Encryptor RaaS Shuts Down Without Releasing Master Key

Security researchers earlier this year managed to zero-in on the Encryptor Ransomware-as-a-Service (Raas), which forced the developer to shut down the operation, but without releasing the master key to help victims.

The ransomware service first emerged in July 2015 as a multiplatform threat at an appealing price, and managed to become a considerable threat to users and businesses fast, Trend Micro researchers reveal. Attacks leveraging this piece of ransomware could be easily tailored by affiliates, and Encryptor RaaS author created a full web panel for his patrons, which could be accessed only via the Tor network.

The same as with other ransomware, Bitcoin was the preferred transaction currency, and the earnings looked highly appealing for affiliates, as they had to share only 5% of their revenue to the author. Other similar services out there, such as Cerber, would require affiliates to pay 40% in commissions, Trend Micro explains (the Cerber campaigns generate an estimated $2.3 million in annual revenue). 

Encryptor RaaS was being advertised in surface web and darknet forums and interested parties only needed to contact the developer to show interest. Technical expertise wasn’t a requirement, though affiliates needed to know how to set up a Bitcoin Wallet ID, which would be attached to the distributed ransomware variant. Affiliates were also provided with a “customer ID” and could choose the ransom amount and the distribution method.

The malware was written purely in C language, used a combination of RC6 and RSA-2048 algorithms to encrypt 231 file types, generated an ID for each victim, and had its entire infrastructure hidden within the Tor network. Victims were instructed to use Tor2Web or the Tor Browser to access the payment site and could also use a chat box to contact the cybercriminals.

The ransomware’s author focused on avoiding detection and even started offering a file-signing service for affiliates, saying that he had access to stolen Authenticodes. Encryptor RaaS was improved to become virtually undetectable, being able to trick static engine analysis, but still being caught by behavioral detection.

While analyzing the threat, researchers discovered that the actor left a command and control (C&C) server either abandoned or mistakenly open: it was exposed and not anonymized by Tor. Thus, researchers determined that Encryptor RaaS was being hosted on a legitimate cloud service, and one of the RaaS’s systems was seized in June.

The operator immediately took the infrastructure down as a precautionary measure, but more servers were seized a few days later. However, the developer managed to bring the entire system back online after four days, and also announced that it would shut down the operation. A shutdown notice was posted on all the main pages of decryptor sites, and Encryptor RaaS’s main site.

“Encryptor RaaS’s systems went down around 5 PM GMT on July 5, 2016, with the developer leaving victims a message that they can no longer recover their files, as he deleted the master key,” Trend Micro reveals. Thus, while there’s one less ransomware family to worry about, there are users left without the possibility of recovering their files.

Related: Locky Ransomware Drops Offline Mode

Related: New MarsJoke Ransomware Targets Government Agencies