Cyble Research and Intelligence Labs Uncovers Novel ‘Kanti’ Ransomware Targeting Cryptocurrency Users

Jul 21, 2023

Cyble Research and Intelligence Labs (CRIL) recently discovered a new strain of ransomware dubbed “Kanti” that poses a significant threat to cryptocurrency users.

The Kanti ransomware earned its name due to its distinct encryption method, appending the “.kanti” extension to encrypted files, and dropping a ransom note called “Kanti.html” after the encryption process is completed.

The cybercriminals behind Kanti specifically focus on cryptocurrency users, particularly those associated with Bitcoin (BTC) wallets.

Cyble researchers found that Kanti ransomware is built using the Nim programming language, which is relatively new and known for its efficient execution and cross-platform compatibility.

“Previously, the Dark Power ransomware group utilized the NIM programming language to create ransomware variants that can encrypt victims’ files while deliberately excluding critical system files,” said the CRIL report.

“Moreover, the malware possessed the capability to clear logs and generate a ransom note within each infected folder.”

Nim’s unique features enable malware authors to create ransomware that targets both Windows and Linux operating systems, making it a versatile tool for cybercriminals seeking to evade detection.

Kanti Ransomware: Execution and encryption process

Kanti is a new type of ransomware that targets people who use cryptocurrency, especially Bitcoin. It is malicious software designed to lock up your files and demand a ransom from you to get them back.

The attackers distribute the ransomware through a file named “BTC Wallet.zip.” Inside this compressed file, there are two other files: “Open Private Keys For Access To Wallet.lnk” and “Locked_253_BTC.zip.”

When you open the “Open Private Keys For Access To Wallet.lnk” file, it actually runs the “Locked_253_BTC.zip” file. The “lnk” file is made to look harmless, but it’s the actual ransomware in disguise.

Once you run the ransomware, it starts encrypting your files. Encryption is like putting a lock on your files so that you can’t access them without a special key. In this case, the attackers have the key, and they demand money (ransom) to give it to you.

Kanti ransomware scans the system volumes using API functions to identify files and directories for encryption.

Interestingly, the ransomware selectively excludes certain files and folders from encryption, ensuring critical system files and components necessary for the proper functioning of the victim’s system remain unaffected.

Kanti ransomware is cleverly programmed to avoid encrypting certain important files that are necessary for your computer to function properly. This ensures that the computer remains operational, and you can still use it to pay the ransom.

The ransomware is created using a new programming language called Nim. This language allows the attackers to make the ransomware work on both Windows and Linux computers.

To lock your files securely, the ransomware uses a special module called “BCrypt.dll.” This module generates the encryption keys that are needed to lock and unlock your files.

After your files are encrypted, the ransomware leaves a message called “Kanti.html” on your Desktop. This message explains that your files are locked, and it provides instructions on how to pay the ransom to get the decryption key.

To cover its tracks, the ransomware deletes itself from your computer after encrypting your files. It also displays the ransom note before exiting, so you know what happened.
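
A triage sketch for the delivery chain and on-disk indicators described above, added here as an example and not taken from the CRIL report: it lists a ZIP's members without extracting them, flags shortcut files and members whose ".zip" name does not match their content, and searches a directory tree for ".kanti" files and "Kanti.html". The function names and the sample bytes are constructed, and treating the launched ".zip" member as a Windows executable is an assumption the article implies but does not state.

```python
import io
import zipfile
from pathlib import Path

ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")  # normal and empty ZIP signatures

def build_sample():
    """Constructed, inert stand-in that reuses the file names from the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Open Private Keys For Access To Wallet.lnk", b"placeholder")
        zf.writestr("Locked_253_BTC.zip", b"MZ" + b"\x00" * 62)  # assumed PE header
    return buf.getvalue()

def triage_archive(data):
    """Inspect a ZIP held in memory; nothing is written to disk or executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = Path(info.filename).suffix.lower()
            with zf.open(info) as fh:
                head = fh.read(4)
            if ext == ".lnk":
                findings.append("shortcut in archive: " + info.filename)
            if ext == ".zip" and not head.startswith(ZIP_MAGICS):
                kind = "PE executable" if head[:2] == b"MZ" else "non-ZIP data"
                findings.append(kind + " named as archive: " + info.filename)
    return findings

def scan_tree(root):
    """Count files with the .kanti extension and collect Kanti.html note paths."""
    encrypted, notes = 0, []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.suffix.lower() == ".kanti":
            encrypted += 1
        elif p.name.lower() == "kanti.html":
            notes.append(str(p))
    return {"encrypted": encrypted, "notes": notes}

if __name__ == "__main__":
    for finding in triage_archive(build_sample()):
        print(finding)
```

An archive that pairs a shortcut with a mislabelled member is worth quarantining before anyone opens it; a non-zero "encrypted" count from scan_tree means encryption has already run on that host.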

Kanti ransomware: Effects and precautions

Like all other ransomware strains, the main impact of Kanti is the loss of valuable data.

Falling victim to a ransomware attack hits an organization’s reputation and integrity badly, leading to a loss of trust from customers and partners.

Ransomware can expose sensitive business information, posing a serious risk to the confidentiality of its consumers, affiliates, and stakeholders.

The disruptive nature of ransomware is another major concern.

Once infected, computers or networks may become inoperable until the ransom is paid or the situation is resolved, causing significant disruptions to regular operations.

Cyble researchers recommend regularly backing up important data.

Keeping backups offline or on separate networks ensures that a safe copy of the data is available for recovery if needed.

Enabling automatic software updates on computers, mobile devices, and other connected devices helps to keep security vulnerabilities in check and devices protected against known threats, the researchers added.
