A recent version, Kraken Cryptor 1.5, poses as the SuperAntiSpyware program to manipulate users into installing it.
PUBLISH DATE: 17-09-2018
August 2018 saw the advent of a newer ransomware called Kraken Cryptor, whose latest version, Kraken Cryptor 1.5, masquerades as the legitimate SuperAntiSpyware anti-malware program so that users may be tricked into installing it. Once your files are encrypted, there is no free way of getting them decrypted.
The incident started when someone with malicious intent gained access to the superantispyware.com site and distributed the ransomware from there.
The Kraken Cryptor installer spotted on VirusTotal was named SUPERAntiSpywares.exe, an imitation of the original SuperAntiSpyware filename with an additional s. The malicious executable has since been removed from the website. Beyond the filename, the ransomware also uses the SuperAntiSpyware icon.
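One defensive check this lookalike filename suggests is screening process-creation or download logs for image names that sit within one edit of a trusted vendor binary. The script below is an added example, not code from the article or from SuperAntiSpyware; the trusted-name list and the log lines are constructed for the demonstration, and the log format is an assumption.

```python
"""Flag executable names that imitate a trusted binary by a single edit.

Added example: SUPERAntiSpywares.exe is SUPERAntiSpyware.exe plus one
letter, so a small edit distance against an allow-list catches it while an
exact match (the real product) is left alone.
"""
import ntpath

# Assumed allow-list of legitimate binaries (hypothetical, trimmed to one entry).
TRUSTED_BINARIES = ["SUPERAntiSpyware.exe"]

# Constructed log lines in an assumed "<timestamp> ProcessCreate image=<path>" format.
LOG = [
    "2018-09-14T10:02:11Z ProcessCreate image=C:\\Users\\alice\\Downloads\\SUPERAntiSpywares.exe",
    "2018-09-14T10:05:40Z ProcessCreate image=C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe",
    "2018-09-14T10:07:02Z ProcessCreate image=C:\\Windows\\System32\\notepad.exe",
]


def edit_distance(a, b):
    """Levenshtein distance between two strings, compared case-insensitively."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_of(filename, trusted=TRUSTED_BINARIES, max_distance=1):
    """Return the trusted name this filename imitates, or None.

    Distance 0 is an exact match (the genuine binary) and is not reported.
    """
    best = None
    for legit in trusted:
        d = edit_distance(filename, legit)
        if 0 < d <= max_distance and (best is None or d < best[1]):
            best = (legit, d)
    return best[0] if best else None


def scan_log(lines):
    """Return (image name, imitated trusted name) for each lookalike in the log."""
    hits = []
    for line in lines:
        if "image=" not in line:
            continue
        image = ntpath.basename(line.split("image=", 1)[1].strip())
        legit = lookalike_of(image)
        if legit:
            hits.append((image, legit))
    return hits


if __name__ == "__main__":
    for image, legit in scan_log(LOG):
        print(f"lookalike: {image} imitates {legit}")
```

A distance threshold of one is deliberately tight; raising it catches more typosquats but starts matching unrelated short names, so pair it with a path or signer check in practice.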
Users who were redirected to the SUPERAntiSpywares.exe executable and ran it found their files encrypted. The ransomware carries an embedded configuration file, which is easy to extract, listing its modules and whether each is enabled, processes to stop, the public encryption key, contact emails, ransom prices, extensions to encrypt, files and folders to be skipped, countries and languages whose systems will not be encrypted, and more.
A portion of this configuration is given below.
agntsvcagntsvc, agntsvcencsvc, agntsvcisqlplussvc, dbeng50, dbsnmp, firefoxconfig, msftesql, mydesktopqos, mydesktopservice, mysqld, mysqld-nt, mysqld-opt, ocomm, ocssd, oracle, sqbcoreservice, sqlagent, sqlbrowser, sqlservr, sqlwriter, sqlwb, synctime, tbirdconfig, and xfssvccon
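For an incident responder, the value of an extracted configuration like this is that it predicts what the sample would do on a given host before any dynamic analysis. The script below is an added example, not code from the article or from the malware: it loads a configuration in an assumed JSON schema (the key names are hypothetical), pulls out the indicators worth blocking, and reports which running processes and which files on a constructed host would be affected. Only the process list above and the 0.125 BTC price from the article are real values; the emails, key, extensions, skip lists and locale codes are placeholders.

```python
import json
import ntpath

# Process list quoted from the article's configuration excerpt.
PROCESSES_TO_STOP = [
    "agntsvcagntsvc", "agntsvcencsvc", "agntsvcisqlplussvc", "dbeng50", "dbsnmp",
    "firefoxconfig", "msftesql", "mydesktopqos", "mydesktopservice", "mysqld",
    "mysqld-nt", "mysqld-opt", "ocomm", "ocssd", "oracle", "sqbcoreservice",
    "sqlagent", "sqlbrowser", "sqlservr", "sqlwriter", "sqlwb", "synctime",
    "tbirdconfig", "xfssvccon",
]

# Constructed configuration in an assumed schema; every value other than the
# process list and the ransom price is a placeholder.
SAMPLE_CONFIG = json.dumps({
    "modules": {"kill_processes": True, "self_delete": False},
    "processes_to_stop": PROCESSES_TO_STOP,
    "public_key": "<PUBLIC-KEY-PLACEHOLDER>",
    "emails": ["attacker@example.invalid"],
    "ransom_price_btc": 0.125,
    "extensions": ["doc", "docx", "xls", "xlsx", "pdf", "jpg"],
    "skip_folders": ["windows", "program files"],
    "skip_files": ["desktop.ini"],
    "excluded_countries": ["ZZ"],
    "excluded_languages": ["zz-ZZ"],
})

# Constructed host inventory used for the triage run.
RUNNING = ["explorer.exe", "mysqld.exe", "SQLSERVR.EXE", "outlook.exe"]
PATHS = [
    "C:\\Users\\alice\\Documents\\budget.xlsx",
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
    "C:\\Users\\alice\\Desktop\\desktop.ini",
    "C:\\Users\\alice\\Pictures\\cat.png",
    "D:\\backups\\report.pdf",
]


def load_config(text):
    """Parse the extracted configuration and lower-case every list entry."""
    cfg = json.loads(text)
    for key in ("processes_to_stop", "extensions", "skip_folders", "skip_files",
                "excluded_countries", "excluded_languages"):
        cfg[key] = [v.lower() for v in cfg.get(key, [])]
    return cfg


def extract_iocs(cfg):
    """Values worth blocking or hunting for: contact addresses, key, price, modules."""
    return {
        "emails": list(cfg["emails"]),
        "public_key": cfg["public_key"],
        "ransom_price_btc": cfg["ransom_price_btc"],
        "enabled_modules": sorted(m for m, on in cfg["modules"].items() if on),
    }


def victim_in_scope(cfg, country, language):
    """False when the host's country or language is on the exclusion list."""
    return (country.lower() not in cfg["excluded_countries"]
            and language.lower() not in cfg["excluded_languages"])


def processes_at_risk(cfg, running):
    """Running image names (without .exe) that the kill list would terminate."""
    if not cfg["modules"].get("kill_processes"):
        return []
    names = {ntpath.splitext(p)[0].lower() for p in running}
    return sorted(names & set(cfg["processes_to_stop"]))


def would_encrypt(cfg, path):
    """Apply the skip-folder, skip-file and extension rules to one Windows path."""
    parts = ntpath.normpath(path).split("\\")
    folders = [p.lower() for p in parts[:-1]]
    name = parts[-1].lower()
    if any(f in cfg["skip_folders"] for f in folders) or name in cfg["skip_files"]:
        return False
    return ntpath.splitext(name)[1].lstrip(".") in cfg["extensions"]


def triage(cfg, country, language, running, paths):
    """Summarise the expected impact of this configuration on one host."""
    in_scope = victim_in_scope(cfg, country, language)
    hit = [p for p in paths if in_scope and would_encrypt(cfg, p)]
    return {
        "in_scope": in_scope,
        "processes_to_kill": processes_at_risk(cfg, running) if in_scope else [],
        "files_to_encrypt": hit,
        "files_skipped": [p for p in paths if p not in hit],
        "iocs": extract_iocs(cfg),
    }


if __name__ == "__main__":
    print(json.dumps(triage(load_config(SAMPLE_CONFIG), "US", "en-US", RUNNING, PATHS), indent=2))
```

The kill list is the most actionable part for detection: a burst of terminations of database and mail-client processes (mysqld, sqlservr, ocssd, tbirdconfig) shortly after an unsigned executable starts is a strong pre-encryption signal, and the contact emails and public key from the same configuration can seed blocklists and hunting queries.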
INDICATORS OF COMPROMISE
The ransom note contains a unique victim key and instructions on how to make a ransom payment of 0.125 bitcoin.