Rewterz Threat Advisory – Kraken Cryptor Ransomware deceiving as SuperAntiSpyware Security Program

A recent version Kraken Cryptor 1.5 poses as SuperAntiSpyware program, to manipulate users into installing it.

IMPACT:  CRITICAL

PUBLISH DATE:  17-09-2018

OVERVIEW:

August 2018 saw the advent of a newer ransomware called Kraken Crypto, whose latest version Kraken Crypto 1.5 masquerades as the legitimate SuperAntiSpyware anti-malware program so users may be tricked into installing it. Once your files are encrypted, there’s no free way of getting them decrypted.

ANALYSIS:

All this fiasco started when someone with a malicious intent got access to the superantispyware.com site and distributed the ransomware from there.

The Kraken Cryptor installer spotted by VirusTotal was called SUPERAntiSpywares.exe which is an imitation of the original super anti-spyware filename with an additional s. However, this malicious executable has now been removed from the website. Not only the filename, but the ransomware also uses the icon of the SuperAntiSpyware.

People who were redirected to SUPERAntiSpywares.exe executable and installed it, found their computer files encrypted due to an easily exportable embedded configuration file containing a list. It contained a detail of modules and if they are enabled, processes to stop, the public encryption key, emails, ransom prices, extensions to encrypt, files and folders to be skipped, countries and languages that won’t be encrypted, and more.

A portion of this configuration is given below.

• The ransomware will create a file called C:\ProgramData\Safe.exe and execute it.
• This program will then enumerate a list of all the Event Viewer logs and redirect the output to the C:\ProgramData\EventLog.txt file.
• The program will then remove all the logs listed in the Eventlog.txt.
• Kraken Cryptor will also check the language and location of the victim, and if in the following countries, will not encrypt computers running on languages from Armenia, Azerbaijan, Belarus, Estonia, Georgia, Iran, Kyrgyzstan, Kazakhstan, Lithuania, Latvia, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, and Brazil.
• Any processes that disable file encryption by keeping databases open will then be stopped.

These include:

agntsvcagntsvc, agntsvcencsvc, agntsvcisqlplussvc, dbeng50, dbsnmp, firefoxconfig, msftesql, mydesktopqos, mydesktopservice, mysqld, mysqld-nt, mysqld-opt, ocomm, ocssd, oracle, sqbcoreservice, sqlagent, sqlbrowser, sqlservr, sqlwriter, sqlwb, synctime, tbirdconfig, and xfssvccon

• After terminating these processes, the ransomware will scan and encrypt files with the following extensions.

• The ransomware will also download SDelete from the Sysinternals site and execute a batch file called release.bat which will clear up the SDelete and overwrite all free space of drive with zeros so that file recovery gets harder.
• It will also cause the computer to shut down, disable Windows startup recovery, delete Windows backups, and delete shadow volume copies. In rare cases, the shadow volume copies can still be recovered to gain backup.

INDICATORS OF COMPROMISE

Hash:

• SHA256: 9c88c66f44eba049dcf45204315aaf8ba1e660822f9e97aec51b1c305f5fdf14

Files:

• C:\ProgramData\Safe.exe
• C:\ProgramData\EventLog.txt
• # How to Decrypt Files.html (the ransom note which is found in every folder)

The ransom note contains a unique victim key and instructions on how to make a 0.125 bitcoin ransom payment.

Associated emails:

• shortmangnet@420blaze.it
• BM-2cUEkUQXNffBg89VwtZi4twYiMomAFzy6o@bitmessage.ch

MITIGATION

• Most ransomware and malicious codes can be avoided through vigilant online behavior.
• Never trust an email attachment if it’s not from a verified source.
• Always keep a reliable and tested backup of your data elsewhere.
• Install good quality security software or consult a known information security firm for your security needs.
• Avoid downloading or installing unverified software from elsewhere.
• Enforce strict policies for account lock out to save it from brute force.
• Make sure all software are updated to avoid all security vulnerabilities coming from outdated software.