Krita art app users targeted by ransomware posing as paid 'collaboration' opportunities • The Register
Artists advised to delete emails asking them to download 'media bundle'
Gareth Halfacree, Tue 14 Sep 2021 // 19:27 UTC
Krita, an open-source cross-platform digital painting application, has become the latest victim of ransomware – but rather than being attacked directly, its name is being used to spread malware among users via emails offering advertising revenue.
In one example of the emails seen by The Register the recipient was offered a fee to mention the app on YouTube in a 30 to 45-second advertising spot. The fees on offer: $350 for accounts with 10,000-80,000 subscribers, rising to $1,700 for those with up to a million – or "individually" priced for larger accounts.
Those looking to take advantage of the "offer" are asked to "register as a Krita partner" and sent a link to download the Windows version of the app and a "media pack" of assets – the link, naturally, pointing to a convincingly named domain outside the control of the Krita project and hosting a ransomware dropper which takes over the victim's system, encrypts their files, and demands payment to reverse the process.
"Some fraudsters are sending mails to artists with offers pretending to be from official Krita team or Foundation," artist Raghavendra Kamath wrote in one of the earliest warnings about the attack. "They have registered some domains like 'Krita.io' which redirect to [the] official .org domain. This confused people and tricks them in believing that the mail they received is from official team.
"I would like to make everyone aware that these mails are fraud mails and if you receive any communication from Krita team which originates from the email address other than foundation@krita.org then please mark it as spam and report for phishing. Also spread this word to your friends who may have got such mails."
"If you receive mail pretending to come from the Krita team from an email address that does not end in krita.org, like krita.io or krita.app, please be aware that these mails are scams," the project's maintainers wrote in their own warning on the topic.
"This is a ransomware attack. If you reply, you will get a link to a 'mediabank.zip' file that contains two programs masquerading as videos. There are now also fake installers that you are asked to run. Only download Krita from this website, Steam, Windows Store or Epic Store!"
"I almost downloaded this," wrote artist and Krita user Philip Hartshorn, one of the targets of the ongoing attack, "as it's a fairly convincing collaboration email/offer. I just happened to check the Krita Twitter before I did."
The waters are slightly muddied by the fact that while krita.org is indeed the official domain for the software's distribution, the project maintains a second domain for its forum: krita-artists.org.
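The sender rule quoted above ("does not end in krita.org") is easy to get wrong with a plain suffix test, so here is an added example, not code from the Krita project or The Register, that classifies a From: header against the domains named in this article. Treating krita-artists.org as an acceptable sender domain is an assumption (the article only says it hosts the forum), and the sample addresses in the comments and tests are constructed.

```python
from email.utils import parseaddr

# Domains the article names as genuine: krita.org (website and mail) and
# krita-artists.org (forum). Accepting the forum domain for mail is an
# assumption made for this example.
OFFICIAL_DOMAINS = {"krita.org", "krita-artists.org"}
BRAND = "krita"


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header.

    parseaddr() separates the display name from the real address, so a
    display name such as "foundation@krita.org" cannot pose as the sender.
    """
    _display, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify_sender(from_header: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return "unrelated"
    for official in OFFICIAL_DOMAINS:
        # Exact match or a true subdomain only. A bare
        # domain.endswith("krita.org") would also accept "notkrita.org".
        if domain == official or domain.endswith("." + official):
            return "official"
    # Anything else that carries the brand in one of its labels
    # (krita.io, krita.app, krita.org.example.net) is a lookalike.
    if any(BRAND in label for label in domain.split(".")):
        return "lookalike"
    return "unrelated"


def triage(from_headers):
    """Map each From: header to its classification."""
    return {h: classify_sender(h) for h in from_headers}
```

The From: header is itself forgeable, so an "official" result only says which domain the message claims; the receiving server's SPF, DKIM and DMARC results decide whether that claim holds.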
While the first reports of the attack date back to nearly a month ago, evidence shows it is ongoing with the most recent examples dating to 11 September. Many of the sites used in the attack, however, are no longer responding, with registrar Namecheap confirming at least one termination following user reports – but with the attackers jumping onto new domains, the battle continues.
Those looking to download the real Krita are advised to do so from the official website – and to delete any unexpected emails offering collaborations. ®