Malware Wiki

Kuiper

Summary: Golang-based Ransomware-as-a-service
Class: Ransomware
Class Summary: Ransomware is a form of malicious software that encrypts files on your device, making them inaccessible. The attacker then demands a ransom to decrypt the files. If ransomware is detected, make note that there is no guarantee the attacker will provide the decryption key upon paying the ransom. Disconnect the affected system from your network to prevent the spread of the ransomware, and consult with a security specialist. Regular backups are key in recovering from ransomware attacks.
Description: Kuiper is a Ransomware-as-a-Service (RaaS) developed in Go, which was advertised on underground forums by a user named Robinhood. It uses a combination of RSA, ChaCha20 (files smaller than 600 megabytes), and AES (files larger than 600 megabytes) for encrypting files. While most of the malware's functionality is focused on Windows, the macOS variant will generate a random key and random initialization vector (IV) using /dev/urandom, decode a ransom note, encrypt the target recursively (appending a .kuiper extension), clean the key and IV from memory, and reboot the system.
References: https://stairwell.com/resources/kuiper-ransomware-analysis-stairwells-technical-report/

https://www.trellix.com/blogs/research/the-evolution-of-the-kuiper-ransomware/
Example Hashes: 4371132451177999fde66054fc84382a94f606c0

VirusTotal

32a5b738efcfcd160847c4b301b939e14cb9f3cf

VirusTotal

0c1b3763668d9c208bfcfb2f65f069bcb90b0a08

VirusTotal