
As we cover ransomware extensively at BleepingComputer, some ransomware developers tend to interact with our site in various ways. This includes coming to the site to communicate with victims, releasing ransomware keys in our forums, or naming their command & control servers after our site's name.

Over the weekend, the Kraken Cryptor Ransomware released version 2.0.6, which now connects to BleepingComputer during different stages of its encryption process. It is not known what the developers are trying to achieve by doing this, but it does give BleepingComputer insight into the number of victims being infected by this ransomware.

This new version was first spotted by exploit kit experts nao_sec and Kafeine who saw it being distributed via malvertising and the RIG exploit kit.

After sharing the file hashes and information with BleepingComputer, I was able to determine that since October 20th, 2018, this ransomware has been able to infect 217 unique victims from all over the world.

As Kraken Cryptor is written in C#, it is easy to see how the program operates. In this new version a variable is created that contains the URL "https://2no.co/2SVJa5", as shown below. This URL belongs to the IPlogger.com service, which allows users to create shortened URLs and track statistics on how many times each one has been visited.

The ransomware connects to this shortened URL so the developer can track statistics. In the past, the shortened URL would then redirect to google.com, but in this version it is redirecting to www.bleepingcomputer.com.

Shortened URL pointing to BleepingComputer.com

When the ransomware first begins to encrypt the computer it will call the smethod_4 function with the shortened URL and the string "Begin".

Encryption has Begun

smethod_4 then connects to the shortened URL using the user agent "Kraken web request agent/v2.0.6" and a referer containing various information, including the passed status argument, which in the above case is "Begin". nao_sec told BleepingComputer that the referer is built using the following information: "referer is country code + drive size + status".

Function that connects to BleepingComputer.com

When the encryption is finished, the ransomware once again connects to BleepingComputer.com via the shortened URL. This time, though, the status is the "End: " string with the number of encrypted files appended to it.

Encryption Has Ended

The ransomware developer can then use the IPlogger.com site to check the stats on the number of victims who connected to the shortened URL.
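A defender-side check for the beacons described above, written as an added example that is not part of the article or of the ransomware's code: it scans proxy log lines for the user agent and shortened URL quoted in the text and pulls the "Begin" / "End: N" status out of the referer. The tab-separated log layout and the exact referer layout (country code, drive size and status separated by spaces) are assumptions, so only the status keyword itself is matched; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicators quoted in the article for Kraken Cryptor v2.0.6.
BEACON_URL = "https://2no.co/2SVJa5"
USER_AGENT_PREFIX = "Kraken web request agent/"

# Status carried in the Referer: "Begin" at start, "End: <n>" at finish.
STATUS_RE = re.compile(r"(Begin|End:\s*(\d+))")

@dataclass
class KrakenBeacon:
    src_ip: str
    status: str                    # "Begin", "End" or "Unknown"
    files_encrypted: Optional[int]  # only present on an "End" beacon
    referer: str

def parse_beacon(line: str) -> Optional[KrakenBeacon]:
    """Return a KrakenBeacon if the log line matches, else None.

    Assumed log format (tab-separated): timestamp, src_ip, url, user_agent, referer.
    """
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        return None
    _ts, src_ip, url, user_agent, referer = fields
    # Either indicator alone is enough: a changed short URL in a later build
    # would still be caught by the user agent string, and vice versa.
    if url != BEACON_URL and not user_agent.startswith(USER_AGENT_PREFIX):
        return None
    m = STATUS_RE.search(referer)
    if not m:
        return KrakenBeacon(src_ip, "Unknown", None, referer)
    count = int(m.group(2)) if m.group(2) else None
    return KrakenBeacon(src_ip, "End" if count is not None else "Begin", count, referer)

def summarize(lines):
    """Aggregate beacons per source host: status counts and files reported."""
    hosts = {}
    for line in lines:
        b = parse_beacon(line)
        if b is None:
            continue
        entry = hosts.setdefault(b.src_ip, {"Begin": 0, "End": 0, "Unknown": 0, "files": None})
        entry[b.status] += 1
        if b.files_encrypted is not None:
            entry["files"] = b.files_encrypted
    return hosts

# Constructed sample proxy log: one host beaconing Begin, the followed redirect, then End.
SAMPLE_LOG = [
    "2018-10-21T10:02:11Z\t10.0.0.7\thttps://2no.co/2SVJa5\tKraken web request agent/v2.0.6\tUS 465GB Begin",
    "2018-10-21T10:02:12Z\t10.0.0.7\thttps://www.bleepingcomputer.com/\tKraken web request agent/v2.0.6\tUS 465GB Begin",
    "2018-10-21T10:41:55Z\t10.0.0.7\thttps://2no.co/2SVJa5\tKraken web request agent/v2.0.6\tUS 465GB End: 18422",
    "2018-10-21T10:42:00Z\t10.0.0.9\thttps://www.bleepingcomputer.com/\tMozilla/5.0\thttps://www.google.com/",
]
```

A host that reports "End" after "Begin" has already finished encrypting, so the "Begin" beacon is the one worth alerting on in real time.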

I can see no reason to connect to BleepingComputer during its encryption process other than because we have covered this ransomware in the past and they felt like poking a little fun at us. Its insight, though, does tell us that ransomware, even in its diminished state, is still nothing to ignore. 

Make sure you have working backups, security updates installed, and be vigilant as ransomware infections can be devastating for unprepared businesses and consumers.

Update 10/22/18: Updated to clarify why it's using IPLogger.
