Kraken Cryptor Added to Fallout Exploit Kit

Kraken Cryptor ransomware is a RaaS (Ransomware-as-a-Service) that was first seen in August of this year, but recently a variant of the Kraken Cryptor ransomware has been added to the Fallout Exploit Kit. Kraken Cryptor was originally distributed via phishing emails, but to boost profits the authors of Kraken Cryptor sold “licensing” to the Fallout Exploit Kit. Kraken communicates with its victims through email rather than through a C&C server, making it harder for authorities to track the operators. The newest version of the ransomware (V.2.0.7) can operate both online and offline. It is written in C# and targets Windows 8, 8.1, and 10. It utilizes AES-128/256 encryption along with other ciphers. It has the ability to encrypt both local hard drives and shared storage devices on a network. It will also download and execute a utility that overwrites all free space on an infected drive with zeros, making recovery more difficult, and it disables the recovery boot option. Attackers purchase the RaaS through an affiliate program that uses the ransomware created by “ThisWasKraken.”

Analyst Notes

In order to avoid being infected by this new variant, users are advised to always be cautious when opening links from unfamiliar sources, which could lead to ransomware. Even if a user receives a link from a familiar source, it is still a good idea to confirm that the sender actually sent the link. A service such as Binary Defense’s typo-squatting monitoring could prevent phishing attacks by showing whether any newly registered domains mirror the company’s. The Binary Defense Vision platform would also help in detecting malicious activity from ransomware such as Kraken Cryptor. Training for employees is always important to make them aware of common phishing attacks, what they could look like, and how to tell if an email is malicious. Security training can also teach employees that when something seems suspicious, they should reconfirm the request via a phone call or a separate email outside the original thread. The Fallout Exploit Kit exploits CVE-2018-8174 and CVE-2018-4878 to deliver its payloads. Users can defend against the Fallout Exploit Kit by keeping systems patched, enforcing the principle of least privilege, securing browsers, enabling firewalls, and employing whitelisting. As always, stay on the side of caution and always confirm.
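The typo-squatting monitoring mentioned above boils down to comparing newly registered domains against the company’s own domain. The following is an added illustration of that check, not Binary Defense’s code: it normalizes common homoglyph substitutions and hyphen insertions, then flags labels within a small edit distance or an exact label under a different TLD. The company domain and the registration feed are constructed sample values.

```python
# Constructed sample data: the monitored brand domain and a batch of
# newly registered domains as a registration feed might deliver them.
COMPANY_DOMAIN = "examplecorp.com"
NEW_REGISTRATIONS = [
    "examplecrop.com",    # transposed letters
    "examp1ecorp.com",    # digit 1 standing in for the letter l
    "exarnplecorp.com",   # "rn" visually mimicking "m"
    "example-corp.com",   # inserted hyphen
    "examplecorp.co",     # same label, different TLD
    "flowershop.example", # unrelated registration
]

# Common look-alike sequences folded back to the letters they imitate.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label):
    """Fold homoglyphs and drop hyphens so visual twins compare as equal."""
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label.replace("-", "")


def is_lookalike(candidate, company=COMPANY_DOMAIN, max_distance=2):
    """True if candidate imitates the company domain but is not the domain itself."""
    candidate, company = candidate.lower(), company.lower()
    if candidate == company or "." not in candidate:
        return False
    cand_label = candidate.rsplit(".", 1)[0]
    comp_label = company.rsplit(".", 1)[0]
    # max_distance=2 suits labels of ~10+ chars; shorter labels need a tighter bound.
    return levenshtein(normalize(cand_label), normalize(comp_label)) <= max_distance


def flag_lookalikes(domains, company=COMPANY_DOMAIN):
    """Return the subset of a registration feed worth an analyst's attention."""
    return [d for d in domains if is_lookalike(d, company)]
```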