Name

Encryptor Raas

Type

ransomware as a Service

Encryption Type

Short Description

The code of the downloaded ransomware of website contains references to GNU for java. This GCJ can be used to compile the java to an executable .

Symptoms

Distribution Method

Usb drives, spam email’s.

Image

More Details

There are Three option given for ransomware tool:

Price of Ransom- total amount of money that is to be paid by infected user to recover their encrypted files.

Price of ransom after timeout- If the user is not able to pay within the specific time limit this option can be used, Usually this will be at a higher stake of value.

Timeout- the total time that is left in order to pay the ransom.

Once the affiliate successfully signs up a Customer ID will be generated and embedded in the generated ransomware executable. This helps the seller to identify which are the victims associated to which affiliate.

The routine of Ransomware:

The code of the downloaded ransomware of website contains references to GNU for java. This GCJ can be used to compile the java to an executable .

Once the ransomware is executed it proceeds by collecting the GUID of the system, then enumerates drives to look for files that it will encrypt. Once this process is done, it starts to look for some particular file types to encrypt based on list in its body. The below given is the full list of targeted file types:

This is programmed in a manner that it avoids encrypting files with the filename “wallet.dat” because this is a Bitcoin wallet file. The infected persons will surely need this in order to complete the ransom that is demanded.

For each ecrypted file the ransomware appends its own 8-byte infection marker, This checks before encrypting the file.

After successfully exploiting the victims device, the malware opens the website” hxxps://decryptoraveidf7.onion.to/vict?cust={customer ID}&guid={machine GUID}” on browser that displays the conten as.