This system is similar to another affiliate ransomware we have seen in the past called Tox, except that this service has an unsophisticated setup and a non-existent affiliate console. In fact, an affiliate has to rely on their own distribution method to determine how many of their ransomware infections have been installed, and has to trust the RaaS developer to deliver payments.
An interesting string found within the executable also indicates that portions of, or the entire, ransomware may be written in Java. When examining the executables, there was a reference to libgcj-16.dll, which is part of the GNU Compiler for the Java Programming Language, otherwise known as GCJ. GCJ allows Java programs to be compiled into native Windows executables. If this ransomware was indeed programmed in Java, it would be the first one we have seen created in this way.
As the distribution of the ransomware executable is left up to the affiliate, there is no specific file location or method of infection for this ransomware. When the ransomware is installed, it will encrypt files based on their extension, using a custom encryption method that is currently unknown. Encrypted files will retain their original extensions. The file extensions that are targeted are:

abw,accdb,ai,aif,arc,as,asc,asf,ashdisc,asm,asp,aspx,asx,aup,avi,bbb,bdb,bibtex,bkf,bmp,bpn,btd,bz2,c,cdi,cer,cert,cfm,cgi,cpio,cpp,crt,csr,cue,c++,dds,dem,dmg,doc,docm,docx,dsb,dwg,dxf,eddx,edoc,eml,emlx,eps,epub,fdf,ffu,flv,gam,gcode,gho,gif,gpx,gz,h,hbk,hdd,hds,hpp,h++,ics,idml,iff,img,indd,ipd,iso,isz,iwa,j2k,jp2,jpf,jpeg,jpg,jpm,jpx,jsp,jspa,jspx,jst,key,keynote,kml,kmz,lic,lwp,lzma,m3u,m4a,m4v,max,mbox,md2,mdb,mdbackup,mddata,mdf,mdinfo,mds,mid,mov,mp3,mp4,mpa,mpb,mpeg,mpg,mpj,mpp,msg,mso,nba,nbf,nbi,nbu,nbz,nco,nes,note,nrg,nri,ods,odt,ogg,ova,ovf,oxps,p2i,p65,p7,pages,pct,pdf,pem,phtm,phtml,php,php3,php4,php5,phps,phpx,phpxx,pl,plist,pmd,pmx,png,ppdf,pps,ppsm,ppsx,ppt,pptm,pptx,ps,psd,pspimage,pst,pub,pvm,qcn,qcow,qcow2,qt,ra,rar,raw,rm,rtf,s,sbf,set,skb,slf,sme,smm,spb,sql,srt,ssc,ssi,stg,stl,svg,swf,sxw,syncdb,tar,tc,tex,tga,thm,tif,tiff,toast,torrent,tpl,ts,txt,vbk,vcard,vcd,vcf,vdi,vfs4,vhd,vhdx,vmdk,vob,wbverify,wav,webm,wmb,wpb,wps,xdw,xlr,xls,xlsx,xz,yuv,zip,zipx

Finally, when the ransomware has finished encrypting your files, it will create a ransom note on the Windows Desktop called encryptor_raas_readme_liesmich.txt. This note will contain information about what happened to your files and a link to the payment site. These instructions will be in both English and German.
An example of the encryptor_raas_readme_liesmich.txt can be found below.
ATTENTION! The files on your computer have been securely encrypted by Encryptor RaaS. To get access to your files again, follow the instructions at: https://decryptoraveidf7.onion.to/vict?cust=<cust_id>&guid=<affiliate_id>

ACHTUNG! Die Dateien auf Ihrem Computer wurden von Encryptor RaaS sicher verschluesselt. Um den Zugriff auf Ihre Dateien wiederzuerlangen, folgen Sie der Anleitung auf: https://decryptoraveidf7.onion.to/vict?cust=<cust_id>&guid=<affiliate_id>

Finally, the ransomware will open the TOR payment site, titled Encryptor RaaS Decryptor, which provides information on how many bitcoins you must send and the bitcoin address you need to send them to. An example page can be seen below:
The ransomware itself does not delete Shadow Volume Copies or perform secure deletions of encrypted files. Therefore, unless the affiliate incorporates these types of protection into their distribution method, it is possible to restore your files using a program like Shadow Explorer or file recovery software.
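As an added example (not code from the original write-up or from the ransomware's authors), the following Python triage script shows how a responder can walk a directory tree, flag the Encryptor RaaS ransom note by its filename, and inventory the files whose extensions fall in the targeted list. The extension set is a hand-picked subset of the list above, and the sample tree it scans is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Ransom note filename dropped on the Windows Desktop (from the write-up above).
RANSOM_NOTE = "encryptor_raas_readme_liesmich.txt"

# Subset of the targeted extensions listed above; extend it from the full list as needed.
TARGETED_EXTENSIONS = frozenset({
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "jpg", "jpeg", "png",
    "zip", "rar", "sql", "mdb", "pst", "vmdk", "vhd", "vhdx", "c", "cpp", "php",
})


def triage_tree(root):
    """Report whether the Encryptor RaaS note is present under `root` and which
    files carry a targeted extension. Because encrypted files keep their original
    extension, the extension alone cannot tell clean from encrypted files; the
    note is the reliable indicator, and the candidates are files to restore from
    Shadow Volume Copies or backups if the note is found."""
    notes, by_ext = [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE:
                notes.append(str(path))
                continue
            ext = path.suffix.lstrip(".").lower()
            if ext in TARGETED_EXTENSIONS:
                by_ext[ext] = by_ext.get(ext, 0) + 1
    return {
        "note_found": bool(notes),
        "note_paths": sorted(notes),
        "candidate_count": sum(by_ext.values()),
        "candidates_by_ext": by_ext,
    }


def build_sample_tree():
    """Constructed sample: a fake profile with the note on the Desktop, two targeted
    files and one file whose extension (md) is not in the targeted list."""
    base = Path(tempfile.mkdtemp(prefix="encryptor_raas_triage_"))
    (base / "Desktop").mkdir()
    (base / "Desktop" / RANSOM_NOTE).write_text("ATTENTION! (constructed note body)\n")
    (base / "Desktop" / "budget.xlsx").write_bytes(b"\x00" * 16)
    (base / "Documents").mkdir()
    (base / "Documents" / "thesis.docx").write_bytes(b"\x00" * 16)
    (base / "Documents" / "notes.md").write_bytes(b"# not targeted\n")
    return base


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```

Run against a real profile directory, a `note_found` of True with a non-zero `candidate_count` is the cue to check Shadow Volume Copies before anything else touches the disk.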
A big thanks to Nathan Scott and Cody Johnston for assisting in the analysis of this ransomware. I would also like to thank pete255 for posting about it on Reddit.