The fall of the Encryptor RaaS also thanks to Shodan

Law enforcement and security experts have dismantled the Encryptor RaaS architecture by localizing one of its servers with Shodan.

Shodan is a search engine for internet-connected devices, it is a precious instrument for IT experts and hackers that use it to find assess systems exposed on the Internet.

The information gathered via Shodan could allow attackers to identify and attack vulnerable and poorly protected systems online.

We cannon underestimate also its usefulness in the fight against botnets. This summer security experts and law enforcement used the popular search engine to shut down the Encryptor RaaS botnet used to spread ransomware.

The Encryptor RaaS botnet was offering ransomware as a service allowing wannabe criminals to create their own malware and distribute them without any specific knowledge.

This model of sale allows criminals to create the malware and rent the infrastructure to deploy it and collect the payments made by the victims. Operators behind the service maintain a fee for the service.

“Encryptor RaaS’s purveyor created a full web panel for his patrons, accessible only via the Tor network, that enabled them to manage victims’ systems. Bitcoin was the preferred transaction currency.” reads a blog post published by Trend Micro. “Compared to other ransomware such as Cerber, whose developers earn 40% in commissions, Encryptor RaaS has a more attractive proposition. Affiliates only had to dole out at least 5% of their revenue to continue distributing the ransomware.”

Encryptor was first spotted in 2015 and the experts noticed a spike in the number of victims in March 2016 when experts from Cylance spotted 1,818 victims.

“Encryptor RaaS has been around for nearly a year, since mid-2015. This piece of ransomware is available exclusively on an .onion domain on the TOR network. The ransomware author charges a 20% fee for every infected victim who pays the ransom, which is made in Bitcoin.

The Encryptor RasS numbers to date are as follows:

Total Number of Victims = 1818
Total Number of Victims Who Have Paid = 8 (0.44% of total users infected)” reads the analysis published by Cylance.

Bad actors behind the Encryptor RaaS advertise their malware as “fully undetectable” and it seems to be true according to data recently provided by NoDistribute online virus scanner (2 of 35 antivirus are able to detect the threat).

Security researchers and law enforcement have exploited the features implemented by Shodan to discover one of the servers of the Encryptor RaaS that was poorly configured and exposed to the Internet, instead of being hidden inside the Tor anonymizing network.

The authorities seized the server in June and localized other 3 machines in a few days.

“Encryptor RaaS seemed to be on a roll. Early into the investigation, however, one of its C&C servers—either abandoned by the developer or mistakenly left open to anyone on the Internet—was exposed and not anonymized by Tor. Accordingly indexed by Shodan, Encryptor RaaS was found hosting its systems on a legitimate cloud service. By late June, one of the systems was seized.” states TrendMicro.

 

 

Unfortunately, the operators behind the Encryptor RaaS have wiped the master decryption key once spotted by the law enforcement, this means that victims of the ransomware will have no solution to rescue the encrypted files.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Encryptor RaaS, Shodan)