The Kraken ransomware is one of the latest virus threats being used by hacker groups against victims worldwide. It appears that the majority of infections are delivered through the Fallout Exploit Kit, which was previously used for GandCrab virus attacks. Our article sums up the information known so far.
Fallout Exploit Kit Delivers Kraken Ransomware Files
The Kraken ransomware has become a recent example of a malicious threat that is constantly updated with new features. The fact that it has been adopted by various hackers and is spread through the underground hacker forums makes it a very dangerous threat to consider. In September security experts discovered that hackers had used the Fallout Exploit Kit to spread the ransomware files. This is the same framework that was used to launch the latest versions of GandCrab. A new security report states that the original Kraken developers reached out to the Fallout kit operators asking for their threat to be added to the framework. This partnership has resulted in another successful delivery method.
Following the interactions in the underground forums, we read that the ransomware announcements are made in Russian. This leads the experts to believe that the developers may be from a Russian-speaking country. As a result the Kraken ransomware, and especially its later strains, can now be categorized as RaaS (ransomware-as-a-service).
This has led to the creation of Kraken ransomware affiliates — individual hacking collectives or malicious actors that use the provided payloads. A percentage of the income is shared with the RaaS team in exchange for updates. A distinct characteristic of this scheme is that the profit percentage allocated to the developers was decreased between two of the major releases. This was done in order to attract more affiliates to the scheme. There are certain entry conditions that potential affiliates must meet: a specific form and a $50 payment.
According to the Kraken ransomware description the malware can be used against computer victims from the following countries:
Armenia, Azerbaijan, Belarus, Estonia, Georgia, Iran, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan
On October 21 a second version of Kraken was released, which showed that the geographical distribution had been considerably expanded.
Kraken Ransomware Analysis: Distinct Characteristics of Infection
Upon delivery of the ransomware threat the built-in behavior patterns are started as quickly as possible. One of the detected versions has been found to use a tool from a commercial system utility to effectively wipe both system and user data, which makes file recovery significantly harder. An additional measure taken by the developers is a UAC (User Account Control) bypass, which can automatically overcome certain security measures taken by the operating system. The main infection engine can also hide itself from security software by avoiding commonly detected behavior, which in practice bypasses the usual signature scans.
Other actions include Windows Registry modifications that may alter strings belonging both to the operating system and to any installed applications. This can cause severe performance issues. In addition the Kraken ransomware releases have been found to disable access to the boot recovery menu. Infected devices are rebooted 5 minutes (300 seconds) after the activation of the infection engine.
A full list of the features found in the latest version of the Kraken ransomware follows:
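The two host-side behaviors described above, disabling the boot recovery menu and scheduling a reboot 300 seconds after activation, are both visible in process-creation telemetry. The following detection sketch is an added example written for this article and is not code from the Kraken analysis or from any vendor product. It assumes that the recovery menu is disabled through bcdedit.exe and that the reboot is scheduled through shutdown.exe with a timer; the article does not state which mechanism the malware uses, so both are assumptions, and the sample events are constructed, not real telemetry.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (not real telemetry).
# Event 3 is a normal administrative reboot and must not be flagged.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 4121, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4130, "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown /r /t 300 /f"},
    {"pid": 4200, "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown /r /t 0"},
    {"pid": 4300, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
]

# bcdedit turning the Windows recovery environment off.
_RECOVERY_OFF = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+(?:no|off|0)\b", re.I)
# bcdedit suppressing the "Windows failed to start" prompt after a bad boot.
_BOOTSTATUS = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I)
# shutdown.exe restart (/r) with an explicit timer (/t N); group 1 is N.
_REBOOT_TIMER = re.compile(
    r"\bshutdown(?:\.exe)?\b(?=.*\s[/-]r\b).*\s[/-]t\s+(\d+)", re.I)

# Reboots scheduled this far ahead are unusual for interactive admin work;
# the threshold is a tuning assumption, chosen below the 300 s in the article.
REBOOT_TIMER_MIN_SECONDS = 60


def classify_event(ev: Dict) -> List[str]:
    """Return the detection tags a single process-creation event triggers."""
    cmd = ev["cmdline"]
    tags: List[str] = []
    if _RECOVERY_OFF.search(cmd):
        tags.append("boot_recovery_disabled")
    if _BOOTSTATUS.search(cmd):
        tags.append("boot_failure_prompt_suppressed")
    m = _REBOOT_TIMER.search(cmd)
    if m and int(m.group(1)) >= REBOOT_TIMER_MIN_SECONDS:
        tags.append(f"delayed_reboot_{int(m.group(1))}s")
    return tags


def analyze(events: List[Dict]) -> Dict:
    """Correlate per-event tags for one host into a verdict.

    A disabled recovery menu followed by a delayed forced reboot is the
    sequence the article attributes to Kraken; either alone only earns
    a review, since administrators legitimately do both in isolation.
    """
    hits = [(ev["pid"], tag) for ev in events for tag in classify_event(ev)]
    tags = {tag for _, tag in hits}
    recovery_off = "boot_recovery_disabled" in tags
    delayed_reboot = any(t.startswith("delayed_reboot_") for t in tags)
    if recovery_off and delayed_reboot:
        verdict = "ransomware_like_sequence"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hits": hits, "verdict": verdict}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for pid, tag in result["hits"]:
        print(f"pid {pid}: {tag}")
    print("verdict:", result["verdict"])
```

Run against the constructed sample the script flags the two bcdedit events and the 300-second reboot, ignores the immediate reboot and explorer.exe, and reports the combined verdict; in a real deployment the same rules would sit in an EDR or SIEM correlation search keyed on host and a short time window rather than over a flat list.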
- Anti-Forensics Module — Prevents administrators from discovering the behavior patterns of the malicious engine.
- Anti-Reverse Module — Prevents the reverse engineering of captured strains by analysts.
- Anti-Virtualization Module — This function will search for any virtual machine hosts and shut them down. This is done in case the strain is launched inside a virtual machine.
- Anti-SMB Module — Bypasses the SMB file-sharing network protocol security measure.
- Anti-RDP Module — This function will bypass the security measures of remote desktop servers which are widely used in corporate environments.
- Country Check Module — The ransomware engine checks whether the regional settings match the allowed country infections list.
- Keyboard Check Module — This module supplements the above. It checks the selected keyboard layouts against the allowed infections country list.
- Registry Check Module — The virus checks for the availability of certain Windows Registry entries and proceeds with the infection if the conditions are met.
- Fix Device Module — This procedure manipulates removable storage devices by setting certain attributes and infecting them with the virus.
- Network Device Module — This module will intrude onto available network devices in the same network.
- Flash Device Module — When this is executed the removable storage devices will be flashed with the Kraken ransomware and/or additional payloads.
- Extension Bypass Module — This module will bypass the security scans undergone by web browsers and online services.
- Rapid Mode — A burst infection behavior pattern which leads to a significantly quicker ransomware delivery.
The modular framework used by the Kraken ransomware appears to bear a slight resemblance to GandCrab. This shows a clear influence from the latter — it is possible that the behavior patterns or parts of the source code have been taken from it. Another hypothesis is that the developers of the two may know each other through the underground hacking communities.
What sets this threat apart from other similar ransomware is that it also features a tracking API. It allows the ransomware operators and affiliates to track the number of infected computers in real time.
All of this shows that there is a very serious risk of damage following an active infection. Hackers are actively working on implementing new features to it. As such we recommend that computer users always employ a trusted anti-malware tool.