Security researchers earlier this year managed to zero-in on the Encryptor Ransomware-as-a-Service (Raas), which forced the developer to shut down the operation, but without releasing the master key to help victims.
The ransomware service first emerged in July 2015 as a multiplatform threat at an appealing price, and managed to become a considerable threat to users and businesses fast, Trend Micro researchers reveal. Attacks leveraging this piece of ransomware could be easily tailored by affiliates, and Encryptor RaaS author created a full web panel for his patrons, which could be accessed only via the Tor network.
The same as with other ransomware, Bitcoin was the preferred transaction currency, and the earnings looked highly appealing for affiliates, as they had to share only 5% of their revenue to the author. Other similar services out there, such as Cerber, would require affiliates to pay 40% in commissions, Trend Micro explains (the Cerber campaigns generate an estimated $2.3 million in annual revenue).
Encryptor RaaS was being advertised in surface web and darknet forums and interested parties only needed to contact the developer to show interest. Technical expertise wasn’t a requirement, though affiliates needed to know how to set up a Bitcoin Wallet ID, which would be attached to the distributed ransomware variant. Affiliates were also provided with a “customer ID” and could choose the ransom amount and the distribution method.
The malware was written purely in C language, used a combination of RC6 and RSA-2048 algorithms to encrypt 231 file types, generated an ID for each victim, and had its entire infrastructure hidden within the Tor network. Victims were instructed to use Tor2Web or the Tor Browser to access the payment site and could also use a chat box to contact the cybercriminals.
The ransomware’s author focused on avoiding detection and even started offering a file-signing service for affiliates, saying that he had access to stolen Authenticodes. Encryptor RaaS was improved to become virtually undetectable, being able to trick static engine analysis, but still being caught by behavioral detection.
While analyzing the threat, researchers discovered that the actor left a command and control (C&C) server either abandoned or mistakenly open: it was exposed and not anonymized by Tor. Thus, researchers determined that Encryptor RaaS was being hosted on a legitimate cloud service, and one of the RaaS’s systems was seized in June.
The operator immediately took the infrastructure down as a precautionary measure, but more servers were seized a few days later. However, the developer managed to bring the entire system back online after four days, and also announced that it would shut down the operation. A shutdown notice was posted on all the main pages of decryptor sites, and Encryptor RaaS’s main site.
“Encryptor RaaS’s systems went down around 5 PM GMT on July 5, 2016, with the developer leaving victims a message that they can no longer recover their files, as he deleted the master key,” Trend Micro reveals. Thus, while there’s one less ransomware family to worry about, there are users left without the possibility of recovering their files.
Related: Locky Ransomware Drops Offline Mode
Related: New MarsJoke Ransomware Targets Government Agencies

More from Ionut Arghire
- Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
- Nigerian Pleads Guilty in US to Million-Dollar BEC Scheme Role
- City of Dallas Details Ransomware Attack Impact, Costs
- In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover
- Air Canada Says Employee Information Accessed in Cyberattack
- BIND Updates Patch Two High-Severity DoS Vulnerabilities
- Faster Patching Pace Validates CISA’s KEV Catalog Initiative
- TransUnion Denies Breach After Hacker Publishes Allegedly Stolen Data
Latest News
- Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
- Nigerian Pleads Guilty in US to Million-Dollar BEC Scheme Role
- 900 US Schools Impacted by MOVEit Hack at National Student Clearinghouse
- City of Dallas Details Ransomware Attack Impact, Costs
- In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover
- Predator Spyware Delivered to iOS, Android Devices via Zero-Days, MitM Attacks
- Researchers Discover Attempt to Infect Leading Egyptian Opposition Politician With Predator Spyware
- In Other News: New Analysis of Snowden Files, Yubico Goes Public, Election Hacking
