The Fallout Exploit Kit is now spreading the notorious Kraken Cryptor Ransomware
The popular Fallout exploit kit (EK), which recently gained notoriety for distributing the GandCrab ransomware, is now switching its attention to distributing the Kraken Cryptor ransomware.
Kraken Cryptor appeared in the Ransomware as a Service (RaaS) arena and is now being actively distributed in the wild by multiple sources. Adding to this list, researchers have now observed the ransomware being distributed by the Fallout EK.
Activities of the Kraken Cryptor ransomware were first discovered and reported by the MalwareHunter team in mid-September. According to reports, the malware actors were able to gain access to the superantispyware.com site and market the ransomware from there.
The attackers disguised the Kraken Cryptor ransomware as the legitimate SuperAntiSpyware anti-malware program to trick users into installing it onto their systems.
“Our plan that replace original file with our ransomware file. Not sure about other kids but we do this for more fun and little money,” the attackers told Bleeping Computer.
Security researcher nao_sec examined the exploit kit and shared exclusive details about the ransomware with Bleeping Computer. According to the report, Fallout began distributing the Kraken Cryptor ransomware (version 1.5) earlier this week. That build carried a comment reading “EK Edition” in the ransomware’s configuration. The latest research shows that the comment has since been removed and an updated version (1.6) of the ransomware is now in circulation.
Kraken Cryptor is generally delivered when a potential victim visits a compromised website. The user is redirected through several gateways before landing on the page that serves the exploit kit, which then attempts to deploy the ransomware on the victim's computer.
Once installed on the computer, Kraken Cryptor encrypts the victim's files and renames each one with a random file name and a random extension. For instance, an encrypted file could carry the following filename and extension: AaPeTejeKzqJZWlb.OCYAV.
The ransomware also creates a ransom note titled “How to Decrypt Files-[extension].html” inside every encrypted folder. The ransom note contains the procedure victims are required to follow to decrypt files. Instructions on how to contact the attacker at firstname.lastname@example.org or BM-2cWdhn4f5UyMvruDBGs5bK77NsCFALMJkR@bitmessage.ch are also provided.
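The two artefacts just described, the ransom note name and the renamed encrypted files, are what a responder would look for first on a suspect host. The following script is an added example written for this page, not code from the original report or from any vendor tool. It walks a directory tree, flags ransom notes matching the "How to Decrypt Files-[extension].html" pattern and files matching the random name/extension scheme, and then corroborates the two by checking that the extension named in the note is the same extension borne by the renamed files. The pattern lengths (a 16-character stem and a 5-character uppercase extension) are an assumption generalised from the single sample on the page, as is the sample directory the script builds for itself; real infections may differ, so treat the regexes as a starting point to tune against your own evidence.

```python
import os
import re
import tempfile
from pathlib import Path

# Ransom note name reported on the page: "How to Decrypt Files-[extension].html".
# The capture group recovers the extension the note was written for.
NOTE_RE = re.compile(r"^How to Decrypt Files-([A-Za-z0-9]+)\.html$")

# Encrypted file pattern generalised from the one sample on the page
# (AaPeTejeKzqJZWlb.OCYAV): an alphanumeric stem plus a short all-uppercase
# extension. The fixed lengths (16 and 5) are an ASSUMPTION drawn from that
# single sample, not a published specification of the malware.
ENCRYPTED_RE = re.compile(r"^[A-Za-z0-9]{16}\.[A-Z]{5}$")


def scan_tree(root):
    """Walk root and collect ransom notes, candidate encrypted files, and the
    extensions the notes refer to."""
    findings = {"notes": [], "encrypted": [], "extensions": set()}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            note = NOTE_RE.match(name)
            if note:
                findings["notes"].append(full)
                findings["extensions"].add(note.group(1))
                continue
            if ENCRYPTED_RE.match(name):
                findings["encrypted"].append(full)
    return findings


def assess(findings):
    """Correlate the two artefact types: a note's extension matching the
    extension on renamed files is a much stronger signal than either alone.
    Returns (verdict, sorted list of extensions involved)."""
    file_exts = {Path(p).suffix.lstrip(".") for p in findings["encrypted"]}
    corroborated = findings["extensions"] & file_exts
    if corroborated:
        return "likely-kraken-cryptor", sorted(corroborated)
    if findings["notes"] or findings["encrypted"]:
        # One artefact type without the other: worth a look, not a verdict.
        return "suspicious", sorted(findings["extensions"] | file_exts)
    return "clean", []


def build_sample_tree():
    """Construct a throwaway directory mimicking the artefacts described on the
    page. Everything here is constructed demo data, not captured evidence."""
    root = tempfile.mkdtemp(prefix="kraken_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "AaPeTejeKzqJZWlb.OCYAV").write_bytes(b"\x00" * 16)  # name from the page
    (docs / "Q7m2ZxPlKdR9TbVn.OCYAV").write_bytes(b"\x00" * 16)  # constructed second file
    (docs / "How to Decrypt Files-OCYAV.html").write_text("<html>ransom note</html>")
    (Path(root) / "notes.txt").write_text("untouched file")  # benign control file
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = scan_tree(sample_root)
    verdict, exts = assess(result)
    print(f"{verdict}: extensions={exts}, notes={len(result['notes'])}, "
          f"renamed files={len(result['encrypted'])}")
```

Run it as-is to see the verdict against the constructed tree, or point `scan_tree` at a mounted image of a suspect volume. The correlation step in `assess` is the part worth keeping: filenames alone produce false positives on any host with randomly named cache files, but a ransom note whose embedded extension matches the extension on the renamed files next to it is a specific fingerprint of this family's behaviour as described above.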
The ransomware author has been demanding 0.256 Bitcoin in exchange for file decryption. The ransom note also includes links to learn about Bitcoin, along with instructions on how to buy it from a list of suggested websites.
Security researchers recommend that users install the latest security updates for their operating systems, since this denies exploit kits the vulnerabilities they rely on to infect a computer. Patching alone is not sufficient against ransomware, however: users should also follow good computing habits and use security tools.