Kraken ransomware 2.0 is available through the RaaS model

Pierluigi Paganini November 04, 2018

The author of the infamous Kraken ransomware has released a new version of the malicious code and launched a RaaS distribution program on the Dark Web.

Researchers from Recorded Future’s Insikt Group and McAfee’s Advanced Threat Research team have discovered a new version of the malware that is offered through a RaaS distribution program on the Dark Web.

The new Kraken v.2 version is being advertised on an underground forum and is available through a ransomware-as-a-service (RaaS) model. With just $50 it is possible to join the affiliate program as a trusted partner and received a new improved build of the Kraken ransomware every 15 days. Affiliates receive 80 percent of the paid ransom and operators offer a 24/7 support service.

“The McAfee Advanced Threat Research team, working with the Insikt group from Recorded Future, found evidence of the Kraken authors asking the Fallout team to be added to the Exploit Kit. With this partnership, Kraken now has an additional malware delivery method for its criminal customers.”  reads a post published by McAfee.

“We also found that the user associated with Kraken ransomware, ThisWasKraken, has a paid account. Paid accounts are not uncommon on underground forums, but usually malware developers who offer services such as ransomware are highly trusted members and are vetted by other high-level forum members. Members with paid accounts are generally distrusted by the community.”

Kraken Cryptor is a ransomware-as-a-service (RaaS) affiliate program that first appeared in the cybercrime underground on August 16, 2018, it was advertised in a top-tier Russian-speaking cybercriminal forum by the threat actor ThisWasKraken.

At the end of September, the security researcher nao_sec discovered that the Fallout Exploit Kit (the same used to distribute GandCrab ransomware)  started to deliver the Kraken ransomware.

Kraken ransomware

After the victim pays the full ransom, the affiliate member sends 20 percent of the received payment to the RaaS to receive a decryptor key by the ThisWasKraken and forward on to the victim.

Like other threats, the Kraken Cryptor RaaS does not allow the infect users of a number of former Soviet bloc countries.

“In addition to the countries listed above, the latest samples of Kraken that have been identified in the wild no longer affect victims in Syria, Brazil, and Iran, suggesting that ThisWasKraken (or their associates) may have some connection to Brazil and Iran, though this is not confirmed. It is likely that Syria was added following the plea for help from a victim whose computer was infected by another ransomware called GandCrab.” reads the analysis published by Recorded Future.

Insikt Group experts noticed that RaaS operators don’t allow affiliates to submit Kraken sample files to antivirus services and don’t provides refunds for purchased payloads.

Below a map showing the distribution of victims that was released by the authors of the Kraken ransomware.

Kraken ransomware raas distribution

It has already infected 620 victims worldwide since August, but experts pointed out that the first real campaign only started last month, when attackers were masquerading the threat as a security solution on the website SuperAntiSpyware.

Experts highlighted that RaaS and affiliate programs are growing in the cybercrime underground attracting a growing number of wannabe criminals.

Further details, including IoCs are reported in the analysis published by both companies (Recorded Future and McAfee).

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – RaaS, Kraken ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment