Ransomware is a pernicious cyber threat. However, with malware encryption, it becomes extraordinarily vicious.
Two Romanians have been arrested by Europol for allegedly running malware crypting services - CyberSeal and Dataprotector. The Cyberscan service was used alongside this to bypass antivirus software detection. These services have been sold to 1,560 criminals used to crypt several malware, such as ransomware, RATs, and information stealers.
Nuts and bolts
- The crypters hide or encrypt the primary code in malicious software until it is installed on the victim’s system.
- Dataprotector and CyberSeal encrypted and hid malware inside legitimate code to appear harmless to antivirus software. Post-installation, the encrypted malware would decrypt and further install RATs, ransomware, and infostealers.
- The price of the services ranged between $40 and $300, based on the license conditions.
- Moreover, a counter antivirus platform was provided to the clients to test the malware samples against antivirus software.
What does this imply?
- Apart from encrypting the malware, they fill the malware with junk code, much to the frustration of analysts.
- Sometimes, the capabilities of the crypter can be extended to allow for process injection, disable task manager, use pop-ups to enable execution to avert user account control, and use anti-analysis tricks to impede virtual machines and debuggers.
- Other crypters, such as Saddam’s Crypter, allow clients to deploy additional malware.
The bottom line
The encryption as a service market has boomed in the past six months and has shown signs of stopping any time soon with threat actors offering updated and new strains of crypters. Thus, experts suggest implementing incident response and detection controls to keep such threats at arm’s length.