The Rise and Fall of Encryptor RaaS
by Stephen Hilt and Fernando Mercês
Back in July 2015, a new ransomware as a service named “Encryptor RaaS” (detected by Trend Micro as RANSOM_CRYPRAAS.SM) entered the threat scene, rivaling or at least expecting to succeed the likes of similar get-rich-quick schemes from Tox and ORX Locker. The newcomer appeared to be a dark horse: it was multiplatform, had an appealing price, and empowered budding malefactors an easier entry point to cybercrime. It posed a considerable threat to users and businesses, as Encryptor RaaS attacks can vary based on the customizations applied by the affiliate.
Encryptor RaaS’s purveyor created a full web panel for his patrons, accessible only via the Tor network, that enabled them to manage victims’ systems. Bitcoin was the preferred transaction currency. Compared to other ransomware such as Cerber, whose developers earn 40% in commissions, Encryptor RaaS has a more attractive proposition. Affiliates only had to dole out at least 5% of their revenue to continue distributing the ransomware.
As early as March 2016, we noticed that Encryptor RaaS’s developer exerted great effort to make it ‘fully undetectable.’ This included signing the ransomware with valid certificates, as well as frequently using counter-AV services and crypters.
Four months after, however, the service abruptly closed up shop. The good: one less ransomware to be worried about. The bad: the developer decided to wipe the master key. The ugly: victims can no longer recover their encrypted files. What made Encryptor RaaS suddenly crash and burn?
The Modus Operandi
Encryptor RaaS’s service was advertised in surface web and darknet forums. Malefactors need only contact the developer via his Tor site to show interest. No technical expertise is needed, apart from knowing how to set up a Bitcoin Wallet ID, which will be attached to the ransomware they will distribute. They also get a “customer ID,” so each file has a unique “owner.” Affiliates can specify the ransom amount and choose which methods to use to spread their bespoke malware.
Written purely in C language, Encryptor RaaS uses a combination of RC6 and RSA-2048 algorithms to encrypt 231 file types. It also generates an ID that victims can use to access its web panel and read payment instructions.
Encryptor RaaS’s entire infrastructure is hidden within the Tor network. Naturally, victims were instructed to use services such as Tor2Web or the Tor Browser to access it. Victims could use a chat box to reach out to the cybercriminals. The bad guys often limited their communication to curt phrases along the lines of, “just pay the ransom and you’ll have your files back.”
Ahead of the Curve?
To stay in the game means to get his customers’ business, which requires that the malware has to pique more distributors’ interest (read: making it more resistant to AV detection). To that end, the developer started offering a file-signing service for his affiliates, too. The purveyor touted he had access to various stolen Authenticodes that allowed him to sign Encryptor RaaS samples for free, apart from making them available via auctions.
Figure 5. One of the certificates used to sign Encryptor RaaS samples for Windows; abusing and stealing digital certificates, especially those issued by open certificate authorities, are one of the many methods cybercriminals use to hide their malware from AV detection.
The developer’s efforts bore fruit—to an extent. Encryptor RaaS was often enhanced to become as ‘fully undetectable’ as possible. The ransomware was fairly successful in evading AV detection: 2 out of 35 in terms of pure static engine analysis, excluding modern AV features such as behavioral detection. Another variant (RANSOM_CRYPRAAS.B) was also released that targeted Linux servers and desktops, which we’ve confirmed to work as advertised.
Encryptor RaaS’s developer goes by the handle “jeiphoos,” who has been notably very active in underground forums, even social media. After scouring the web, we found a Facebook post written by a certain individual who may be directly involved with the ransomware’s infrastructure. Coincidence? The Facebook status update, published last March 1, matched the time Encryptor RaaS resurfaced with a new variant. He also had a keen interest in Bitcoin transactions, as shown in his Twitter account.
Crossing the Rubicon
Encryptor RaaS seemed to be on a roll. Early into the investigation, however, one of its C&C servers—either abandoned by the developer or mistakenly left open to anyone on the Internet—was exposed and not anonymized by Tor. Accordingly indexed by Shodan, Encryptor RaaS was found hosting its systems on a legitimate cloud service. By late June, one of the systems was seized.
Encryptor RaaS’s entire infrastructure was immediately taken down, presumably as a precautionary measure by its developer. A few days later, three more of his servers were seized. After bringing the entire system back online after four days, however, the developer suddenly called it quits.
The abrupt shutdown notice immediately cascaded to all the main pages of decryptor sites, and Encryptor RaaS’s main site: its systems will be shut down by midnight, without releasing the master key. We combed through Encryptor RaaS sites to determine when “midnight” exactly was, and if the time of reference was the developer’s local time zone.
A nifty tidbit: as early as April 2016, the support chat/forum for affiliates was already rife with bad blood between the developer and certain frequenters of the site, some of whom claimed to have bought the ransomware service. Encryptor RaaS’s systems went down around 5 PM GMT on July 5, 2016, with the developer leaving victims a message that they can no longer recover their files, as he deleted the master key.
The rise and fall of Encryptor RaaS is a medley of different stories: the appeal of getting rich quick with the littlest effort, an intriguing chain of events seemingly triggered by a blunder, and how it best exemplifies that there’s no honor among thieves. The key takeaway? What’s priceless to the victims essentially means nothing to these bad guys.
Trend Micro Ransomware Solutions
Encryptor RaaS’s downfall highlights the havoc ransomware can wreak to individual users and businesses. It also underscores the importance of a sound backup strategy, as well as a proactive, multilayered approach to security—from the gateway, endpoints, and networks to servers.
Trend Micro detects Encryptor RaaS as RANSOM_CRYPRAAS.SM, and RANSOM_CRYPRAAS.B for the Linux variant. The indicators of compromise (IoCs)/related hashes for unsigned, signed, and Linux variants can be found in our appendix.
Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.Ransomware Behavior MonitoringApplication ControlVulnerability ShieldingWeb Security
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.Network Traffic ScanningMalware SandboxLateral Movement Prevention
Trend Micro Deep SecurityTM detects and stops suspicious network activity and shields servers and applications from exploits.Webserver ProtectionVulnerability ShieldingLateral Movement Prevention
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
Protection for Small-Medium Businesses
Trend Micro Worry-FreeTM Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.Ransomware behavior monitoringIP/Web Reputation
Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.IP/Web ReputationRansomware Protection