.
Written from scratch, the Carukia ransomware v1.0 from the Typhon Project will be offered for a lifetime subscription of $500. The group wrote that they will accept payment in XMR and ETH only. “Will not be released until it is perfect,” the announcement for Carukia ransomware concluded.
CRIL researcher’s insights about the Carukia ransomware v1.0
To gain more insights into the Carukia ransomware, The Cyber Express team spoke to a researcher from the Cyble Research & Intelligence Labs, who shared that although the ransomware is on sale by the developer, it is not an affiliate model yet, unlike other groups such as LockBit ransomware group.
They shared that the developers of Carukia were involved in operating RaaS called SarinLocker, based on preliminary investigation, adding that they anticipate the possibility of Carukia ransomware turning into a RaaS in the future.
The developers have created the panel with the price tags so far, however, the ransomware may have faster encryption as quoted by the group in the Telegram post.
The popularity of Carukia will depend on its sale, and once that starts, the developers may float the RaaS model to the larger underworld market.
Till then it is interesting for malware research teams to find the malware strain and check its usage by other groups. When asked about the experience level of the ransomware developers, the CRIL researcher said, “Experience in coding, definitely. But association with a group is not a necessity for a project as this.”
“Such developers may turn themselves into ransomware groups in the future and create a RaaS model,” the researcher added.
In RaaS, operators are the ones who are on top of everything including developing and sharing the ransomware strain to managing affiliates who will spread the infection. They are also the ones who share the profit back with the affiliates after the attack.
Looking at the panel for the Carukia ransomware, the researcher said, “By the advertisement, it is clear that it’s not released for sale yet.”
Addressing the values noted in the fields they added, “It may just be a test entry as there is a discrepancy between the IP address and the name of the country reflecting as US on the panel.”