Krita art app users targeted by ransomware posing as paid 'collaboration' opportunities

Artists advised to delete emails asking them to download 'media bundle'


Krita, an open-source cross-platform digital painting application, has become the latest victim of ransomware – but rather than being attacked directly, its name is being used to spread malware among users via emails offering advertising revenue.

In one example of the emails seen by The Register the recipient was offered a fee to mention the app on YouTube in a 30 to 45-second advertising spot. The fees on offer: $350 for accounts with 10,000-80,000 subscribers, rising to $1,700 for those with up to a million – or "individually" priced for larger accounts.

Those looking to take advantage of the "offer" are asked to "register as a Krita partner" and sent a link to download the Windows version of the app and a "media pack" of assets – the link, naturally, pointing to a convincingly named domain outside the control of the Krita project and hosting a ransomware dropper which takes over the victim's system, encrypts their files, and demands payment to reverse the process.

"Some fraudsters are sending mails to artists with offers pretending to be from official Krita team or Foundation," artist Raghavendra Kamath wrote in one of the earliest warnings about the attack. "They have registered some domains like 'Krita.io' which redirect to [the] official .org domain. This confused people and tricks them into believing that the mail they received is from official team.

"I would like to make everyone aware that these mails are fraud mails and if you receive any communication from Krita team which originates from the email address other than foundation@krita.org then please mark it as spam and report for phishing. Also spread this word to your friends who may have got such mails."

"If you receive mail pretending to come from the Krita team from an email address that does not end in krita.org, like krita.io or krita.app, please be aware that these mails are scams," the project's maintainers wrote in their own warning on the topic.

"This is a ransomware attack. If you reply, you will get a link to a 'mediabank.zip' file that contains two programs masquerading as videos. There are now also fake installers that you are asked to run. Only download Krita from this website, Steam, Windows Store or Epic Store!"
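The two warnings above amount to a policy a defender can actually check: mail about Krita is only trusted if the sender address ends in krita.org, and a "media pack" whose "videos" are really executables should never be opened. The script below is an added example, not code from the Krita project or from The Register. It assumes the allowed and lookalike domains named in the warnings (krita.org, krita-artists.org versus krita.io and krita.app) and builds a constructed stand-in for the described mediabank.zip in memory, so it runs offline; the file names inside it are invented for the example.

```python
"""Defender-side checks for the Krita collaboration phishing campaign.

Added example, not code from the Krita project. Assumptions:
  * legitimate mail comes from krita.org (e.g. foundation@krita.org) or
    the forum domain krita-artists.org, as stated in the warnings;
  * krita.io and krita.app are known lookalikes; any other domain that
    merely contains "krita" is treated as a lookalike as well;
  * the sample zip below is constructed here to mimic the described
    'mediabank.zip' (two "videos" that are really PE executables).
"""
import io
import zipfile
from email.utils import parseaddr

ALLOWED_DOMAINS = {"krita.org", "krita-artists.org"}
KNOWN_LOOKALIKES = {"krita.io", "krita.app"}

# Names a victim would expect in a "media pack"; an executable header behind
# one of these names is exactly the "programs masquerading as videos" case.
MEDIA_EXTENSIONS = {".mp4", ".mov", ".avi", ".mkv", ".png", ".jpg", ".psd", ".kra"}
PLAIN_EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")  # PE, ELF, script shebang


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of the address in a From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def classify_sender(from_header: str) -> str:
    """Classify a From: header as 'official', 'lookalike' or 'external'.

    'official'  : the domain is, or is a subdomain of, an allowed domain.
    'lookalike' : a known lookalike, or any other domain containing "krita".
    'external'  : everything else (not malicious by itself, just not Krita).
    """
    domain = sender_domain(from_header)
    for allowed in ALLOWED_DOMAINS:
        if domain == allowed or domain.endswith("." + allowed):
            return "official"
    if domain in KNOWN_LOOKALIKES or "krita" in domain:
        return "lookalike"
    return "external"


def suspicious_zip_entries(zip_bytes: bytes) -> list:
    """Return names of entries that are executables, judged by content or name.

    An entry is flagged when its first bytes carry an executable header
    (whatever the extension says) or when its extension is a plain
    executable type, which also catches double extensions like clip.mp4.exe.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            with zf.open(info) as fh:
                head = fh.read(4)
            if head.startswith(EXECUTABLE_MAGIC) or ext in PLAIN_EXEC_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def build_sample_mediabank() -> bytes:
    """Constructed sample zip: two fake 'videos' with PE headers, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("promo_video_1.mp4", b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
        zf.writestr("promo_video_2.mp4.exe", b"MZ\x90\x00")
        zf.writestr("brief.txt", b"Krita partner media brief\n")
    return buf.getvalue()


if __name__ == "__main__":
    for hdr in ("Krita Foundation <foundation@krita.org>",
                "Krita Partners <partners@krita.io>",
                "someone@example.com"):
        print(f"{hdr!r:45} -> {classify_sender(hdr)}")
    print("flagged entries:", suspicious_zip_entries(build_sample_mediabank()))
```

The sender check is deliberately strict in the direction the maintainers asked for: anything that merely contains "krita" but is not on the allowed list is reported as a lookalike rather than ignored. The zip check trusts the file header over the file name, so a renamed .exe is caught even without a double extension; a mail gateway or a user-side triage script can run both before a recipient ever sees the "offer".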

"I almost downloaded this," wrote artist and Krita user Philip Hartshorn, one of the targets of the ongoing attack, "as it's a fairly convincing collaboration email/offer. I just happened to check the Krita Twitter before I did."

The waters are slightly muddied by the fact that while krita.org is indeed the official domain for the software's distribution, the project maintains a second domain for its forum: krita-artists.org.

While the first reports of the attack date back to nearly a month ago, evidence shows it is ongoing with the most recent examples dating to 11 September. Many of the sites used in the attack, however, are no longer responding, with registrar Namecheap confirming at least one termination following user reports – but with the attackers jumping onto new domains, the battle continues.

Those looking to download the real Krita are advised to do so from the official website – and to delete any unexpected emails offering collaborations. ®
