The fall of the Encryptor RaaS also thanks to Shodan

Law enforcement and security experts have dismantled the Encryptor RaaS architecture by localizing one of its servers with Shodan.

Shodan is a search engine for internet-connected devices, it is a precious instrument for IT experts and hackers that use it to find assess systems exposed on the Internet.

The information gathered via Shodan could allow attackers to identify and attack vulnerable and poorly protected systems online.

We cannon underestimate also its usefulness in the fight against botnets. This summer security experts and law enforcement used the popular search engine to shut down the Encryptor RaaS botnet used to spread ransomware.

The Encryptor RaaS botnet was offering ransomware as a service allowing wannabe criminals to create their own malware and distribute them without any specific knowledge.

This model of sale allows criminals to create the malware and rent the infrastructure to deploy it and collect the payments made by the victims. Operators behind the service maintain a fee for the service.

“Encryptor RaaS’s purveyor created a full web panel for his patrons, accessible only via the Tor network, that enabled them to manage victims’ systems. Bitcoin was the preferred transaction currency.” reads a blog post published by Trend Micro. “Compared to other ransomware such as Cerber, whose developers earn 40% in commissions, Encryptor RaaS has a more attractive proposition. Affiliates only had to dole out at least 5% of their revenue to continue distributing the ransomware.”

Encryptor was first spotted in 2015 and the experts noticed a spike in the number of victims in March 2016 when experts from Cylance spotted 1,818 victims.

“Encryptor RaaS has been around for nearly a year, since mid-2015. This piece of ransomware is available exclusively on an .onion domain on the TOR network. The ransomware author charges a 20% fee for every infected victim who pays the ransom, which is made in Bitcoin.

The Encryptor RasS numbers to date are as follows:

Total Number of Victims = 1818
Total Number of Victims Who Have Paid = 8 (0.44% of total users infected)” reads the analysis published by Cylance.

Bad actors behind the Encryptor RaaS advertise their malware as “fully undetectable” and it seems to be true according to data recently provided by NoDistribute online virus scanner (2 of 35 antivirus are able to detect the threat).

Security researchers and law enforcement have exploited the features implemented by Shodan to discover one of the servers of the Encryptor RaaS that was poorly configured and exposed to the Internet, instead of being hidden inside the Tor anonymizing network.

The authorities seized the server in June and localized other 3 machines in a few days.

“Encryptor RaaS seemed to be on a roll. Early into the investigation, however, one of its C&C servers—either abandoned by the developer or mistakenly left open to anyone on the Internet—was exposed and not anonymized by Tor. Accordingly indexed by Shodan, Encryptor RaaS was found hosting its systems on a legitimate cloud service. By late June, one of the systems was seized.” states TrendMicro.



Unfortunately, the operators behind the Encryptor RaaS have wiped the master decryption key once spotted by the law enforcement, this means that victims of the ransomware will have no solution to rescue the encrypted files.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Encryptor RaaS, Shodan)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds Adobe Commerce and Magento, SolarWinds Serv-U, and VMware vCenter Server bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Adobe Commerce and Magento, SolarWinds Serv-U, and…

2 hours ago

Threat actors attempted to capitalize CrowdStrike incident

CrowdStrike warns that threat actors are exploiting the recent IT outage caused by their faulty…

17 hours ago

Russian nationals plead guilty to participating in the LockBit ransomware group

Two Russian nationals pleaded guilty to participating in the LockBit ransomware group and carrying out…

1 day ago

MediSecure data breach impacted 12.9 million individuals

Personal and health information of 12.9 million individuals was exposed in a ransomware attack on…

2 days ago

CrowdStrike update epic fail crashed Windows systems worldwide

Windows machines worldwide displayed BSoD screen following a faulty update pushed out by cybersecurity firm…

2 days ago

Cisco fixed a critical flaw in Security Email Gateway that could allow attackers to add root users

Cisco has addressed a critical vulnerability that could allow attackers to add new root users…

2 days ago

This website uses cookies.