Warning: New Family Member for KrakenCryptor Ransomware

02/11/2018 17:38:46
Sample Introduction
In a recent global scan and analysis of potential new and dangerous threats, the Sangfor security team discovered a new variant in the KrakenCryptor ransomware family. Dubbed KrakenCryptor 2.0.7 and first seen around October 22nd, the sample was analysed by a number of Sangfor customers using our new Neural-X security software, which found that this latest KrakenCryptor variant encrypts files with RSA and AES and then appends a random extension to each encrypted file.

In-Depth Analysis
1. The sample is written in .NET and is obfuscated, as shown in the figures below:

Figure 1

Figure 2: Sample Obfuscation

2. Sangfor de-obfuscated the sample and found it to behave like typical ransomware: it sets a time limit for victims to pay a predetermined ransom and raises the demanded amount if the ransom is not received within one week. Shown below is a countdown timer that is not visible on the graphical interface; it implements the predetermined schedule of cost increases every calendar week.

Figure 3: Deadline Countdown

3. The sample first decrypts its embedded configuration strings, including the family name, version, technical-support email address and so on.

Figure 4: Family Version

Figure 5: Encryption Key Length

KrakenCryptor targets up to 422 file extensions for encryption. The following figure shows a small sample of them:

Figure 6: Supported File Extensions

4. The public IP address and geographic location of the compromised host are looked up.

Figure 7: Collection of IP Address Geographic Location

5. Information about the compromised host, including the system version, MAC address and local drive details, is collected, and RSA and AES keys are generated.

Figure 8: Generation of Encryption Key

6. The sample reads the host's default Input Method Editor (IME) and does not encrypt hosts whose default IME belongs to specific countries.

Figure 9: Determination of Default IME

Figure 10: Exempted IMEs

Hosts whose system language corresponds to one of the following countries are not encrypted: Armenia, Azerbaijan, Belarus, Estonia, Georgia, Iran, Kyrgyzstan, Lithuania, Moldova, Russia, Tajikistan, Ukraine, Uzbekistan, Turkmenistan, Syria, Latvia and Kazakhstan.

Figure 11: Exempted Countries

7. The sample creates a Wordload value in its encryption-log registry key. If the Wordload value is 1, encryption is cancelled.

Figure 12

Figure 13

8. Hosts in the countries listed above are exempt from attack, but all others are at risk of encryption. The virus sends its own IP address to https://2no.co/2SVJa5 (a shortened URL) or https://www.bleepingcomputer.com/ (the complete URL). Bleepingcomputer.com is a legitimate site providing security technology news and information.

Figure 14: Visit Bleepingcomputer.com Site
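Because the sample contacts both a URL shortener and a legitimate security news site, a proxy-log check should weight the two very differently: the 2no.co link is a strong indicator, while bleepingcomputer.com traffic is only corroborating context. The following Python is an added example written for this advisory (it is not Sangfor's tool or code from the sample) that scans proxy log lines for the two URLs given in the report and escalates a client only when the evidence is strong. The log format (timestamp, client IP, method, URL) and the log lines themselves are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the report: the shortened URL the sample contacts
# (high confidence) and the legitimate site it also visits (low confidence,
# since ordinary users browse it too).
BEACON_URLS = {"https://2no.co/2SVJa5": "high"}
CONTEXT_HOSTS = {"www.bleepingcomputer.com": "low"}

# Constructed proxy log lines: "<timestamp> <client-ip> <method> <url>".
SAMPLE_PROXY_LOG = [
    "2018-10-24T09:12:01Z 10.0.0.15 GET https://www.bleepingcomputer.com/",
    "2018-10-24T09:12:03Z 10.0.0.15 GET https://2no.co/2SVJa5",
    "2018-10-24T09:15:44Z 10.0.0.21 GET https://www.bleepingcomputer.com/news/security/",
    "2018-10-24T09:20:10Z 10.0.0.33 GET https://example.com/index.html",
]


def classify_request(url):
    """Return a severity label for one requested URL, or None if uninteresting."""
    if url in BEACON_URLS:
        return BEACON_URLS[url]
    host = urlsplit(url).hostname or ""
    if host == "2no.co":
        # Same shortener, different path: worth a look, but not proof of this sample.
        return "medium"
    if host in CONTEXT_HOSTS:
        return CONTEXT_HOSTS[host]
    return None


def scan_proxy_log(lines):
    """Parse log lines and return a list of hits with time, client, URL and severity."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash
        timestamp, client, _method, url = parts[:4]
        severity = classify_request(url)
        if severity is not None:
            hits.append({"time": timestamp, "client": client,
                         "url": url, "severity": severity})
    return hits


def suspect_hosts(hits):
    """Clients to isolate: any high-confidence hit, or a medium hit plus context traffic."""
    severities_by_client = defaultdict(set)
    for hit in hits:
        severities_by_client[hit["client"]].add(hit["severity"])
    suspects = [client for client, sevs in severities_by_client.items()
                if "high" in sevs or {"medium", "low"} <= sevs]
    return sorted(suspects)


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for hit in found:
        print(f"{hit['severity']:6} {hit['client']:12} {hit['url']}")
    print("isolate:", suspect_hosts(found))
```

The client that only visited bleepingcomputer.com is reported as a low-severity hit but is not escalated; the client that also requested the 2no.co link is. In a real deployment the severity map would be fed from threat intelligence rather than hard-coded.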

9. Files are encrypted with 256-bit AES in CBC mode.

Figure 15

10. Original files are overwritten with their encrypted content and then renamed.

Figure 16: Encryption and Overwrite of Files

Figure 17: Encrypted Files are Renamed
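Overwriting files in place and appending one random extension to every one of them leaves a distinctive fingerprint in a directory listing: many files whose known document extension is followed by the same unrecognised suffix. The following Python is an added example written for this advisory (not Sangfor's product code and not derived from the sample) that applies that heuristic to a file listing. The targeted-extension set is an illustrative subset (the report says the real list has 422 entries), the suffix length bounds are an assumption, and the two listings are constructed for the example.

```python
import re
from collections import defaultdict

# Illustrative subset of the kinds of extensions ransomware targets; the sample's
# own list (422 entries per the report) would be substituted here in practice.
TARGETED_EXTENSIONS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "jpg", "png",
    "txt", "zip", "sql", "mdb", "psd", "dwg",
}

# "<stem>.<original ext>.<appended suffix>": the suffix length range (5-12
# alphanumerics) is an assumption chosen to catch random-looking extensions.
APPENDED_EXT_RE = re.compile(
    r"^(?P<stem>.+)\.(?P<orig>[A-Za-z0-9]{1,5})\.(?P<added>[A-Za-z0-9]{5,12})$")

# Constructed listings: one after a mass rename, one untouched.
SAMPLE_LISTING = [
    "budget.xlsx.k7d2pq9x", "report.docx.k7d2pq9x", "photo.jpg.k7d2pq9x",
    "notes.txt.k7d2pq9x", "plan.pdf.k7d2pq9x", "db.sql.k7d2pq9x",
    "README.txt", "archive.zip", "setup.exe",
]
CLEAN_LISTING = ["budget.xlsx", "report.docx", "photo.jpg", "setup.exe", "notes.txt"]


def parse_renamed(name):
    """Return (original_ext, appended_suffix) if the name looks like a renamed file."""
    match = APPENDED_EXT_RE.match(name)
    if not match:
        return None
    orig = match.group("orig").lower()
    added = match.group("added").lower()
    # A known extension appended to a known extension (e.g. .tar.gz) is normal.
    if orig not in TARGETED_EXTENSIONS or added in TARGETED_EXTENSIONS:
        return None
    return orig, added


def original_extension(name):
    """The targeted extension a file had before any suffix was appended, or None."""
    parsed = parse_renamed(name)
    if parsed:
        return parsed[0]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext if ext in TARGETED_EXTENSIONS else None


def find_mass_rename(filenames, min_files=5, min_share=0.5):
    """Return (suffix, affected_files) when one unknown suffix covers most targeted files."""
    by_suffix = defaultdict(list)
    targeted_total = 0
    for name in filenames:
        if original_extension(name) is None:
            continue
        targeted_total += 1
        parsed = parse_renamed(name)
        if parsed:
            by_suffix[parsed[1]].append(name)
    if not by_suffix:
        return None
    suffix, files = max(by_suffix.items(), key=lambda kv: len(kv[1]))
    if len(files) < min_files or len(files) / targeted_total < min_share:
        return None
    return suffix, sorted(files)


if __name__ == "__main__":
    print("sample:", find_mass_rename(SAMPLE_LISTING))
    print("clean: ", find_mass_rename(CLEAN_LISTING))
```

The thresholds keep a single oddly named file from raising an alert; the signal is one suffix shared by a large share of the documents in a directory. Run over a file-server share or a backup catalogue, this is a cheap way to spot which hosts or shares were hit.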

11. The ransomware deletes itself after encryption.

Figure 18

12. The desktop wallpaper is changed and a ransom message is displayed.

Figure 19

Currently there is no decryption tool available for victims. Infected hosts should be quarantined and disconnected from the network.

Sangfor recommends you perform a virus scan and set protections as soon as possible.

Detection and Removal
1. Sangfor offers customers and users a free anti-malware tool to scan for and remove this ransomware. Download it from http://go.sangfor.com/anti-bot-tool-20181024
2. Sangfor NGA can detect this ransomware.

1. Install the corresponding security patches on hosts before they can be infected.
2. Back up critical data files regularly to other hosts or storage devices.
3. Do not open email attachments from unknown sources and do not download software from untrusted websites.
4. Disable unnecessary file-sharing permissions.

For Sangfor NGAF users, upgrade your device to version 8.0.5 and enable the AI-based Sangfor Engine Zero to protect the network from attacks.

Perform a security scan and virus removal across the whole network to strengthen its security. We recommend Sangfor Security Intelligence, NGAF and EDR to perform security scans and virus removal and to protect your entire network.
