Kraken Cryptor ransomware merges with Fallout exploit kit, fees slashed to gain followers

The ransomware-as-a-service is attempting to drum up more business in the Internet's underbelly.

A new ransomware variant which is making waves in the Dark Web, Kraken Cryptor, has now been added to the Fallout exploit kit.

Collaborative research conducted by Insikt Group and McAfee, with the assistance of Recorded Future, has revealed the inclusion of the malware into the exploit kit as the latest development in the ransomware's sales and marketing push.

Kraken Cryptor -- not to be confused with the Kraken ransomware which was first distributed in 2016 -- is a new ransomware-as-a-service (RaaS) program which was spotted in August this year.

Only a month after its debut in a Russian-speaking underground forum, the malware appeared on the SuperAntiSpyware website, masquerading as a genuine anti-spyware program and infecting users who attempted to download legitimate SuperAntiSpyware software.

Kraken Cryptor is a form of ransomware which spreads through the typical spam and phishing campaign vectors but communicates with its victims via email rather than through a standard command-and-control (C2) setup.

This reduces the risk of exposure and closure by law enforcement, as there is no accessible, central panel in use which details the ransomware's activities or victims.

The latest version of the 32-bit ransomware, v.2.0.7 -- as described by the operator in a forum post -- is able to work both online and offline. Written in C#, Kraken Cryptor primarily targets Windows 8, 8.1, and 10 operating systems, utilizes AES-128/256 encryption and other ciphers, and is able to encrypt both hard drives and shared storage devices on a network.

The ransomware also downloads and executes a utility which overwrites all free space on an infected drive with zeros, which makes recovery far harder, and disables the recovery boot option.

The developer behind the ransomware goes by the name ThisWasKraken. The developer is a paid member -- a status which, generally speaking, is trusted less than the free accounts issued to prominent figures in the underground -- and distributes the malware through an affiliate program.

It is believed the developer is potentially part of a team which could be based in countries including Iran, Brazil, and former Soviet bloc areas.

In return for access to the ransomware-as-a-service (RaaS) product, users pay a percentage of their illicit proceeds to the developers. In order to drum up more interest, the threat actors behind Kraken Cryptor have recently slashed their profit margin from 25 percent to 20 percent.

Bitcoin is the only virtual currency at present which is accepted for blackmail payments. The researchers say that an online gambling website, BitcoinPenguin, has been chosen as the "primary money laundering conduit."

"Although not unusual, it is still very uncommon for criminal actors -- specifically ransomware operators -- to depart from more traditional cryptocurrency exchangers when laundering stolen funds," the researchers note. "It is likely that one of the decisive factors for this unusual choice was due to the fact that BitcoinPenguin does not require any identity verification of its members, allowing anyone to maintain an anonymous cryptocurrency wallet there."

The malware is now being delivered through the Fallout exploit kit which has been connected to the distribution of the Gandcrab ransomware in recent months.

Forum messages posted by ThisWasKraken indicate that alongside the affiliate program and addition of the exploit kit as an infection vector, the threat actors are also purchasing hijacked Internet traffic.

There is a twist when it comes to victims, however.

In the same manner as Gandcrab operators, who had a change of heart when it came to blackmailing victims in war-torn Syria, the Kraken Cryptor RaaS will not permit targets in countries including Syria, Brazil, Iran, and Armenia, among others -- many of which are in the former Soviet bloc.

"The existence of the list of countries that are not allowed to be targeted indicates that the members of this possible international hacking group may reside in these nations," the team says. "Such behavior is usually considered as a security step by the criminals who do not want to be searched by local law enforcement agencies."

Affiliate programs, exploit kits, and enticing 'licensing' deals for the ransomware, all established in only a few months, suggest that this is a threat to watch in the cybercrime space.
