by RSS Roland Dela Paz  |  Nov 17, 2015  |  Filed in: Security Research

Previously, we talked about a new ransomware-as-a-service called Encryptor RaaS. Encryptor RaaS is a GNU Compiler for Java (GCJ) compiled ransomware that is available to anyone who wishes to be a spreading affiliate. The author then takes 20% commission for each ransom paid by an infected victim.

While monitoring, we noticed some updates on its website. In particular, the new version of the ransomware dated November 13, 2015, caught our attention so we decided to take a look.

Currently, the website looks as follows:

Figure 1. Updated Encryptor RaaS website

We can see some changes compared to the previous advertisement such as the new comment box and the author’s contact details ("jeiphoos").

The website currently indicates a total of 317 infections. If this is true, it means that Encryptor RaaS has started to attract affiliates. It is also worth mentioning that we have seen some forum posts from users infected by this ransomware.

The author's commission seems to have dropped to 5% as opposed to 20% previously, which may have contributed to attracting more affiliates.

But what are the updates to the binary itself?

Digital Signature

According to the website, the ransomware is now digitally signed by stolen Authenticode certificates. We have confirmed this upon downloading a demo binary from the website. Below is a screenshot of the certificate:

Figure 2. Encryptor RaaS digital signature

Persistence

The author has added some persistence mechanisms such as dropping the following autorun registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

{random} = ""{malware path and filename}" /SkipReg"

This allows the malware to execute and encrypt files every time the system restarts.  It adds the “/SkipReg” parameter to the registry which signals the malware not to re-register itself on the C&C. The malware registers itself during the first execution by uploading the affiliate ID and the affected machine’s GUID.

The malware also attempts to find the “Windows Task Manager” window periodically:

Figure 3. Code to find Task Manager window

Once found, it calls SendMessage API with the WM_CLOSE parameter to terminate the window:

Figure 4. Code to disable Task Manager

This prevents the user from terminating the ransomware process via the Task Manager.

Target File Types

The list of target file extensions has significantly increased. From 233, there are now 590 target files including backup file formats. A complete list of targeted files appears at the end of this post.

Bypassed Files

Aside from wallet.dat, the malware now avoids encrypting electrum.dat. “Electrum.dat” is a Bitcoin wallet file generated by the Bitcoin client "Electrum":

Figure 5. Code to bypass wallet.dat and electrum.dat

Of course, it also avoids encrypting its readme file “readme_liesmich_encryptor_raas.txt” which is a slightly different filename from the previous readme version. The ransomware message remained the same, still written both in English and German, although the decryptor site has now changed to 5jua3omslrbkks4c.onion.link.

Shadow Copy Deletion

Finally, the most notable update to the ransomware is that it now attempts to delete Shadow Copies. Shadow Copy is a Microsoft Windows feature that allows the operating system to back up files.

The ransomware deletes Shadow Copies by silently executing a DOS command:

Figure 6. Code to delete Shadow Copies

This routine effectively renders the user unable to recover files from Windows backup.

Who is behind Encryptor RaaS?

The TOR- and Bitcoin-based operation of Encryptor RaaS makes it hard to track the author behind this ransomware. On top of that, the author uses the dark web mail service SIGAINT to talk to clients.

We found that a thread was created in the forum evilzone.org regarding our previous Encryptor RaaS post. A user with the handle jeiphoos has replied to the thread and identified himself as the author of Encryptor RaaS. One of his replies to the thread suggests that he has been or is around many German-speaking people:

Figure 7. Forum post of jeiphoos on evilzone.org

Additionally, his forum profile shows that his local timezone is Central European Time, which is Germany's timezone. Therefore, it is possible that the author is located in Germany or in one of the countries under the CET timezone.

Conclusion

The new changes found in the Encryptor RaaS illustrate the author's determination to succeed in the RaaS business. While the author's claimed infection count is low as of the moment, the continuous development of the ransomware and the now lower commission percentage may continue to attract more affiliates.

All in all, RaaS is a serious threat. It provides a convenient platform for cyber extortion and a big headache to its victims. It is important to monitor RaaS services, along with prominent ransomware families, for developments to keep solutions relevant and customers protected.

We will continue to post information on this blog as we unfold new developments in the ransomware landscape.

-= FortiGuard Lion Team =-

Hat tip to my colleague Tien Phan for helping to create the IPS signature Encryptor.RaaS.Botnet to detect updated Encryptor RaaS C&C communication.

