In a joint investigation, cybersecurity research firms the Recorded Future and McAfee have discovered that Kraken Cryptor, a ransomware program gaining traction on the dark web, has expanded its market even further with a new distribution partner in the Fallout Exploit Kit.
Kraken Cryptor is able to prey on victims and gain revenue through its affiliate program, a ransomware-as-a-service (RaaS) model that was first discovered by security researchers back in August.
The malware was released through a Russian-language forum by a username observed as “ThisWasKraken.”
It has been a very popular program with many cybercriminals, mostly from the dark web, who are using it to exploit unsuspecting antivirus software consumers.
The cybercriminals are targeting users who go for the antivirus program known as SuperAntiSpyware.
Kraken Cryptor’s partnership with the Fallout Exploit Kit allows it new and expanded avenues to deliver the malware to customers.
Origins of Kraken
It was back in mid-September when the malware was reported to disguise as a cybersecurity solution on the website of SuperAntiSpyware, entirely affecting any user who attempted to download the legitimate software.
The Fallout Exploit Kit is popularly known by many for distributing the infamous GandCrab ransomware.
It’s an added advantage for the malware developers after partnering with the Fallout Exploit Kit to reach more criminal customers worldwide.
According to Recorded Future’s report, every affiliate partner associated with the Kraken ransomware-as-a-service must part with a fee to get exclusive access to the program.
It’s not common with most encrypted underground forums to ask for a registration fee, as most of the users gain trust for each other after referrals.
Key Features of the Ransomware
In a Russian-language forum on the dark web, the developer(s) of Kraken Cryptor listed out the features of the malware. To summarize, the key components included:
- The malware’s source code uses the programming language C# (.NET 3.5).
- The file size is small, at 85 KB.
- The malware is fully autonomous.
- The program collects the victim’s system information as an encrypted message for the affiliate to refer.
- It has a file size limit used in data encryption.
- Kraken uses a hybrid combination of encryption algorithms for secure and fast encryption. Each encrypted file has a unique key used by the administrators in regulating the affiliate members to remit their obligated cut.
- It’s also seen to enable the use of network resources, in addition to adding an expansion bypass mode which is used for encrypting files mostly on non-operating system disks.
- The developers made it impossible for any victim to recover the files using a recovery center or any other sophisticated tools without parting with the requested ransom.
- The developers were also intent on adding anti-debug and anti-forensic methods.
A Closer Look at Kraken
The developers of the Kraken Cryptor malware designed it to utilize an affiliate program to operate properly as a ransomware-as-a-service.
This is a popular business scheme which has been put in place by other ransomware families, including the notorious GandCrab ransomware.
According to the joint report, the researchers were able to note that the affiliate members were given a new version of the malware after every 15 days, which will entirely assist to keep the payload fully anonymous from the anti-malware installed by the victims and other targets.
As the researchers came to note, after an affected victim requested for a free decryption test, affiliate members were supposed to send one of the victim’s files accompanied by its associated key to the support service.
From there, they can then decrypt the files and return them to the same affiliate member to forward the decrypted file to the victim.
Immediately, the victim pays the whole agreed amount. The affiliate member is expected to calculate a given percentage of the received funds and send them to the Kraken developers.
The RaaS developers then send a decryptor key to the affiliate member who forwards it the victim to get access to their personal files.
This is a simple system which has been put in place by the developers to ensure the affiliate members do not rip them off their cut.
This method of making money through affiliate programs has been adopted by many developers to ensure they are relatively safe as they are not directly exposed to certain risks.
Researchers observed that in the current version of Kraken Cryptor, the developers have reduced their cut from 25 percent to 20 percent.
This is a move likely to attract many potential customers who will join their affiliate programs and therefore increase their returns.
Currently, to join the affiliate program, the developers are charging each account holder a fee of around $50.
According to Recorded Future and McAfee, the developers have listed a number of countries where the ransomware cannot be used.
The countries include Armenia, Azerbaijan, Belarus, Estonia, Georgia, Iran, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan.
Recently, the RaaS developers released a 2.0 version of the affiliate programs. It was during the same period that the Kraken Cryptor developers published a map that was showing the distribution of their affected victims per country.
In the map, it was clear that the malware had affected victims from countries that are listed previously with Kraken not available.
Use of Video Promotions
In the series of releases from version 1.2 to the latest 2.0 and above, the developers have been creating videos that are showcasing the capabilities of the malware to potential customers.
Researchers analyzed the video’s metadata which revealed that it was created along with the initial version that was released in August this year.
From the report, it is observed that the only mode of payment which is accepted by the Kraken Cryptor developers is Bitcoin.
The developers chose online gambling site BitcoinPenguin as a channel for laundering their revenue.
The report noted that BitcoinPenguin was likely chosen because it does not request for identity verification, in contrast to other online gambling platforms.
Latest posts by C.M. (see all)
- Australian Man Faces Charges for Running $17M Drug Syndicate on the Dark Web - April 23, 2019
- A Look at Baldr, a New Type of Malware Circulating in Hacking Forums - April 23, 2019
- Silk Road 2.0 Founder Sentenced to 5 Years in Prison - April 22, 2019