A ransomware author's plans to launch a RaaS portal were foiled last week after security researchers from Malwarebytes managed to infiltrate the crook's command and control server, hosted on a common shared hosting provider.
Researchers said they first came across this service after they discovered a new ransomware sample on VirusTotal.
During an analysis of this new ransomware, which they initially nicknamed CryptoBlock, researchers observed the ransomware communicating with a domain at filecrypter[.]in.
Servers like this are usually called command and control (C&C) servers, and they house the ransomware's backend, to which the malware sends decryption keys and information on each victim.
In most cases, C&Cs run on machines with no public-facing server frontend. This time around, the Malwarebytes team was surprised to find not only a public website, but also a website advertising a Ransomware-as-a-Service offering, called FileCrypter Shop.
From the countdown timer shown on the site's front page, it was clear to researchers that CryptoBlock's author was still working on the RaaS service.
Since the server wasn't properly set up, researchers managed to map some of the hosted files.
According to Malwarebytes, these were simple tutorials that were part of a "Learn PHP game." Since accessing the content of the PHP files wasn't possible, researchers googled the names of these files.
This led them to several PasteBin pages, where they could see what was inside some of these files. With access to the code, it didn't take long for the Malwarebytes team to find a security flaw, which they could exploit.
And they did. Researchers used the flaw they'd discovered to leak the content of the crook's config.php, which contained information such as the MySQL database name, username, and password.
Ironically, these credentials were also the same for the crook's entire hosting account, including cPanel, SSH, and the email server.
With this information in hand, researchers created copies of the crook's entire infrastructure, and are now ready to pass it to authorities in case the crook launches his FileCrypter RaaS.
Furthermore, since the crook had worked on his service for at least three months, researchers were able to extract a list of IP addresses that accessed the RaaS backend on a regular basis. The Malwarebytes team believes that one or more of these IPs will lead them back to CryptoBlock's author.
Unfortunately, researchers can't be sure of his identity, as the hosting provider allowed the CryptoBlock author to register with only an email address (which researchers believe is a fake, and not the crook's real email).
The Malwarebytes blog includes more screenshots from the crook's hosting panel, including images related to server activity logs, ransomware operation, and even a database table full of stolen credentials from adult sites.