Kraken Cryptor

Kraken Cryptor is a type of Ransomware-as-a-Service (RaaS) targeting Windows OS and is distributed through various infection methods. Several versions of Kraken Cryptor ransomware have been identified: 1.2, 1.3, 1.5, 1.53, and 1.6.

Kraken Cryptor 1.5 initially spread in September 2018 by disguising itself as the legitimate anti-malware solution, SUPERAntiSpyware. The malicious file deceived users because it was available for download from SUPERAntiSpyware’s official website and used an icon identical to that of the legitimate software. Additionally, an extra ‘s’ was appended to the end of the malicious file name, SUPERAntiSpywares.exe, making it nearly identical to the authentic name. It is unclear how users were directed to the malicious download link; however, users who installed from any normal links received the legitimate software download and were unaffected. The fraudulent installer is no longer available on superantispyware.com.

In October 2018, both Kraken Cryptor 1.5 and 1.6 were distributed via the Fallout Exploit Kit (EK). Victims came into contact with the malware by visiting compromised websites that eventually redirected them to a page hosting the Fallout EK. The EK attempts to exploit the Windows CVE-2018-8174 VBScript vulnerability to install the ransomware.

Once installed, Kraken Cryptor creates a file called C:\ProgramData\Safe.exe. Safe.exe enumerates Event Viewer logs in a C:\ProgramData\EventLog.txt file, and then deletes all the listed logs. The ransomware checks its host for the country of origin, and may not encrypt the device if it is located in a certain region. The ransomware terminates multiple system processes on the computer in order to begin encrypting files. Kraken Cryptor also downloads SDelete from the Sysinternals site and executes a release.bat batch file to overwrite all free space on the victim’s drive with zeros, making it difficult to recover files and causing the computer to shut down, delete Windows backups, disable startup recovery, and delete any shadow volume copies.

In the SUPERAntiSpyware 1.5 distribution, encrypted file names are incremented numerically with a .onion extension in the form 00000000-Lock.onion, 00000001-Lock.onion, 00000002-Lock.onion, etc. A ransom note titled #How to Decrypt Files.html is placed into every encrypted folder. It demands bitcoin be paid to shortmangnet@420blaze.it or BM-2cUEkUQXNffBg89VwtZi4twYiMomAFzy6o@bitmessage.ch in exchange for decryption.

In the Fallout EK 1.6 distribution, files are renamed with a random name and random extension. A ransom note titled #How to Decrypt Files.html is placed into every encrypted folder. It demands bitcoin be paid to onionhelp@memeware.net or BM-2cWdhn4f5UyMvruDBGs5bK77NsCFALMJkR@bitmessage.ch.
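The file-system artifacts described above can be checked against an exported file listing during triage. The following is an added example, not code from the original profile; the function name `triage`, the verdict strings, and the sample paths are assumptions made for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Indicators from the profile above; compared lowercased (Windows paths are case-insensitive).
FULL_PATHS = {r"c:\programdata\safe.exe": "Safe.exe artifact",
              r"c:\programdata\eventlog.txt": "event log enumeration list"}
BASE_NAMES = {"superantispywares.exe": "fake installer name (extra 's')",
              "release.bat": "wipe batch file name (generic, low confidence)"}
RANSOM_NOTE = "#how to decrypt files.html"
LOCK_NAME = re.compile(r"\d{8}-lock\.onion")  # 1.5 naming, e.g. 00000000-Lock.onion

def triage(paths):
    """Return (host-level hits, per-directory verdicts) for a file listing."""
    hits, dirs = [], defaultdict(lambda: {"note": False, "locked": 0})
    for raw in paths:
        norm = ntpath.normpath(raw.strip()).lower()
        folder, name = ntpath.split(norm)
        reason = FULL_PATHS.get(norm) or BASE_NAMES.get(name)
        if reason:
            hits.append((raw, reason))
        if name == RANSOM_NOTE:
            dirs[folder]["note"] = True
        elif LOCK_NAME.fullmatch(name):
            dirs[folder]["locked"] += 1
    verdicts = {}
    for folder, ev in dirs.items():
        if ev["note"] and ev["locked"]:
            verdicts[folder] = "1.5 pattern: note plus %d Lock.onion files" % ev["locked"]
        elif ev["note"]:
            # 1.6 renames files randomly, so the note is the only fixed marker.
            verdicts[folder] = "note only: consistent with 1.6 random renaming"
        else:
            verdicts[folder] = "Lock.onion names without a note: review manually"
    return hits, verdicts

# Constructed sample listing (hypothetical users and paths, not incident data).
SAMPLE = [
    r"C:\ProgramData\Safe.exe",
    r"C:\Users\alice\Downloads\SUPERAntiSpywares.exe",
    r"C:\Users\alice\Documents\00000000-Lock.onion",
    r"C:\Users\alice\Documents\00000001-Lock.onion",
    r"C:\Users\alice\Documents\#How to Decrypt Files.html",
    r"C:\Users\bob\Pictures\#How to Decrypt Files.html",
    r"C:\Users\bob\Pictures\qzkvfjpa.xbtw",
    r"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because the 1.6 distribution uses random names and extensions, the ransom note is the only stable per-folder marker for it; the legitimate SUPERAntiSpyware.exe binary is deliberately not flagged.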

There is currently no decryption tool available for the Kraken Cryptor ransomware. It is recommended you restore from Shadow Volume Copies or backups, if available.

UPDATE 10/31/18: A new version of Kraken Cryptor, v.2, is also being marketed on the dark web as a ransomware-as-a-service (RaaS). Affiliates who sign up to create their own ransomware campaigns currently receive an 80 percent commission from each victim’s ransom payment.

Technical Details & Reporting:

  • September 2018: Kraken Cryptor Ransomware Masquerading as SUPERantispyware Security Program (Bleeping Computer)

  • October 2018: Fallout Exploit Kit Now Installing the Kraken Cryptor Ransomware (Bleeping Computer)

  • October 2018: Kraken Cryptor Ransomware Connecting to BleepingComputer During Encryption (Bleeping Computer)

  • October 2018: Kraken Cryptor Ransomware Gains Popularity Among Cybercriminals (Recorded Future)