Encryptor RaaS: Yet another new Ransomware-as-a-Service on the Block

[queryFrequency]

Article: http://blog.fortinet.com/post/encryptor-raas-yet-another-new-ransomware-as-a-service-on-the-block
Link: http://encryptor3awk6px.onion/

Fortinet recently encountered a new Ransomware-as-a-Service (RaaS) advertisement called “Encryptor RaaS”. The service is advertised on an onion-based domain via Tor2Web service and Fortinet detects the associated ransomware as W32/Cryptolocker.ABD9!tr.

Did a quick test: https://vid.me/dUi8

[iTpHo3NiX]

For clear web access, https://encryptor3awk6px.onion.to

From the deep web site:
Welcome to Encryptor RaaS. (Ransomware as a Service)

The bitcoin address acts as an identifier, so don't use a shared bitcoin address!
I'm taking a 20% fee for myself.

Once set, the settings can't be changed by yourself at the moment. If you want to change something, either use a new bitcoin address or contact me by using the comments field.
The price will be changed for past and future victims. The timeout will only be changed for future victims.
Notice: The payments need to be cleared manually for security reasons, this will take at most two days.
Notice: If the encryptor or the decryptor won't work for some reason or if it's detected by AV solutions, try to redownload it, as I regularly rework the server and the exe files.

I find these services pretty interesting and nothing like seeing an encrypted hostage situation of files. Interesting find

[Deque]

Yes, interesting, but what I have seen from this specific ransomware so far was rather noobish.
E.g. the first versions of it had plain strings for the ransom notes saying "encrypted by RaaS". The following versions weren't much better, although the ransom note was gone.

[jeiphoos]

Hello,

I just found this thread.

Deque, do you have an idea on how to improve my ransomware?

AFAIK, ransomware isn't complex and I simply don't know a way in order to make it more "sophisticate", whatever that may mean.

Kind regards,
jeiphoos

Notice:
http://encryptor3awk6px.onion/evilzone.org

[queryFrequency]

Hello,

I just found this thread.

Deque, do you have an idea on how to improve my ransomware?

AFAIK, ransomware isn't complex and I simply don't know a way in order to make it more "sophisticate", whatever that may mean.

Kind regards,
jeiphoos

Notice:
http://encryptor3awk6px.onion/evilzone.org

You're the author? Interesting. First of all, make the web page that pops up more professional and serious. And make it state in exact detail how to purchase bitcoins. And don't put the text in the middle. Like how cryptowalls page was.

Oh, also don't make a german version of that .txt file. Hell, I even recommend against even providing that .txt there at all.

Make it terminate popular AV processes so people can upload it onto bot networks.

Persistence, start up, escalation. Don't use .cab, use .city or torexplorer.

cryptowall:


Summary:
More user friendly and serious web page.
A chat box on your site.

eh. lazy here. read it.

[jeiphoos]

You're the author? Interesting. First of all, make the web page that pops up more professional and serious. And make it state in exact detail how to purchase bitcoins. And don't put the text in the middle. Like how cryptowalls page was.

Thank you very much for your suggestions. I will consider them.

Oh, also don't make a german version of that .txt file. Hell, I even recommend against even providing that .txt there at all.

I saw how many german-speaking (even young) people don't even know an english word, beside those, which already are in a german dictionary, so I don't see this as an option.
I don't see why I shouldn't provide a readme file. What are your ideas to that, maybe a link to the victim website on all writable desktops and root directories?

Make it terminate popular AV processes so people can upload it onto bot networks.

I don't see AV-killing as a duty of my ransomware. Also, if a computer already is a zombie on a botnet, I can't imagine how AVs could be a problem.

Persistence, start up, escalation.

What do you mean by that?

Don't use .cab, use .city or torexplorer.

I'm now using .link for that. (Which was .city, as far as I can see. Thank you.)

cryptowall:


Summary:
More user friendly and serious web page.
A chat box on your site.

eh. lazy here. read it.

