Kraken Ransomware Masquerades As Legit Software

by

A ransomware program named Kraken Cryptor is disguised as the popular anti-malware program, SuperAntiSpyware. Users are being tricked into installing what they think is anti-malware protection but which is really a wicked app that encrypts their data and demands money in exchange for the key to decrypting it. Here’s how to avoid traps like this…

The Kraken Has Been Released!

In legend and lore, the Kraken is a terrifying beast that can wreak havoc on humanity. On the Internet, it’s pretty much the same, but without all those teeth and tentacles.

It’s bad enough that ransomware exists, but it’s really bad when it pretends to be something good. Somehow, the malicious purveyors of Kraken Cryptor managed to invade SuperAntiSpyware.com and serve up ransomware instead of the anti-malware program that users expected. This is a bad guy’s fondest dream and the worst nightmare of users and anti-malware developers.

Kraken Cryptor is “malware as a service,” a program maintained on a central server and called by Javascript code planted in a web page. It can attack from any page that is vulnerable to code injections from third-party bad actors. There are many such pages. There are plenty of malicious “script kiddies” who need few technical skills to plant Kraken Cryptor in your favorite website’s home page.

Kraken Cryptor first appeared on security researchers’ radar in August. Malware Hunter Team, a group of security researchers, has been tracking Kraken Cryptor since then. The team discovered the disguised version 1.5 of Kraken Cryptor at SuperAntiSpyware’s site on September 14, 2018, and sounded the alarm in a series of Tweets. important to note that Kraken Cryptor is a “new improved” variant of plain old Kraken malware, which is not ransomware. It’s easy to confuse the two. Also important: avoiding Kraken Cryptor is NOT as simple as staying away from SuperAntiSpyware.com.

If you downloaded the legitimate installer (without the “s” at the end) then you are safe; Kraken Cryptor has not infiltrated that file. The legit installer will install Super Anti Spyware as expected. A statement from SuperAntiSpyware.com says that the rogue file was somehow uploaded to their download server, but it was “discovered and removed within several hours.” Kraken Cryptor is now being distributed by “affiliates” using an exploit kit that can be used to host the ransomware on compromised websites.

Curiously, Kraken Cryptor checks the language and location of the target computer and will not encrypt machines located in certain countries; those nations are Armenia, Azerbaijan, Belarus, Estonia, Georgia, Iran, Kyrgyzstan, Kazakhstan, Lithuania, Latvia, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, and Brazil. Yes, you could immunize your PC by moving to Kazakhstan, or changing your location setting to one of the “exempt” nations. But if you do not read and write that nation’s language, it won’t do you any good.

The ransom demanded by Kraken Cryptor is one-eighth (0.125) of a Bitcoin. The price of a Bitcoin fluctuates wildly but as I type this the ransom is about $800 USD.

Kraken Cryptor takes multiple steps to make it impossible to decrypt one’s hostage data without paying the ransom. The only free recovery hope is a recent clean backup copy of your data. You could pay the ransom, but I advise against doing so.

First, there is no guarantee your data will be decrypted if you pay. The promise of a crook is worthless. It would make more sense, from the crook’s perspective, to demand even more money once it is determined that you are willing and able to pay. Second, paying a ransom encourages more ransomware. You could become known as an easy mark, and the target of multiple extortionists.

Kraken Cryptor even displays the same thumbnail icon as the real SuperAntiSpyware. It’s possible that the authors of Kraken Cryptor did one small good deed, but it may just as well have been a mistake. The legitimate installation file for SuperAntiSpyware is named SUPERAntiSpyware.exe. The disguised Kraken Cryptor installation file is named SUPERAntiSpywares.exe. The only difference apparent is the addition of a letter “s” at the end of the filename.

Protecting Against Kraken and Other Forms of Ransomware

Instead, protect yourself against ransomware by a) maintaining current, tested backups of all your important data. Read past blog here 9 good reasons to backup will get you started on the road to painless, automatic backups that are immune to ransomware infection.

Another idea is to use security software that monitors the behavior of all running programs, and blocks any action that might lead to encryption before actual harm is done. MalwareBytes Anti-Malware is one paid security suite that has this “behavior analysis” feature.

But there’s an even better option. Instead of relying on “blacklists” of known viruses, and giving potentially rogue programs a chance to test their mettle against your security software, why not block ALL programs from running, unless they are known to be legit? That “whitelist” approach is implemented in PC Matic’s Super Shield, which only lets known good programs run on your computer.

Have you been sucker-punched by ransomware? If so, how did you handle it? If not, do you think you are vulnerable?

Have a great week!

ZI Staff