
Published on November 7th, 2018


Kraken ransomware 2.0 is available through the RaaS model



The author of the infamous Kraken ransomware has released a new version of the malicious code and launched a RaaS distribution program on the Dark Web.

Researchers from Recorded Future’s Insikt Group and McAfee’s Advanced Threat Research team have discovered a new version of the malware that is offered through a RaaS distribution program on the Dark Web.

The new Kraken v.2 version is being advertised on an underground forum and is available through a ransomware-as-a-service (RaaS) model. For just $50 it is possible to join the affiliate program as a trusted partner and receive a new, improved build of the Kraken ransomware every 15 days. Affiliates receive 80 percent of the paid ransom, and the operators offer a 24/7 support service.

“The McAfee Advanced Threat Research team, working with the Insikt group from Recorded Future, found evidence of the Kraken authors asking the Fallout team to be added to the Exploit Kit. With this partnership, Kraken now has an additional malware delivery method for its criminal customers.” reads a post published by McAfee.

“We also found that the user associated with Kraken ransomware, ThisWasKraken, has a paid account. Paid accounts are not uncommon on underground forums, but usually malware developers who offer services such as ransomware are highly trusted members and are vetted by other high-level forum members. Members with paid accounts are generally distrusted by the community.”


Kraken Cryptor is a ransomware-as-a-service (RaaS) affiliate program that first appeared in the cybercrime underground on August 16, 2018, when it was advertised in a top-tier Russian-speaking cybercriminal forum by the threat actor ThisWasKraken.

At the end of September, the security researcher nao_sec discovered that the Fallout Exploit Kit (the same one used to distribute GandCrab ransomware) had started to deliver the Kraken ransomware.

After the victim pays the full ransom, the affiliate member sends 20 percent of the received payment to the RaaS to receive a decryptor key from ThisWasKraken, which is then forwarded to the victim.

Like other threats, the Kraken Cryptor RaaS does not allow the infection of users in a number of former Soviet bloc countries.

“In addition to the countries listed above, the latest samples of Kraken that have been identified in the wild no longer affect victims in Syria, Brazil, and Iran, suggesting that ThisWasKraken (or their associates) may have some connection to Brazil and Iran, though this is not confirmed. It is likely that Syria was added following the plea for help from a victim whose computer was infected by another ransomware called GandCrab.” reads the analysis published by Recorded Future.





Insikt Group experts noticed that the RaaS operators don’t allow affiliates to submit Kraken sample files to antivirus services and don’t provide refunds for purchased payloads.

Below is a map showing the distribution of victims that was released by the authors of the Kraken ransomware.

It has already infected 620 victims worldwide since August, but experts pointed out that the first real campaign only started last month, when attackers were disguising the threat as a security solution on the website SuperAntiSpyware.

Experts highlighted that RaaS and affiliate programs are growing in the cybercrime underground, attracting a growing number of wannabe criminals.

Further details, including IoCs, are reported in the analyses published by both companies (Recorded Future and McAfee).
