Cyber criminals have been peddling a relatively new ransomware dubbed Kraken Cryptor, targeting victims in multiple countries.
An uptick in Kraken activity was observed at the end of September, when the security researcher ‘nao_sec’ spotted the Fallout Exploit Kit being used to deliver Kraken. Fallout was previously known to distribute GandCrab ransomware as well.
An excerpt of the Kraken ransomware threat as described in a recent McAfee blog post:
“Affiliates are given a new build of Kraken every 15 days to keep the payload fully undetectable from antimalware products. According to ThisWasKraken, when a victim asks for a free decryption test, the affiliate member should send one of the victim’s files with its associated unique key to the Kraken Cryptor ransomware support service. The service will decrypt the file and resend it to the affiliate member to forward to the victim. After the victim pays the full ransom, the affiliate member sends a percentage of the received payment to the RaaS developers to get a decryptor key, which is forwarded to the victim. This system ensures the affiliate pays a percentage to the affiliate program and does not simply pocket the full amount. The cut for the developers offers them a relatively safe way of making a profit without exposing themselves to the risk of spreading ransomware.”
This affiliate program and business model is known as Ransomware-as-a-Service (RaaS).
On October 21, the authors of Kraken released Version 2 of the affiliate program and lowered the developers’ profit percentage from 25% to 20%. This could be an attempt to increase the number of affiliates and the popularity of the service.
McAfee also listed the features of Kraken:
- Encoded in C# (.NET 3.5)
- Small stub size ~85KB
- Fully autonomous
- Collects system information as an encrypted message for reference
- File size limit for encryption
- Encryption speed faster than ever
- Uses a hybrid combination of encryption algorithms (AES, RC4, Salsa20) for secure and fast encryption with a unique key for each file
- Enables the use of a network resource and adds an expansion bypass mode for encrypting all files on non-OS disks
- Is impossible to recover data using a recovery center or tools without payment
- Added antidebug and antiforensic methods
A map was also provided showing the distribution of their victims across many countries. Bitcoin was the only form of currency accepted by the affiliate program.
See McAfee’s blog for details on the threat, including the Kraken Cryptor infection scheme, infrastructure, indicators of compromise and much more.