Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Infiltrate C&C Server Behind CryptoBlock Ransomware

A command and control (C&C) server used for operating the CryptoBlock ransomware family has also been hosting stolen user credentials and other malware families, researchers say.

A command and control (C&C) server used for operating the CryptoBlock ransomware family has also been hosting stolen user credentials and other malware families, researchers say.

According to researchers from Malwarebytes Labs, who managed to gain access to the malicious server, the ransomware appears to still be under development at the moment, but is believed to have the potential of becoming a major threat. The malicious operation could even evolve into a RaaS (Ransomware as a Service), the researchers believe. 

A note on the domain informs wannabe-criminals that the RaaS will be live soon, but it appears that some users have already been infected with this malware (although the distribution mechanism isn’t clear as of now). The ransomware, however, is completely obfuscated with ConfuserEX, which is difficult to unravel, researchers say.

The security experts decided to have a look at the ransomware’s server, which they acquired during previous research, and which revealed, among other .php pages, a config.php file that included the actor’s login credentials for the server. Specifically, the file revealed “the complete master credentials (username and password) to the entire CryptoBlock server, valid for every email, database, SSH, cPanel, and more,” Nathan Scott, Malwarebytes Labs Lead Malware Intelligence Analyst, notes.

Courtesy of these, the researchers gained complete access to a threat actor’s overseas server, which allowed them to copy all of the data there, including databases, PHP files, and the personal information used to rent the server. However, because the hosting company only required an email address to host the server, and because the email was fake, the researchers couldn’t learn more on the actor.

Server logs, however, revealed that the ransomware might have already infected quite a few people, and that there were “a few IP addresses from Europe that have been visiting this server by the thousands since it was brought up.” These, the researchers say, might be the real IPs used by the threat actor owning the server while testing the malware (the most accessed part of the server was a PHP page that is used by the debug build of the ransomware server).

The server was also found to host a full database of stolen credentials from “Pay for Porn” sites, and the database of ransomware users (with IDs, BTC addresses, payments, and keys). Moreover, it revealed that the threat actor applied for a Blockchain API account, and was denied, and that other malware was being distributed from it as well.

Advertisement. Scroll to continue reading.

“The threat actor is also distributing an exploitable Ammyy Admin executable from the server. It seems they either may be scamming people into letting them onto the machine remotely, or they are simply running it silently as a malicious drive-by. The file on the server is called test.exe,” Scott explains.

Related: Attackers Leave Server Credentials in Ransomware’s Code

Related: Ransomware Module Found in Shamoon 2.0

Related: New Unlock26 Ransomware and RaaS Portal Discovered

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...