Kraken Cryptor — a dangerous RaaS that has been involved in numerous attacks in October 2018

Kraken Cryptor is a ransomware virus[1] that first emerged in August 2018. It uses several different encryption algorithms (AES-128/256, Salsa20, RC4, and RSA) to encode data and modifies files in the following way: [chronological_number]-Lock.onion. To retrieve data, victims are prompted to contact cybercriminals via onionhelp@memeware.net after paying 0.25 BTC. All this information is presented in a ransom note called How to Decrypt files.txt which is sent to victims via the remote server. Initially, Kraken Cryptor virus used spam emails and other typical techniques for distribution. However, in October, researchers discovered that the malwa is relying on Fallout exploit kit. The latest version is Kraken Cryptor 2.0.7 which is using the wallpaper that imitates Cerber and GandCrab.
| Name | Kraken Cryptor |
|---|---|
| versions |
|
| Appendix | .%8 numbers%-Lock.onion; random extension; 5 A-Z 0-9 file extension; .JLQUF |
| Ransom message | How to Decrypt Files.txt; Instructions-{suffix}.txt; # How to Decrypt Files.html; Instructions.txt |
| Ransom type | 0.075BTC; 0.25 BTC, 0.125 BTC |
| Purpose | To encrypt files and demand a ransom in exchange for a decryption tool |
| Distribution | Spreads through spam emails, P2P networks, using Fallout EK, RIG exploit kit |
| Prevent it | Use antivirus protection, do not open suspicious email attachments |
| Removal process | Get rid of the ransomware infection with FortectIntego |
Malware Hunter Team noticed that Kraken Cryptor 1.2 authors left an interesting comment in malware's code. It contained the following: “When the researchers' party hard, our parties harder!”. While it seems like hackers have some sense of humor, the Kraken Cryptor virus infection is not a joke for the victims, as encoded files cannot be decrypted.
You can also recognize this virus from other signs such as:
- Files are encrypted with the .%8 numbers%-Lock.onion extension;
- A ransom note named How to Decrypt Files.txt has been displayed;
- Dubious registry entries have been created in the Windows Registry.
Here is how the ransom message begins:
– ALL YOUR FILES HAS BEEN ENCRYPTED BY “KRAKEN CRYPTOR”!
– READ THIS GUIDE BELOW TO RECOVERY YOUR FILES!
E-Mail : onionhelp@memeware.net
Alternative : BM-2cWdhn4f5UyMvruDBGs5bK77NsCFALMJkR@bitmessage.ch
<…>
Hackers use AES-128/256 cipher to encrypt personal files. To decrypt them, victims need to obtain a key which is generated for each person individually; hence cannot be used for different machines. The decryptor is stored on a remote C2 server which is only accessible to Kraken Cryptor 1.2 developers.

However, do not rush to contact the criminals, as these people can not be trusted. If you did not prepare a backup before Kraken Cryptor struck, you could try using another option for file decryption. Look for our offered third-party software which you can find below this article.
Nevertheless, ransomware-type viruses may weaken the computer's security levels and clean the way for other infections. This is one of the main reasons why you need to remove Kraken Cryptor virus from your computer as soon as you spot first symptoms. For that, we suggest using FortectIntego or any other trustworthy anti-malware tool of your liking.
Kraken Cryptor removal should be performed before the file recovery because all the data will be encrypted again. Important: do not connect your external drive to the PC before the virus is eliminated!
Fallout EK is becoming more popular among ransomware distributors
As Kraken Cryptor uses RaaS[2] business model, many different associates take on its distribution. For example, Kraken Cryptor 1.5 was delivered with the help of a fake SuperAntiSpyware executable, implanted directly into the official website of the program.[3]
Now, researchers noticed that Kraken Cryptor virus 1.5, and a bit later – 1.6, has been distributed with the help of the relatively new Fallout exploit kit. Bad actors compromise several websites which then redirect victims to a domain that hosts Fallout exploit kit. It then tries to abuse the VBScript vulnerability to install malware on the susceptible machine.

