April 13, 2017

CradleCore: ransomware source code for sale

Roland Dela Paz Security Researcher

In a recent blog we talked about how the current ransomware pandemic continues to attract would-be cybercriminals to ransomware-as-a-service (RaaS) platforms. In this post we will look into a new piece of ransomware called "CradleCore" - a crimeware kit that is currently being offered to cybercriminals looking to own customisable ransomware source code.

CradleCore,  a.k.a. "Cradle Ransomware", is peculiar in the sense that it is being sold as source code. Typically, ransomware is monetized by developers using the RaaS business model. If that doesn't work, only then the will the developers consider selling the source code. 

CradleCore is offered as a C++ source code with PHP server scripts and a payment panel. It started to be sold on a few Tor-based sites over two weeks ago for a negotiable price starting at 0.35 BTC (approximately 428 USD): 

The ransomware has a relatively complete feature set. It uses Blowfish for file encryption, has an anti-sandbox mechanism, allows for offline encryption, and communicates to its command and control server via a Tor2Web gateway (onion.link).

Upon infecting a system it drops a ransom note with the filename “_HOW_TO_UNLOCK_FILES_.html”. Encrypted files are appended with the “.cradle” file extension and the ransom note is displayed:

A list of features, along with setup instructions, is available in the ransomware’s readme file provided by the author himself to potential customers:

In the above readme file it can be observed that the words "targets" and "campaigns" were used. These words are anti-virus (AV) industry language and are commonly seen in security articles. This may suggest that the author of CradleCore is not a professional malware developer but rather someone with a software development experience taking a shot at the ransomware scene.

Who is the author of CradleCore?

While the advertisement site for CradleCore is hosted on the dark web, the site’s Apache server status page appears to be accessible to the public. The logs appeared to show that the Apache server hosting the Onion site has a second Virtual Host (VHost) hosting a clearnet website. VHosts, to those unfamiliar, allow multiple websites to be hosted on a single machine and IP address:

The Linode-assigned IP address hosting the clearnet site appears to be exclusive-use. Essentially, this could mean either that the server is compromised and is abused to host the CradleCore website or that the clearnet website and CradleCore belong to the same owner.

Digging around the contents of that clearnet website led us to the website owner's personal site who appears to be working as a freelance software developer. From the information available on his personal website we managed to find his Twitter and LinkedIn account where it is indicated that he is a C++ programmer.

At this point we can link the clearnet site with a freelance C++ developer and with an Onion site offering the CradleCore C++ source code for sale. While this provides a link between the owner of the clearnet site and the malware it should be stressed that without knowledge of whether or not the Linode host itself has been compromised this does not necessarily prove ownership.

Looking at the WHOIS information of the clearnet site, a fake name and a SIGAINT email address appears to have been used to register the website. SIGAINT was a TOR-based email service (now defunct) that offered email anonymity:

Forcepoint Security Statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

Stage 5 (Dropper File) - CradleCore variants are prevented from being downloaded and/or executed.
Stage 6 (Call Home) - HTTP requests to the CradleCore command and control server are blocked.


CradleCore is yet another new ransomware product that is available to cybercriminals. It is being sold as source code which potentially suggests that CradleCore may be a first- or side-project of someone with limited experience of malware business models looking for extra income. It also means that anyone who purchases it will not only be able to update the ransomware but also share the source code to others. Ultimately, this may result in other ransomware variants stemming from CradleCore's source code. Forcepoint Security Labs™ will continue to monitor developments on the CradleCore ransomware.

With additional insights from Luke Somerville.

Indicators of Compromise

CradeCore SHA-256 Hashes


About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.