Related MD5 hashes:
00c4c3946ec03c915cfe4cbddffe93da - detected as W32/Cripoke.A615!tr
f84d54b351b7926106ef377b06423734 - detected as W32/Raas.TD!tr
762a96d79e747457e086e6812816b0aa - detected as W32/Raas.TD!tr

Target file extensions:

0

aspx

crypt7

h

max

ott

recipientsbackup5

ts

-1

asx

cs

h++

mb

ova

recipientsbackup6

tv

-10

aup

csproj

hbk

mbox

ovf

recipientsbackup7

tvc

-11

avi

csr

hdd

mcs

ovpn

recipientsbackup8

txt

-12

ba0

csv

hds

md2

oxps

recipientsbackup9

ucd

-13

backup

cue

hex

mdb

p

rm

ufo

-14

bak

d64

hpp

mdbackup

p12

rpb

user

-15

bas

data

hst

mddata

p2i

rtf

val

-16

bbb

db3

htc

mde

p65

s

vbk

-17

bc

dbf

ico

mdf

p7

sam

vcard

-18

bc!

dbt

ics

mdi

pages

sav

vcd

-19

bdb

dbx

idml

mdinfo

pbi

sb

vcf

-2

bde

dds

idx

mds

pct

sbf

vdi

-3

bdf

ddz

if

mdw

pdf

scv

vfs4

-4

bdg

dem

iff

mdx

pdfx

sdc

vhd

-5

bdi

deviceids

imb

mid

pehape

sdi

vhdx

-6

bdk

df

img

mkv

pem

sds

vir

-7

bdl

dfd

imh

mmf

pfq

sdx

vmc

-8

bdm

dfproj

iml

mnu

pfx

sdy

vmdk

-9

bdmv

dia

imm

mobileprovision

pgp

secure

vob

0

bdsproj

dir

in0

mod

php

seed

vsd

0

bdw

diz

indd

mon

php3

sel

vsv

1

bdx

dmg

ini2

mov

php4

seq

wab

2

bee

doc

int

mp3

php5

set

wallet

3

ben

docm

ipd

mp4

phps

sfs

war

4

bes

docx

iso

mpa

phpx

sfv

wav

5

bex

dot

isz

mpb

phpxx

shs

wbk

6

bexpk

dqy

iwa

mpeg

phtm

skb

wbverify

7

bf

dsb

j2k

mpg

phtml

skd

wc

8

bf2

dsn

jad

mpj

pid

skp

webarchive

9

bfa

dta

jar

mpp

pins

slf

webm

1

bfb

dtr

java

mq4

pk

sln

whtt

10

bfe

dtv

jdb

mqh

pl

sme

wim

11

bff

dwg

jks

ms

plist

smk

win

12

bgz

dxf

jmf

msf

pmd

smm

wlt

13

bhx

ebk

jp2

msg

pmk

smp

wma

14

bib

eddx

jpeg

mso

pmx

smr

wmb

15

bibtex

edoc

jpf

mta

pnf

sms

wmv

16

bik

elfo

jpg

mts

png

spb

workflow

17

bkf

eml

jpm

mus

ppdf

spi

wpb

18

bkp

emlx

jpx

myd

pps

spro

wps

19

bks

enc

json

myf

ppsm

sql

wsb

2

bkup

eps

jsp

myi

ppsx

srp

xdw

2fs

bmp

epub

jspa

nam

ppt

srt

xed

3

bpn

es

jspx

nap

pptm

srv

xg0

3dm

bson

es~

jst

nba

pptx

ssc

xg1

3ds

btd

ex4

k1f

nbf

pref

ssi

xg2

3g2

bz2

exp

kb1

nbi

prn

sss

xlg

3gp

c

fdb

kcf

nbu

prt

stf

xlk

4

c++

fdf

kch

nbz

ps

stg

xlr

5

cad

ff1

kcl

nco

psd

stl

xls

6

cadp

ffs_db

kdb

nes

pspimage

stw

xlsb

7

caf

ffu

kdbx

net

pst

sub

xlsm

7z

cbu

fh10

key

new

ptn

suo

xlsx

8

cc

fh11

keynote

nfo

ptn2

svg

xlt

9

cda

fi2

kml

nng

pub

swf

xlw

aac

cdf

fig

kmz

note

pvm

sxw

xsn

abbu

cdi

fil

knt

nr

pwd

symbolmap

xz

abw

cdr

flac

kpr

nrg

px

syncdb

yg0

accdb

cdx

flg

lbl

nri

py

tag

yg1

adr

cer

flp

ld

nru

qcn

tar

yg2

ahk

cert

flv

ldif

ns

qcow

tav

yuv

ai

cfc

fmd

lib

nzb

qcow2

tb3

z

aif

cfg

fpt

lic

oa4

qt

tc

zip

alt

cfm

ftp

lis

oac

qxp

tdl

zipx

ape

cgi

gam

lpd

odb

ra

tex

 

apk

chr

gar

ls

odc

rar

tga

 

arc

class

gcode

ltx

ods

raw

thm

 

arv

cnt

gho

lwp

odt

rdp

tib

 

as

cod

gid

lyc

ogg

recipients

tif

 

asc

conf

gif

lyt

old

recipientsbackup0

tiff

 

asf

cpio

gla

lzma

ops

recipientsbackup1

tlx

 

ashdisc

cpp

gpg

m3u

opt

recipientsbackup2

toast

 

asm

crd

gpx

m4a

or4

recipientsbackup3

torrent

 

asp

crt

gz

m4v

org

recipientsbackup4

tpl

 

 

 

by RSS Roland Dela Paz  |  Nov 17, 2015  |  Filed in: Security Research