I will consider it.

[queryFrequency]

I don't see why I shouldn't provide a readme file. What are your ideas to that, maybe a link to the victim website on all writable desktops and root directories?

Since the user will become suspicious and either restart their computer into safe mode and delete it, or do all they can to kill the process. It's obvious.

I don't see AV-killing as a duty of my ransomware. Also, if a computer already is a zombie on a botnet, I can't imagine how AVs could be a problem.

Most botnet owners uses crypting to infect users. And if the victim doesn't have a AV, it most likely means they don't care if they get infected, hence they probably won't bother to pay. If they use anti-virus, they probably care for their files.

What do you mean by that?

Ignore persistence. Start-up as in, if they install new content, it encrypts it again on startup. Escalation so they can't kill off the process when they notice malware is running.

I'm now using .link for that. (Which was .city, as far as I can see. Thank you.)

Cool. The .cab one had an annoying pop-up.

[Deque]

Welcome to EZ, jeiphoos.

Deque, do you have an idea on how to improve my ransomware?

AFAIK, ransomware isn't complex and I simply don't know a way in order to make it more "sophisticate", whatever that may mean.

I love to help people out improving their software, I had never taken down any request like that in the past; but in this case helping you is in conflict with my job (and conscience too, but that's another topic).
I rate it highly that you ask the way you ask.

I would probably take part in a discussion about what makes ransomware sophisticated.
Although you are right that it is not complex, there are still only very few ransomware families that get everything right.
See also http://www.eurecom.fr/en/publication/4548/download/rs-publi-4548.pdf

Our results show that, despite a continuous improvement in the encryption, deletion and communications techniques in the main ransomware families, the number of families with sophisticated destructive capabilities remains quite small.

[jeiphoos]

Since the user will become suspicious and either restart their computer into safe mode and delete it, or do all they can to kill the process. It's obvious.

I'm writing the readme file to the working directory of the executable in any case even before the encryption takes place. But I'm now doing the loop twice. At the first time I'm just encrypting the files and on the second time I'm writing the readme files in the directories. Additionally, I'm closing the task manager window (very) regularly.

Most botnet owners uses crypting to infect users. And if the victim doesn't have a AV, it most likely means they don't care if they get infected, hence they probably won't bother to pay. If they use anti-virus, they probably care for their files.

I always strive for FUD on VirusTotal. I know, that the AV versions on VirusTotal may not check for the same cases as a regular desktop version.
My "customers" can pack/crypt the executables as they want, as long as the execution isn't fileless (in-memory) for now. "GetModuleFileName" have to return a valid exe or dll, so GetBinaryType have to either success or fail and give the lastError ERROR_BAD_EXE_FORMAT.

Ignore persistence. Start-up as in, if they install new content, it encrypts it again on startup. Escalation so they can't kill off the process when they notice malware is running.

I didn't planned persistence (continuous running). I'm now writing it to the HKLM Run, if that fails to the HKCU Run. I'm now closing the task manager window (very) regularly.

Welcome to EZ, jeiphoos.

I love to help people out improving their software, I had never taken down any request like that in the past; but in this case helping you is in conflict with my job (and conscience too, but that's another topic).
I rate it highly that you ask the way you ask.

Thank you very much for your answer. I had and have quite many conflicting interests at my current and past positions. I guess, that I have to choose another occupation group.

I would probably take part in a discussion about what makes ransomware sophisticated.
Although you are right that it is not complex, there are still only very few ransomware families that get everything right.
See also http://www.eurecom.fr/en/publication/4548/download/rs-publi-4548.pdf

Such a discussion would be quite philosophic. I already clear the shadow volumes, I do the encryption in-place, I use RC6 and on the server-side I have random delays before and after the RSA decryption in order to confront time-based attacks on the key, so I guess that I'm good to go.
Thank you for the link.

[queryFrequency]

Awesome. Good luck with your project.