Threat Watch

Fallout Exploit Kit Installs Kraken Cryptor Ransomware

First seen in August 2018 distributing the GandCrab ransomware, the Fallout Exploit kit has recently switched to the Kraken Cryptor ransomware. The Kraken Cryptor ransomware is a RaaS (ransomware as a service) that is currently being distributed by affiliates. Because it is an affiliate system, attackers have been seen distributing the ransomware in many different ways. Earlier this week, the exploit kit was distributing version 1.5. As of October 4th, 2018, the exploit kit can be seen distributing version 1.6. According to researchers, “Victims encounter the exploit kit by visiting compromised sites that redirect them through a series of gateways that ultimately land them on the page hosting the Fallout Exploit kit.” Once installed, the ransomware will encrypt files on the victim’s machine. In previous versions of the ransomware, sequential numbers were used for the filename and would append “Lock.onion.” This version renames the encrypted files with a random name and extension. During the encryption process, the ransomware also creates a ransom note titled “How to Decrypt Files-[extension].html.” This will give the victim instructions on how to contact the attacker and how to pay the desired ransom. There is currently no way to decrypt the files for free at the time of writing this article.

ANALYST NOTES