Kraken Cryptor 1.5 disguised as SuperAntiSpyware executable

Kraken Cryptor ransomware uses the name of an anti-malware program to trick users into installing it

The newest version of Kraken Cryptor ransomware, Kraken Cryptor 1.5, was distributed as a malicious executable via the official SuperAntiSpyware website. Kraken Cryptor 1.5 is the newest version of the Kraken crypto family and was released in August 2018. However, the most striking fact about it is how the attackers have been distributing it. It seems that the main way used to infect users with Kraken Cryptor 1.5 was the official website of SuperAntiSpyware, which was hacked and then infected with the malicious executable file.

According to cybersecurity researchers, to trick users into downloading the virus, the legitimate file was mimicked by an almost identical ransomware installer. The only difference between these exe files was an additional letter “s” at the end of the file name.[1] While the original file is called SUPERAntiSpyware.exe, the malevolent executable was named SUPERAntiSpywares.exe. Even the icon of the file was the same.

Fortunately, the original data was not compromised in any way, and the original executable installed the legitimate anti-malware, as it was supposed to. So, users who installed the software from standard download links got the secure version and nothing more. Additionally, the malicious file is no longer spread on the official site.

SuperAntiSpyware's reply to this unpleasant discovery:

A malicious file was uploaded to the SUPERAntiSpyware download server as a result of an attempted attack on the server. The malicious file was discovered and removed from the server within several hours of the attempt. The server has since been thoroughly scanned and the vulnerability has been corrected.
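The one-letter name difference described above is the kind of thing a download-server audit can flag automatically. The following is an added example, not code from SuperAntiSpyware or the researchers: it compares a directory listing against a manifest of published file names and reports extra files, marking those within a small edit distance of a published name. The manifest format, the `audit_listing` helper and the `upload_tmp.bin` entry are assumptions made for illustration.

```python
import unicodedata

# Constructed sample data. Only the two SUPERAntiSpyware names come from the article;
# the manifest format and "upload_tmp.bin" are assumptions for illustration.
MANIFEST = ["SUPERAntiSpyware.exe"]
SAMPLE_LISTING = ["SUPERAntiSpyware.exe", "SUPERAntiSpywares.exe", "upload_tmp.bin"]


def normalize(name):
    """Fold case and Unicode compatibility forms so near-identical names compare equal."""
    return unicodedata.normalize("NFKC", name).casefold()


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_listing(listing, manifest, max_distance=2):
    """Return (name, kind, nearest_published_name) for every file not in the manifest.

    kind is "lookalike" when the name is within max_distance edits of a published
    name (after normalization), otherwise "unexpected".
    """
    published = set(manifest)
    findings = []
    for name in listing:
        if name in published:
            continue  # exact, byte-for-byte match with a published name
        scored = [(edit_distance(normalize(name), normalize(p)), p) for p in manifest]
        dist, nearest = min(scored, default=(None, None))
        if dist is not None and dist <= max_distance:
            findings.append((name, "lookalike", nearest))
        else:
            findings.append((name, "unexpected", None))
    return findings


if __name__ == "__main__":
    for finding in audit_listing(SAMPLE_LISTING, MANIFEST):
        print(finding)
```

A name check like this only catches extra files; verifying hashes or signatures of the published files covers the separate case where the legitimate binary itself is replaced.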

The functionality of Kraken Cryptor 1.5 ransomware attack

The latest version of Kraken Cryptor ransomware[2] works similarly to other cryptocurrency-demanding threats. When executed, this virus performs a variety of actions that help it encrypt files on the system. The ransomware attack starts when the virus creates a Safe.exe file which, once launched, checks the language and location of the victim's device. If the victim is from Armenia, Azerbaijan, Belarus, Estonia, Georgia, Iran, Kyrgyzstan, Kazakhstan, Lithuania, Latvia, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan or Brazil, encryption is not started.

After the system is scanned, the virus selects data such as photos, videos, archives and documents, and encrypts it using the AES-128[3] encryption algorithm. These encoded files are marked using the 00000000-Lock.onion pattern. When the data is encrypted, it becomes inaccessible. Unfortunately, this virus is still not decryptable.

Other features of the Kraken Cryptor 1.5 ransomware:

  • ransom note called “# How to Decrypt Files.txt” placed in every folder on the system that contains encrypted data;
  • ransom amount is 0.125 Bitcoin[4];
  • the ransom message contains instructions on how to make this payment and a unique identification key generated for each victim after the encryption process;
  • contact email for the crooks behind this virus is

Ransomware distribution methods

There is no information on how exactly Kraken Cryptor 1.5 spreads besides the SuperAntiSpywares.exe file. However, typical ransomware and previous versions of this particular cyber threat have been spread via spam email campaigns. Various social engineering[5] techniques can be used to spread malware as well.

The most common way is to deliver a malicious script directly to the device by using infected MS Word or Excel documents disguised as essential documents from a legitimate company or service. The moment the user opens the infected file, the ransomware script loads on the system.

About the author
Lucia Danes
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.
