Malware

The fall of the Encryptor RaaS also thanks to Shodan

Law enforcement and security experts have dismantled the Encryptor RaaS architecture by localizing one of its servers with Shodan.

Shodan is a search engine for internet-connected devices, it is a precious instrument for IT experts and hackers that use it to find assess systems exposed on the Internet.

The information gathered via Shodan could allow attackers to identify and attack vulnerable and poorly protected systems online.

We cannon underestimate also its usefulness in the fight against botnets. This summer security experts and law enforcement used the popular search engine to shut down the Encryptor RaaS botnet used to spread ransomware.

The Encryptor RaaS botnet was offering ransomware as a service allowing wannabe criminals to create their own malware and distribute them without any specific knowledge.

This model of sale allows criminals to create the malware and rent the infrastructure to deploy it and collect the payments made by the victims. Operators behind the service maintain a fee for the service.

“Encryptor RaaS’s purveyor created a full web panel for his patrons, accessible only via the Tor network, that enabled them to manage victims’ systems. Bitcoin was the preferred transaction currency.” reads a blog post published by Trend Micro. “Compared to other ransomware such as Cerber, whose developers earn 40% in commissions, Encryptor RaaS has a more attractive proposition. Affiliates only had to dole out at least 5% of their revenue to continue distributing the ransomware.”

Encryptor was first spotted in 2015 and the experts noticed a spike in the number of victims in March 2016 when experts from Cylance spotted 1,818 victims.

“Encryptor RaaS has been around for nearly a year, since mid-2015. This piece of ransomware is available exclusively on an .onion domain on the TOR network. The ransomware author charges a 20% fee for every infected victim who pays the ransom, which is made in Bitcoin.

The Encryptor RasS numbers to date are as follows:

Total Number of Victims = 1818
Total Number of Victims Who Have Paid = 8 (0.44% of total users infected)” reads the analysis published by Cylance.

Bad actors behind the Encryptor RaaS advertise their malware as “fully undetectable” and it seems to be true according to data recently provided by NoDistribute online virus scanner (2 of 35 antivirus are able to detect the threat).

Security researchers and law enforcement have exploited the features implemented by Shodan to discover one of the servers of the Encryptor RaaS that was poorly configured and exposed to the Internet, instead of being hidden inside the Tor anonymizing network.

The authorities seized the server in June and localized other 3 machines in a few days.

“Encryptor RaaS seemed to be on a roll. Early into the investigation, however, one of its C&C servers—either abandoned by the developer or mistakenly left open to anyone on the Internet—was exposed and not anonymized by Tor. Accordingly indexed by Shodan, Encryptor RaaS was found hosting its systems on a legitimate cloud service. By late June, one of the systems was seized.” states TrendMicro.

 

 

Unfortunately, the operators behind the Encryptor RaaS have wiped the master decryption key once spotted by the law enforcement, this means that victims of the ransomware will have no solution to rescue the encrypted files.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Encryptor RaaS, Shodan)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

1 hour ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

15 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

22 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.