
Curtain closes on Ransomware Encryptor RaaS, but with master key

Those victims targeted over the past year by the ransomware as a service (RaaS) named Encryptor RaaS may be at a loss to ever recover their encrypted files, according to a report from Trend Micro.

That is because, after operating for a year, the service has shut down. That is the good news, Trend Micro researchers said. The bad news is that the developers behind the malware took the master key with them when they disappeared, and that key is the one that would have allowed those victimized by the RaaS to recover their files.

The ransomware, first detected in July 2015, at the time seemed set to rival such competitors as Tox and ORX Locker, arriving with multiplatform capabilities, customization options and an appealing price that was said to make it a good entry point for miscreants attracted to the dark side. In fact, setup was so easy, Trend Micro said, that all a client needed to do was set up a Bitcoin Wallet ID. Buyers, who downloaded the ransomware from the Tor network, were required to hand over only five percent of revenue, rather than the 40 percent demanded by the rival service Cerber, for example.

Researchers at Trend Micro observed that, as late as March 2016, the developers of the ransomware were still actively tweaking its capabilities to keep it undetectable, including signing the ransomware with legitimate certificates and employing counter-AV services and crypters.

With its infrastructure hidden away on the Tor network, the developer went so far in marketing the ransomware as to offer his clients a file-signing service, using stolen Authenticode certificates to sign Encryptor RaaS samples at no cost.

"Four months after, however, the service abruptly closed up shop," the researchers wrote.

The fall may have been the result of detection: a C&C server was exposed and the operation's systems were found hosted on a legitimate cloud service. After a few sputters and attempts to relaunch, the service was shut down completely. As of early April 2016, the Trend Micro researchers observed the affiliate chat forum exploding with animosity between the developer and clients dissatisfied with the shutdown.

The curtain closed on July 5, 2016, when the developer, who goes by the handle "jeiphoos," alerted victims that they could no longer recover their files because he had deleted the master key, Trend Micro reported.

"The story here is one of how much the crimeware market mirrors legitimate software," Christopher Budd, global threat communications manager at Trend Micro, told SCMagazine on Thursday. "Here you have a startup that undercut the competition, was successful for a short period and then went bust and disappeared."

Budd added that the ultimate losers in this particular case are the targeted victims, since with the decryption key lost, this service's "customers" are left without any way to recover the files that the ransomware rendered unreadable.
