Researchers discovered the Kraken Cryptor ransomware has been gaining popularity after becoming part of an affiliate program with the Fallout exploit kit.
The research was performed in a collaboration by Alexandr Solad and Daniel Hatheway, intelligence analyst and senior threat intelligence analyst at Recorded Future, respectively, and Marc Rivero Lopez and John Fokker, threat researcher and head of cyber investigations for McAfee Advanced Threat Research, respectively.
Kraken ransomware as a service (RaaS) was first launched in mid-August on a Russian-language cybercrime forum by the user ThisWasKraken, the threat actor who operates the Kraken affiliate program; version 2 of the service was released recently. The researchers noted that prospective affiliates must pay $50 to be accepted into the Kraken RaaS program, and the developers then take a 20% cut of any ransom paid.
“Affiliates are given a new build of Kraken every 15 days to keep the payload fully undetectable from antimalware products. According to ThisWasKraken, when a victim asks for a free decryption test, the affiliate member should send one of the victim’s files with its associated unique key to the Kraken Cryptor ransomware support service,” Rivero Lopez and Fokker wrote in their analysis.
“The service will decrypt the file and resend it to the affiliate member to forward to the victim,” the researchers wrote. “After the victim pays the full ransom, the affiliate member sends a percentage of the received payment to the RaaS developers to get a decryptor key, which is forwarded to the victim.”
Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, based in Sunnyvale, Calif., said RaaS has been a trend since 2016.
“In the past, families like Petya, Misha, Satan, Cerber and GandCrab have been offered as RaaS products. RaaS lowers the barrier to entry for cybercrime, allowing even the least technical criminals to deploy ransomware and monetize exploits that are written by someone else,” Bilogorskiy wrote via email.
“Millennials and post-millennials prefer renting all things,” he continued. “As a result, the on-demand economy is on the rise with new marketplaces, such as Uber, TaskRabbit and Airbnb, that let people rent their time, goods and services. Malware actors are not immune from this and have also embraced the subscription model. That said, I expect that ransomware as a service is here to stay.”
In addition to regular updates of the Kraken ransomware, affiliates are promised 24/7 support. The researchers noted, however, that the RaaS comes with rules of use: ThisWasKraken forbids deploying the ransomware in many former Soviet bloc countries, as well as in Brazil, Syria and Iran. Infections have nevertheless been detected in some of those nations, which has led the researchers to suspect that the developers behind the Kraken ransomware may reside in one of them.
“The existence of the list of countries that are not allowed to be targeted indicates that the members of this possible international hacking group may reside in these nations,” Solad and Hatheway wrote in their blog post. “Such behavior is usually considered a security step by the criminals who do not want to be searched by local law enforcement agencies. Considering that ThisWasKraken is not a native English or Russian speaker, the possible residence of the actor may be Brazil or Iran.”
Justin Jett, director of audit and compliance at Plixer, based in Kennebunk, Maine, said he hasn’t seen any exploit kits other than Fallout using ransomware, “but it likely won’t be long before we see them.”
“A SaaS-type model for ransomware, just as with other services, [is] often preferred because they are quick to deploy and will provide faster, more cost-effective results,” Jett wrote via email. “Moves to turn ransomware into a service are very concerning. This signals a shift from individual actors building malware to a system where partnerships are being formed to wreak havoc on systems globally.”
“Routine backups are the most important way to protect against ransomware, but organizations should be sure to keep backups for long periods of time, because ransomware may wait months or years to show itself,” he continued. “And if you only have a backup for the past month and that backup has the ransomware, you won’t be protected.”
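Jett's point is easy to check against a concrete retention policy. The following is an added example, not code from the article or from any of the researchers quoted; it assumes a hypothetical grandfather-father-son schedule (one snapshot per day, Sunday snapshots promoted to weeklies, first-of-month snapshots promoted to monthlies) and a constructed policy of 30 daily, 12 weekly and 12 monthly copies. Given the date the payload is believed to have first landed, it lists the retained snapshots that predate the infection and are therefore safe to restore from.

```python
from datetime import date, timedelta

# Constructed retention policy for this example: number of daily, weekly and
# monthly snapshots kept. Not taken from the article.
POLICY = {"daily": 30, "weekly": 12, "monthly": 12}


def retained_snapshots(policy, today):
    """Snapshot dates a grandfather-father-son policy still holds on `today`.

    Assumed schedule (hypothetical): one snapshot per day; the Sunday snapshot
    is kept as the weekly copy; the first-of-month snapshot is kept as the
    monthly copy. Returns a set because the tiers overlap (a Sunday that is
    also within the daily window is one physical snapshot).
    """
    kept = set()

    # Daily tier: the last N calendar days, including today.
    for i in range(policy["daily"]):
        kept.add(today - timedelta(days=i))

    # Weekly tier: the last N Sundays. weekday() is Monday=0 .. Sunday=6,
    # so (weekday + 1) % 7 is the number of days back to the last Sunday.
    last_sunday = today - timedelta(days=(today.weekday() + 1) % 7)
    for i in range(policy["weekly"]):
        kept.add(last_sunday - timedelta(weeks=i))

    # Monthly tier: the first day of the current month and the N-1 before it.
    year, month = today.year, today.month
    for _ in range(policy["monthly"]):
        kept.add(date(year, month, 1))
        month -= 1
        if month == 0:
            month, year = 12, year - 1

    return kept


def clean_restore_points(policy, today, first_infection):
    """Retained snapshots taken strictly before the payload first landed.

    Anything taken on or after `first_infection` may already contain the
    dormant ransomware, which is exactly the trap Jett describes.
    """
    return sorted(d for d in retained_snapshots(policy, today)
                  if d < first_infection)


def has_clean_restore_point(policy, today, first_infection):
    """True if at least one retained snapshot predates the infection."""
    return bool(clean_restore_points(policy, today, first_infection))


if __name__ == "__main__":
    today = date(2018, 11, 1)  # constructed reference date
    # Payload assumed to have landed 200 days before detection.
    infected = today - timedelta(days=200)
    print("clean restore points:", clean_restore_points(POLICY, today, infected))
    # A dailies-only policy keeps nothing that predates a 200-day dwell time.
    short = {"daily": 30, "weekly": 0, "monthly": 0}
    print("dailies only, clean point exists:",
          has_clean_restore_point(short, today, infected))
```

With a 200-day dwell time only the monthly tier survives the infection date; the daily and weekly tiers are entirely post-compromise. Drop the monthly tier and there is no clean restore point at all, which is the scenario Jett warns about.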