The Rise and Fall of Encryptor RaaS

by Stephen Hilt and Fernando Mercês

Back in July 2015, a new ransomware-as-a-service offering named “Encryptor RaaS” (detected by Trend Micro as RANSOM_CRYPRAAS.SM) entered the threat scene, rivaling, or at least hoping to succeed, similar get-rich-quick schemes such as Tox and ORX Locker. The newcomer appeared to be a dark horse: it was multiplatform, had an appealing price, and gave budding malefactors an easier entry point into cybercrime. It posed a considerable threat to users and businesses, since Encryptor RaaS attacks can vary based on the customizations applied by each affiliate.

Encryptor RaaS’s purveyor created a full web panel for his patrons, accessible only via the Tor network, that enabled them to manage victims’ systems. Bitcoin was the preferred transaction currency. Compared to other ransomware such as Cerber, whose developers take a 40% commission, Encryptor RaaS had a more attractive proposition: affiliates only had to hand over at least 5% of their revenue to continue distributing the ransomware.

As early as March 2016, we noticed that Encryptor RaaS’s developer exerted great effort to make it ‘fully undetectable.’ This included signing the ransomware with valid certificates, as well as frequently using counter-AV services and crypters.

Four months later, however, the service abruptly closed up shop. The good: one less ransomware to worry about. The bad: the developer decided to wipe the master key. The ugly: victims can no longer recover their encrypted files. What made Encryptor RaaS suddenly crash and burn?


The Modus Operandi

Encryptor RaaS’s service was advertised in surface web and darknet forums. Would-be distributors needed only to contact the developer via his Tor site to express interest. No technical expertise was needed, apart from knowing how to set up a Bitcoin wallet ID, which was attached to the ransomware they would distribute. They also received a “customer ID,” so each file had a unique “owner.” Affiliates could specify the ransom amount and choose which methods to use to spread their bespoke malware.

Written purely in C, Encryptor RaaS uses a combination of the RC6 and RSA-2048 algorithms to encrypt 231 file types. It also generates an ID that victims can use to log in to its web panel and read payment instructions.


Figure 1. The ransom note left in each folder of an encrypted volume, written in English and German
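The two artifacts described above (a volume full of files whose contents have been replaced by ciphertext, and a ransom note dropped into every folder) are exactly what a responder can triage with simple heuristics. The following Python script is an added example written for this article, not code from Trend Micro or from the ransomware: it flags files whose content is near-random and no longer carries the header their extension promises, and it flags any small file whose name recurs across several folders as a note candidate. The magic-byte table, the entropy threshold, the folder count, the note filename (HOW_TO_RECOVER.txt) and the whole sample directory tree are constructed for the demonstration and are not Encryptor RaaS’s real values.

```python
"""Heuristic triage of a directory tree hit by file-encrypting ransomware.

Added example; the magic-byte table, thresholds, note name and sample files
are constructed, not taken from any real sample.
"""
import math
import os
import random
import tempfile
from collections import Counter, defaultdict

# Constructed lookup of leading magic bytes for a few document types.
# Assumption: this small table stands in for a fuller signature database.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".docx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}

ENTROPY_THRESHOLD = 7.5   # bits per byte; text is ~4-5, ciphertext is close to 8
NOTE_MIN_DIRS = 3         # same filename in this many folders => note candidate
NOTE_MAX_BYTES = 16 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """Flag a file whose content is near-random AND does not start with the
    header its extension promises. Compressed formats such as PNG are also
    high-entropy, so entropy alone would produce false positives there."""
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    header_ok = expected is not None and head.startswith(expected)
    return not header_ok and shannon_entropy(head) > ENTROPY_THRESHOLD


def triage(root: str) -> dict:
    """Walk `root`; return suspected encrypted files and ransom-note candidates."""
    encrypted = []
    dirs_by_name = defaultdict(set)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) <= NOTE_MAX_BYTES:
                dirs_by_name[name].add(dirpath)
            if looks_encrypted(full):
                encrypted.append(os.path.relpath(full, root))
    notes = sorted(n for n, d in dirs_by_name.items() if len(d) >= NOTE_MIN_DIRS)
    return {"encrypted": sorted(encrypted), "notes": notes}


def build_sample_tree() -> str:
    """Constructed sample volume: intact files, three 'encrypted' ones, and a
    note dropped in every folder (the note name is made up, not the real one)."""
    rng = random.Random(2016)  # seeded so the 'ciphertext' is reproducible
    root = tempfile.mkdtemp(prefix="raas_triage_")
    files = {
        "finance/report.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40,
        "finance/budget.docx": rng.randbytes(4096),                        # no ZIP header
        "photos/holiday.png": b"\x89PNG\r\n\x1a\n" + rng.randbytes(4096),  # genuine PNG
        "photos/cat.jpg": rng.randbytes(3000),                             # no JPEG header
        "docs/todo.txt": b"buy milk, call the bank, renew passport\n" * 60,
        "docs/memo.txt": rng.randbytes(2048),                              # unknown type
    }
    note = b"Your files were encrypted. Visit the panel to pay.\n"  # constructed text
    for folder in ("finance", "photos", "docs"):
        files[f"{folder}/HOW_TO_RECOVER.txt"] = note
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print("suspected encrypted:", result["encrypted"])
    print("ransom-note candidates:", result["notes"])
```

The header check matters more than the entropy value on its own: the genuine PNG in the sample is just as high-entropy as the ciphertext, and only its intact magic bytes keep it off the list. In a real incident the same two signals (content no longer matching its extension, one filename repeated in every folder) are what separate an encrypted share from a merely compressed one.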


Encryptor RaaS’s entire infrastructure is hidden within the Tor network. Naturally, victims were instructed to use services such as Tor2Web or the Tor Browser to access it. Victims could use a chat box to reach out to the cybercriminals. The bad guys often limited their communication to curt phrases along the lines of, “just pay the ransom and you’ll have your files back.”


Figure 2. Web panel log-in interface for victims


Figure 3. Snapshot of the page a victim is redirected to after logging in to the web panel


Ahead of the Curve?

Staying in the game meant keeping his customers’ business, which in turn required the malware to pique more distributors’ interest (read: making it more resistant to AV detection). To that end, the developer also started offering a file-signing service for his affiliates. The purveyor touted that he had access to various stolen Authenticode certificates, which allowed him to sign Encryptor RaaS samples for free; he also put them up for auction.


Figure 4. The developer giving stolen Authenticodes to the highest bidder


Figure 5. One of the certificates used to sign Encryptor RaaS samples for Windows; abusing and stealing digital certificates, especially those issued by open certificate authorities, is one of the many methods cybercriminals use to hide their malware from AV detection.


The developer’s efforts bore fruit, to an extent. Encryptor RaaS was repeatedly enhanced to become as ‘fully undetectable’ as possible. The ransomware was fairly successful in evading AV detection, with a rate of 2 out of 35 in pure static engine analysis, excluding modern AV features such as behavioral detection. Another variant (RANSOM_CRYPRAAS.B) was also released that targeted Linux servers and desktops, which we’ve confirmed works as advertised.


Figure 6. Encryptor RaaS’s detection rate as of May 5, 2016


Encryptor RaaS’s developer goes by the handle “jeiphoos” and has been notably active in underground forums and even on social media. After scouring the web, we found a Facebook post written by a certain individual who may be directly involved with the ransomware’s infrastructure. Coincidence? The Facebook status update, published last March 1, matched the time Encryptor RaaS resurfaced with a new variant. He also had a keen interest in Bitcoin transactions, as shown in his Twitter account.


Figure 7. A Facebook status update flaunting Encryptor RaaS’s features (left); snapshot of the Twitter account (right)


Crossing the Rubicon

Encryptor RaaS seemed to be on a roll. Early into the investigation, however, one of its C&C servers (either abandoned by the developer or mistakenly left open to anyone on the Internet) was exposed and not anonymized by Tor. Because it was indexed by Shodan, Encryptor RaaS was found to be hosting its systems on a legitimate cloud service. By late June, one of the systems was seized.


Figure 8. Search result for “Encryptor RaaS” on Shodan (left); snapshot showing one of the C&C servers seized (right)

Encryptor RaaS’s entire infrastructure was immediately taken down, presumably as a precautionary measure by its developer. A few days later, three more of his servers were seized. The developer brought the entire system back online four days later, but then suddenly called it quits.


Figure 9. The developer stating that three of Encryptor RaaS’s servers were seized


Figure 10. Encryptor RaaS’s developer shutting down his operation

The abrupt shutdown notice immediately cascaded to the main pages of the decryptor sites and to Encryptor RaaS’s main site: its systems would be shut down by midnight, without releasing the master key. We combed through the Encryptor RaaS sites to determine exactly when “midnight” was, and whether the time of reference was the developer’s local time zone.


Figure 11. The message shown to victims after the shutdown notice

A nifty tidbit: as early as April 2016, the support chat/forum for affiliates was already rife with bad blood between the developer and certain frequenters of the site, some of whom claimed to have bought the ransomware service. Encryptor RaaS’s systems went down around 5 PM GMT on July 5, 2016, with the developer leaving victims a message that they can no longer recover their files, as he deleted the master key.


Figure 12. The developer’s last message to victims

The rise and fall of Encryptor RaaS is a medley of different stories: the appeal of getting rich quick with the least effort, an intriguing chain of events seemingly triggered by a blunder, and a textbook case of there being no honor among thieves. The key takeaway? What’s priceless to the victims essentially means nothing to these bad guys.


Trend Micro Ransomware Solutions

Encryptor RaaS’s downfall highlights the havoc ransomware can wreak on individual users and businesses. It also underscores the importance of a sound backup strategy, as well as a proactive, multilayered approach to security, from the gateway, endpoints, and networks to servers.

Trend Micro detects Encryptor RaaS as RANSOM_CRYPRAAS.SM, and the Linux variant as RANSOM_CRYPRAAS.B. The indicators of compromise (IoCs) and related hashes for the unsigned, signed, and Linux variants can be found in our appendix.


PROTECTION FOR ENTERPRISES

  • Endpoint Protection

    Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

    Ransomware Behavior Monitoring
    Application Control
    Vulnerability Shielding
    Web Security
  • Network Protection

    Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

    Network Traffic Scanning
    Malware Sandbox
    Lateral Movement Prevention
  • Server Protection

    Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.

    Webserver Protection
    Vulnerability Shielding
    Lateral Movement Prevention

PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS

  • Protection for Home Users

    Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

    IP/Web Reputation
    Ransomware Protection


Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 29. September 2016, content source with full text you can find at link above.