Once delivered, Kraken Cryptor 1.6 will encode data using a random file name and arbitrary file extension and also will download SDelete, which replaces all spaces which are empty with zeros, complicating the file recovery procedure.
Fallout EK was first discovered in August 2018 and is gaining more popularity among hackers. Experts are convinced that, after distributing GandCrab v5 and Kraken Cryptor 1.6, the exploit kit will be delivering other malicious payloads in the future.
Known variants of Kraken Cryptor
Kraken Cryptor 1.2
Hackers have been using the AES-128/256 encryption algorithm to lock your data and a ransom note named How to Decrypt Files.txt in which the message about the attack is displayed. However, the only information in the note is onionhelp@memeware.net contact email and the Bitcoin wallet in which the ransom payment should be transferred. Encrypted files are marked with .%8 numbers%-Lock.onion extension to each file. The ransom amount for this cryptovirus is 0.25 BTC.
Kraken Cryptor 1.3
Like the previous version, this variant uses the same Kraken mutex and the message “When the researchers party hard, our parties harder!.” It came immediately after the discovery of the second version of the ransomware. The payment is reduced to 0.125BTC if compared with other threats. It is believed that this version is distributed using the exploit kits and other vulnerabilities.
Kraken Cryptor 1.5
Kraken Cryptor 1.5 was distributed using the fake SuperAntiSpyware executable which was placed directly on the official website of this program. Released in August of 2018, it landed on the system unnoticeably because the only difference between the malicious file and the safe one was S at the end -SUPERAntiSpywares.exe. Cybercriminals even used the icon of the original file. It also used random file names and extensions. Ransom note for this version called # How to Decrypt Files.html.
Kraken Cryptor 1.6
In October 2018, researchers discovered this version of Kraken Cryptor that uses Fallout exploit kit to spread around. It also encrypts data using the sophisticated method and adds random file extensions and a randomly named ransom note. Also, while distributing this particular version, hackers try to abuse VBScript vulnerability to install the malicious payload.
Kraken Cryptor 2.0
This variant of ransomware virus displays and empty windows containing numerous buttons as Send Payment, Request Free Decryption. When this version of ransomware was discovered analysts stated that it looks as being in development still. When one of those buttons gets pressed, another pop-up window opens which allows users to request free decryption. Hospitals, software development studios encounter this function. Regular people suggested paying $50 in various gift cards. The payment method is rather unusual for crypto-demanding ransomware type virus. Therefore, this ransomware looked like a test version.
Kraken Cryptor 2.0.4
This variant was exposed by MalwareHunterTeam on Twitter on October 19th as the strange version of ransomware which sends statistics to a server using TOR browser (kraken656kn6wyyx[.]onion). The ransomware uses ransom letters for the file extension and nikolatesla@cock.li contact email that is used for other versions too. There is not much information about the particular version because if affected fewer victims and haven't displayed a proper ransom note for them. Soon after this variant came the other one.
Kraken Cryptor 2.0.5
This version was spotted in late October of 2018. Once the malware infects the system, encrypted data gets .JLQUF or any other appendix consisting of random characters. Also, the virus drops Instructions.txt ransom note containing information about the recent events. The message states about 0.075BTC ransom amount and suggests contacting hackers via nikolatesla@cock.li email address.
Kraken Cryptor 2.0.6
One of the latest versions of Kraken Cryptor was discovered on the last weekend of October. The virus has already affected more than 200 victims since the 20th of October. BleepingComputer were the first ones who reported about this variant because hackers have been connecting to their site during the encryption process.[4] According to experts nao_sec and Kafeine, malware is distributed using RIG exploit kit. Instead of connecting or redirecting to google, it connects to BleepingComputer and uses URL that belongs to IPlogger.com. The website allows users to create shorter URLs and track statistics. (https://2no.co/2SVJa5 address) This connection allows BleepingComputer to track victims.
Kraken Cryptor 2.0.7
A few days after the first discovery of the previous version, 2.0.7 version was out. It uses wallpaper similar to Cerber or GandCrab and uses random 5 A-Z 0-9 file extension to mark encrypted files. Also, this version adds Instructions-{suffix}.txt ransom note name pattern to the mix. It is distributed as typical ransomware using spam email attachments disguised as financial information documents. The ransom amount for this version at the time of writing was $300. That is equivalent to about 0.054 BTC.

Prevent ransomware infections by being attentive online
According to IT experts, users infect their computers with ransomware through suspicious email messages. Such spam is dropped straight to a victim's email inbox. The phishing email comes with a suspicious attachment or a cleverly hidden hyperlink. While some emails might look legitimate, do not get tricked by it. Ignore it and never open any attachments or click on links inside.
Additionally, you can get a ransomware infection from peer-to-peer networks[5] and file-sharing sites. These types of websites lack protection and are more likely to be hacked by criminals who can inject their malicious code using JavaScript or other methods. Do not forget that anti-virus software is one of the most important security measures and should not be neglected.
As mentioned above, the virus also started using Fallout EK, that abuses CVE-2018-8174 VBScript vulnerability, so patching all your software is mandatory in order to avoid malware attacks.
Make sure you get rid of Kraken Cryptor and all virus-related components
Even though manual elimination is not quite possible for this case, you can perform the Kraken Cryptor removal by downloading and installing a professional anti-malware tool. We suggest using FortectIntego, SpyHunterCombo Cleaner, or MalwarebytesMalwarebytes. Choose the program that suits you the most.
You need to remove Kraken Cryptor virus and get rid of all components that were injected while the malware was active. After you perform the automatic elimination, you can attempt to get your files back either via the backup or by using third-party software.
LesVirus.fr experts[6] recommend taking some precautionary measures for the future. Most importantly, you need to take care of valuable documents. It is advisable to store them on an external device such as a USB flash drive or iCloud.
Was this guide helpful?
Be the first to comment