During the weekend, Kraken Cryptor ransomware version 2.0.6 was released and infected victims. This version is being distributed via malvertising and the RIG exploit kit. Kraken will connect to the BleepingComputer site during different stages of its encryption process. In the new version, the URL “https://2no.co/2SVJa5,” which belongs to the service IPlogger. IPlogger allows a user to create a shortened URL and to track statistics on how many times it has been used. At the time of writing this article, the new version has infected over 200 victims. The shortened URL would redirect to Google in the past, however it now redirects victims to the BleepingComputer website. During the first encryption stages, the ransomware calls the “smethod_4” function with the shortened URL and the string “Begin.” According to researchers, “The smethod_4 will then connect to the shortened URL using the user agent ‘Kraken web request agent/v2.0.6’ and with a referrer containing various information, including the passed status argument, which in the above case is ‘Begin’”. Once encryption is finished, Kraken will connect to BleepingComputer again via the shortened URL, however this time, the status is the “End:” string with the total amount of encrypted files appended to it. The creators of the ransomware can then utilize the IPlogger service to check the statistics of the victims that connected to the shortened URL. Users are advised to ensure that they have working backups and that their security software is updated.
