#1229334: Kraken Cryptor Ransomware Masquerading as SuperAntiSpyware Security Program

Description: The Kraken Cryptor Ransomware is a newer ransomware that was released in August 2018. A new version, called Kraken Cryptor 1.5, was recently released that is masquerading as the legitimate SuperAntiSpyware anti-malware program in order to trick users into installing it.

Kraken Cryptor Ransomware 1.5 masquerading as SuperAntiSpyware
MalwareHunterTeam, who has been tracking Kraken Cryptor since it was released, discovered the new variant this morning. When looking at its entry on VirusTotal, he noticed that VirusTotal was reporting that the Kraken Cryptor installer had been distributed directly from superantispyware.com.

The legitimate SuperAntiSpyware Free installer is named SUPERAntiSpyware.exe. The Kraken Cryptor installer spotted by VirusTotal was named SUPERAntiSpywares.exe. The only difference between the two names is the addition of an "s" to the malicious executable. This malicious executable is no longer available from superantispyware.com.

You can further see how Kraken Cryptor is trying to masquerade as SuperAntiSpyware by utilizing the same icon as shown below.

It is important to note that the SUPERAntiSpyware.exe executable was not compromised and continued to install the legitimate version of SuperAntiSpyware. So users who installed SuperAntiSpyware via the normal links were not affected.

At this point, we do not know how users were being directed to the malicious SUPERAntiSpywares.exe executable. Bleeping Computer has made numerous attempts to contact SuperAntiSpyware via email, phone, and Twitter for comment, but has not received a response at the time of publication.

Disclosure: BleepingComputer.com is an affiliate for SuperAntiSpyware.com and other anti-malware products.

How the Kraken Cryptor Ransomware encrypts a computer
The Kraken Cryptor Ransomware provides good insight into how it encrypts a computer because of an embedded configuration file that is easily exported. This configuration file contains a list of modules and whether each is enabled, processes to stop, the public encryption key, emails, ransom prices, extensions to encrypt, files and folders to be skipped, countries and languages that won't be encrypted, and more.

When executed, the ransomware performs the steps listed below, though not necessarily in the order shown here.

The ransomware will create a file called C:\ProgramData\Safe.exe and execute it. This program will then enumerate a list of all the Event Viewer logs and redirect the output to the C:\ProgramData\EventLog.txt file.

C:\Windows\system32\cmd.exe /c wevtutil.exe enum-logs > "C:\ProgramData\EventLog.txt"
The program will then clear every log listed in EventLog.txt.

Kraken Cryptor will also check the language and location of the victim, and if in the following countries, will not encrypt the computer.

Armenia, Azerbaijan, Belarus, Estonia, Georgia, Iran, Kyrgyzstan, Kazakhstan, Lithuania, Latvia, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, and Brazil
To stop running processes from holding database files open, which would prevent those files from being encrypted, the ransomware terminates the processes listed below.

agntsvcagntsvc, agntsvcencsvc, agntsvcisqlplussvc, dbeng50, dbsnmp, firefoxconfig, msftesql, mydesktopqos, mydesktopservice, mysqld, mysqld-nt, mysqld-opt, ocomm, ocssd, oracle, sqbcoreservice, sqlagent, sqlbrowser, sqlservr, sqlwriter, sqlwb, synctime, tbirdconfig, and xfssvccon
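The steps above leave a process-creation trail that a defender can match on: a helper executed from C:\ProgramData, a wevtutil enumeration redirected into EventLog.txt, and the subsequent log clearing. The following is an added example, not code from the article or from the ransomware, that runs simple rules over constructed Sysmon-style process-creation records (field names Image, CommandLine, ParentImage); the rule names, the sample records and the assumed "wevtutil cl" clearing command are illustrative assumptions.

```python
import re

# Page-specific indicators: the dropped helper and the log enumeration dump.
DROPPED_HELPER = r"c:\programdata\safe.exe"
EVENTLOG_DUMP = r"c:\programdata\eventlog.txt"

# Each rule is a predicate over one process-creation record (a dict using
# Sysmon Event ID 1 field names). Rule names are assumptions for this example.
RULES = {
    "wevtutil_enum_logs_redirected": lambda ev: re.search(
        r"wevtutil(\.exe)?\s+enum-logs\b.*>", ev["CommandLine"], re.I) is not None,
    # Assumes clearing is done via the real wevtutil subcommands "cl"/"clear-log".
    "wevtutil_clear_log": lambda ev: re.search(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\b", ev["CommandLine"], re.I) is not None,
    "programdata_safe_exe": lambda ev: ev["Image"].lower() == DROPPED_HELPER
        or ev["ParentImage"].lower() == DROPPED_HELPER,
    "eventlog_txt_referenced": lambda ev: EVENTLOG_DUMP in ev["CommandLine"].lower(),
}

def match_rules(event):
    """Return the names of every rule the process-creation record trips."""
    return [name for name, pred in RULES.items() if pred(event)]

def triage(events):
    """Return (index, matched rules) for each suspicious record, plus a flag
    that is True when an enumerate-then-clear sequence was seen in order."""
    hits = [(i, match_rules(ev)) for i, ev in enumerate(events)]
    hits = [(i, r) for i, r in hits if r]
    names = [set(r) for _, r in hits]
    seq = any("wevtutil_enum_logs_redirected" in a
              and any("wevtutil_clear_log" in b for b in names[j + 1:])
              for j, a in enumerate(names))
    return hits, seq

# Constructed sample telemetry modelled on the behaviour described above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\ProgramData\Safe.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c wevtutil.exe enum-logs > "C:\ProgramData\EventLog.txt"'},
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "ParentImage": r"C:\ProgramData\Safe.exe",
     "CommandLine": r"wevtutil.exe cl Security"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    hits, sequence_seen = triage(SAMPLE_EVENTS)
    for idx, rules in hits:
        print(idx, rules)
    print("enumerate-then-clear sequence:", sequence_seen)
```

Windows also records the clearing itself (Security event 1102, System event 104), which corroborates a process-level hit from these rules.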
First Aid: IOCs
SHA256: 9c88c66f44eba049dcf45204315aaf8ba1e660822f9e97aec51b1c305f5fdf14
Associated Files:
# How to Decrypt Files.html
Kraken 1.5 Associated Emails:
More info: https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/

