If cybercrime had its own GitHub, Nitrogen ransomware and LukaLocker would be its popular forks. An increasing number of attacks are no longer about advanced techniques, but about the effective use of available components. Recycling malicious code has become a common and worryingly effective practice. As a result, IT organisations today face a challenge not from the emergence of new threats, but from refreshed versions of well-known pests.
Old code, new packaging
In 2022, the source code of the once influential CONTI ransomware hit the web after an internal split of the group, some members of which objected to its support for the Russian invasion of Ukraine. As a result, the full criminal toolkit, including logic for file encryption, security bypass and victim communication, saw the light of day.
Two years later, analysts from German firm SECUINFRA detected new ransomware variants – LukaLocker and Nitrogen – that used the same code. Although their names, tactics and technical details differed slightly, the analysis showed clear similarities: identical encryption schemes, code structure, mechanisms for communicating with the victim and how to obfuscate functions.
This shows how easy it is today to build a new threat with minimal effort. All it takes is ready-made code, a few cosmetic changes and a distribution channel. Such ‘low effort engineering’ significantly lowers the barrier to entry into the criminal world.
Cybercrime as modular engineering
In the IT world today, we talk about componentisation, microservices and code reuse. In the world of cybercrime, exactly the same thing is happening – with the difference that the goal is not innovation, but attack efficiency.
LukaLocker and Nitrogen are almost textbook examples. In both cases, the core of the code is based on the same ransomware engine. The details have changed: the name, some functions, the way it communicates with the victim. But the key elements – RSA or ECC encryption, mutexes to prevent double encryption, hiding imports using Base64 encoding – have remained the same.
This is no coincidence. By recycling the code, it is possible to reduce the time needed to prepare the malware, reduce the risk of errors and get the ‘product’ into the criminal market in no time. It can be easily adapted to the needs of a specific campaign – changing communication channels (e.g. from Tox to Telegram), phishing techniques (e.g. telephone threats) or data publishing methods (e.g. dark web blogs).
Reactivity is not enough
For security teams and CISOs, this means a change in the rules of the game. The traditional approach, based on detecting new signatures, is becoming less and less effective. Since the new variants are based on well-known mechanisms, it is difficult to classify them as a ‘new threat’ in classic detection systems.
This challenge requires a shift from a reactive to a proactive defence model. Instead of relying on detecting malware names or their hashes, organisations should focus on analysing behaviour – e.g. unusual file operations, running tools like `bcdedit.exe`, creating mutexes or encryption patterns.
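The kind of behaviour-based scoring described above, as an added example that is not part of the original article or of SECUINFRA's analysis. The telemetry format, field names, host names and sample events are constructed assumptions; the scored `bcdedit.exe` switches are the ones that disable Windows boot recovery, and the thresholds are illustrative.

```python
from collections import defaultdict
from os.path import splitext

# Constructed sample telemetry: (timestamp_s, host, event_type, detail).
EVENTS = [
    (100, "ws01", "process", r"bcdedit.exe /set {default} recoveryenabled no"),
    (101, "ws01", "process", r"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    (102, "ws01", "mutex", r"Global\constructed-sample-mutex"),
    (200, "ws02", "process", r"bcdedit.exe /enum"),            # benign admin use
    (201, "ws02", "file_rename", r"C:\Users\a\draft.txt -> C:\Users\a\final.txt"),
]
# 300 extension-changing renames on ws01 within a few seconds (constructed).
EVENTS += [(103 + i // 100, "ws01", "file_rename",
            rf"D:\share\doc{i}.docx -> D:\share\doc{i}.docx.locked") for i in range(300)]

# bcdedit arguments that weaken boot recovery; on their own they are rare but
# legitimate, so they only add to a score rather than alert by themselves.
RECOVERY_TAMPER = ("recoveryenabled no", "bootstatuspolicy ignoreallfailures")

def extension_changed(detail):
    """True when a 'src -> dst' rename changes the file extension."""
    src, _, dst = detail.partition(" -> ")
    return splitext(src)[1].lower() != splitext(dst)[1].lower()

def score_hosts(events, window_s=30, rename_threshold=100):
    """Return {host: (score, reasons)} for hosts showing ransomware-like behaviour."""
    scores, reasons, renames = defaultdict(int), defaultdict(list), defaultdict(list)
    for ts, host, kind, detail in events:
        d = detail.lower()
        if kind == "process" and "bcdedit" in d and any(a in d for a in RECOVERY_TAMPER):
            scores[host] += 3
            reasons[host].append("boot recovery tampering: " + detail)
        elif kind == "mutex" and detail.startswith("Global\\"):
            scores[host] += 1
            reasons[host].append("global mutex created: " + detail)
        elif kind == "file_rename" and extension_changed(detail):
            renames[host].append(ts)
    # Sliding window: a burst of extension-changing renames is the encryption pattern.
    for host, stamps in renames.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:
                start += 1
            if end - start + 1 >= rename_threshold:
                scores[host] += 5
                reasons[host].append(f"{rename_threshold}+ extension-changing renames within {window_s}s")
                break
    return {h: (scores[h], reasons[h]) for h in scores}
```

Running `score_hosts(EVENTS)` flags only `ws01`; the `/enum` call and the single benign rename on `ws02` do not accumulate a score.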
Threat intelligence also plays an important role – not only in real time, but also in the context of code analysis and similarity mapping between successive threat variants. This makes it possible to recognise known patterns in unfamiliar forms.
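A minimal form of the similarity mapping mentioned above, as an added example that is not from the original article. The feature sets are constructed placeholders for imports and strings extracted from samples, the family labels stand in for the leaked CONTI code and an unrelated family, and the threshold is illustrative; none of the features are real indicators of those families.

```python
# Constructed feature sets (imports/strings) for known families and new samples.
KNOWN = {
    "conti-leak": {"CryptEncrypt", "CryptGenKey", "CreateMutexA", "FindFirstFileW",
                   "GetLogicalDrives", "chacha_block", "readme.txt"},
    "unrelated-family": {"WinHttpOpen", "InternetReadFile", "CreateRemoteThread",
                         "VirtualAllocEx"},
}
NEW_SAMPLES = {
    # Renamed ransom note, otherwise the same engine: should map to conti-leak.
    "sample-A": {"CryptEncrypt", "CryptGenKey", "CreateMutexA", "FindFirstFileW",
                 "GetLogicalDrives", "chacha_block", "HOW_TO_RECOVER.txt"},
    "sample-B": {"WinHttpOpen", "InternetReadFile", "CreateRemoteThread",
                 "VirtualAllocEx", "NtQueueApcThread"},
    "sample-C": {"socket", "connect", "send", "recv"},   # nothing in common
}

def jaccard(a, b):
    """Set overlap in [0, 1]; 1.0 means identical feature sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def attribute(sample_features, known=KNOWN, threshold=0.6):
    """Map a sample to the most similar known family, or 'unknown' below threshold."""
    best_family, best_score = "unknown", 0.0
    for family, feats in known.items():
        score = jaccard(sample_features, feats)
        if score > best_score:
            best_family, best_score = family, score
    if best_score < threshold:
        return "unknown", round(best_score, 2), set()
    return best_family, round(best_score, 2), sample_features & known[best_family]

def attribute_all(samples=NEW_SAMPLES):
    return {name: attribute(feats) for name, feats in samples.items()}
```

The returned shared-feature set is what an analyst would review: a high overlap driven by common Windows APIs alone is weaker evidence than one that includes the family's distinctive routines.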
Crime-as-a-Service: the fast track to crime
The phenomenon of code recycling does not exist in a vacuum. It is part of a broader trend that resembles models familiar to the SaaS market. Crime-as-a-Service (CaaS) and Ransomware-as-a-Service (RaaS) democratise access to sophisticated cybercrime tools. Developers make the code available for a fee or free of charge, and other criminals – often without deep technical expertise – adapt it for their own purposes.
In the case of LukaLocker, there were even elements of a “customer service” – a call centre team contacting victims to reinforce the pressure to pay the ransom. This shows that the line between a cyber attack and an organised business operation is becoming increasingly blurred.
How to defend against the ‘old’ threat?
Although LukaLocker and Nitrogen do not introduce a technical revolution, they are just as dangerous as their prototype. It is their ‘mediocrity’ that makes them more difficult to detect. In response to this new wave of threats, security experts point to several key actions:
- Implementation of MDR (Managed Detection & Response) services: Continuous monitoring and proactive response allow you to stay ahead of attacks based on well-known patterns.
- Monitoring the dark web: Analysis of leaked credentials and criminal group activity can alert you to potential attack targets.
- Threat assessment and IR testing: Regular analysis of the IT environment for signs of known techniques (e.g. from CONTI) and testing of incident response plans.
- Training and safety culture: Make employees aware that hazards may look familiar but have new consequences.
Copying code has become a natural part of software development. Unfortunately, the same mechanism is at work in cybercrime. LukaLocker and Nitrogen show that even unoriginal code can be deadly if exploited properly. For companies, this means that they need to abandon the illusion that only ‘new’ threats are worth paying attention to. Criminals have long understood that you don’t have to be innovative to be effective. Now it is the turn of organisations to shift their security model to tracking and neutralising well-known but still threatening mechanisms of operation – before they are exploited again.