The evolution of the Kuiper ransomware
Description

Kuiper Ransomware’s Evolution

By Max Kersten · January 17, 2024

The Golang-based Kuiper ransomware is presented as an opportunity for other criminals to make money by ransoming one or more targets. Additionally, RobinHood, the actor behind Kuiper, states that help with operations can be provided for a commission. A leak site to double extort victims (once by ransoming their systems, and again by threatening to publish the stolen data if the ransom demand is not met) is in the works, but remains unfinished.

The ransomware advertisement sounds promising with regard to the technical capabilities, while in reality the actor seems to have bitten off more than they can chew. Reality caught up with the threat actor, as observed in a blog by Stairwell’s Silas Cutler, who obtained a copy of the server the actor used, including the ransomware’s source code and decryption keys.

This blog will cover the sales post of the actor, an analysis of the ransomware binaries targeting Windows, Linux, and macOS, and a version comparison. The version comparison is included within the technical analysis. The analyzed files, their hashes, and the detection information are listed at the end of this blog.

The ransomware advertisement

The underground markets offer numerous opportunities for actors to select a ransomware family of their choice. Some actors only advertise once their first version is finished, whereas others release “beta” versions. These are generally not advertised as such…
