Threat Spotlight - Encryptor RaaS Update

The rise of the Internet has given birth to a million shady 'get rich quick' schemes, but among the most intriguing and concerning trends to emerge from the dark web in recent years is the rising popularity of turnkey ransomware kits, known as ‘Ransomware as a Service’, or RaaS for short.

Ransomware as a Service is something near and dear to my heart. I followed it very closely in a past life [1] and continue my ‘obsession’ to this date. Essentially, RaaS malware kits enable anyone with an Internet connection to sign up and build/deploy a piece of unique ransomware in just a few easy steps. No technical knowledge is required beyond the ability to set up a Bitcoin or similar account to collect the ransom.

In most cases, the RaaS site owner collects a percentage of the ransom as payment, and/or charges a small fee for the initial setup service. Tox and many other RaaS offerings have come and gone, but a handful are still around, despite the lack of stealth and the ‘obviousness’ of their operating model.

Encryptor RaaS has been around for nearly a year, since mid-2015. This piece of ransomware is available exclusively on an .onion domain on the TOR network. The ransomware author charges a 20% fee for every infected victim who pays the ransom, which is paid in Bitcoin.

The Encryptor RaaS numbers to date are as follows:

Total Number of Victims = 1818
Total Number of Victims Who Have Paid = 8 (0.44% of total users infected)


Figure 1: Encryptor RaaS screenshot (March 2016)

In the grand scheme of things, these are not impressive or successful numbers when compared with, say, CryptoWall, which infected over 625,000 machines in its first five months of operation. But the fact that the Encryptor site is still up and the model is still working is worth noting.

This is especially concerning given that the detection rates of traditional antivirus (AV) vendors are updated every day (via tests against NoDistribute). Detection rates for Encryptor RaaS currently fluctuate between 0/35 and 1/35 among the scanners included in NoDistribute’s test:


Figure 2: NoDistribute’s test results for Encryptor RaaS

The current FAQ and Changes.txt boast some interesting updates as well. Most notably:

2016-02-17: It came to my attention that developers of other ransomware families are using my free file signing service. It's not kind to make financial profit and not even donate to me!

2016-03-09: Code signing is disabled until further notice due to a lack of certificates. I would be glad if I would receive some donations and/or certificates.

2016-03-18: I've got two stolen authenticode certificates for sale. The highest bid wins. It's OK to bid just for one and the end of the auction is not determined yet. (Details: SHA1 and SHA256, both are valid until late 2018, they aren't issued to the same name and I would use them for my service instead if they wouldn't be valid for that long).

And this from Changes.txt:

  • 2016-03-04: Evaded the Bitdefender engine, Avast, AVG and ESET.
  • 2016-03-05: Evaded ESET.
  • 2016-03-06: Evaded ESET and the Bitdefender engine.
  • 2016-03-09: Evaded Avast and ESET. Code signing is disabled until further notice.
  • 2016-03-10: Evaded AVG, Dr. Web, ESET, the Bitdefender engine and MSE.
  • 2016-03-11: Evaded Avast and ESET. Just screw you, ESET. Can you imagine, how much you're annoying the hell out of me?
  • 2016-03-13: Evaded Avast, Dr. Web and ESET.
  • 2016-03-17: Evaded AVG, ESET and the Bitdefender engine.

When you study the available information, it just tells us that this lab experiment/malware is still being actively developed, albeit with a very low adoption or success rate. Attempts to evade traditional AV products and technologies are adjusted almost daily.

Technical Details: 

Encryptor RaaS utilizes a combination of RSA-2018 and RC6 (varies), with each file being encrypted with a unique key. A list of encrypted file extensions is as follows:

0     -0     000     001     002     003     004     005     006     007     008     009     1     -1     10     -10     11     -11     12     -12     13     -13     14     -14     15     -15     16     -16     17     -17     18     -18     19     -19     2     -2     2fs     3     -3     3dm     3ds     3g2     3gp     4     -4     5     -5     6     -6     7     -7     7z     8     -8     9     -9     aac     abbu     abw     accdb     adr     ahk     ai     aif     alt     ape     apk     arc     arv     as     asc     asf     ashdisc     asm     asmx     asp     aspx     asx     aup     avi     ba0     backup     bak     bas     bbb     bc     bc!     bcmx     bdb     bde     bdf     bdg     bdi     bdk     bdl     bdm     bdmv     bdsproj     bdw     bdx     bee     ben     bes     bex     bexpk     bf     bf2     bfa     bfb     bfe     bff     bgz     bhx     bib     bibtex     bik     bkf     bkp     bks     bkup     bmp     bpl     bpn     bson     btd     bz2     c     c++     cad     cadp     caf     cbu     cc     cda     cdf     cdi     cdr     cdx     cer     cert     cfc     cfg     cfm     cgi     chk     chr     class     cnt     cod     conf     cpio     cpp     crd     crt     crypt7     cs     csproj     csr     csv     cue     d64     data     db3     dbf     dbt     dbx     dcp     dds     ddz     del     dem     deviceids     df     dfd     dfproj     dia     dir     diz     dlc     dmg     doc     docm     docx     dot     dqy     dsb     dsn     dta     dtr     dtv     dwg     dxf     ebk     eddx     edoc     elfo     eml     emlx     enc     eps     epub     es     es~     ex4     exp     fdb     fdf     ff1     ffa     ffl     ffo     ffs_db     fft     ffu     ffx     fh10     fh11     fi2     fig     fil     flac     flg     flp     flv     fmd     fpt     ftp     gam     gar     gbc     gcode     gho     ghs     gid     gif     gla     gpg     gpx     gz     h     h++     hbk     hdd     hds     hex     hpp     hst     htc     hwp     
hwp     ico     ics     idml     idx     if     iff     imb     img     imh     iml     imm     in0     indd     ini2     int     ipd     iso     isz     iwa     j2k     jad     jar     java     jdb     jks     jmf     jp2     jpeg     jpf     jpg     jpm     jpx     json     jsp     jspa     jspx     jst     k1f     kb1     kcf     kch     kcl     kdb     kdbx     key     keynote     kml     kmz     knt     kpr     lbl     ld     ldif     lib     lic     lis     lpd     ls     ltx     lwp     lyc     lyt     lzma     m3u     m4a     m4v     mab     mar     max     mb     mbox     mcs     md2     mdb     mdbackup     mddata     mde     mdf     mdi     mdinfo     mds     mdw     mdx     mid     mke     mkv     mmf     mnu     mobileprovision     mod     mon     mov     mozeml     mp3     mp4     mpa     mpb     mpeg     mpg     mpj     mpp     mq4     mqh     ms     msf     msg     mso     mta     mts     mus     myd     myf     myi     nam     nap     nba     nbf     nbi     nbu     nbz     nco     nes     net     new     nfo     nick     nng     note     nr     nrg     nri     nru     ns     nzb     oa4     oac     odb     odc     ods     odt     ogg     old     ops     opt     or4     org     otm     ott     ova     ovf     ovpn     oxps     p     p12     p2i     p65     p7     pages     pbi     pct     pdf     pdfx     pehape     pem     pfq     pfx     pgp     php     php3     php4     php5     phps     phpx     phpxx     phtm     phtml     pid     pins     pip     pk     pl     plist     pmd     pmk     pmx     pnf     png     ppdf     pps     ppsm     ppsx     ppt     pptm     pptx     pref     prn     prt     ps     ps1     psd     pspimage     pst     ptn     ptn2     pub     pvm     pwd     pwi     px     py     pym     qbquery     qcn     qcow     qcow2     qt     qxp     r0     ra     rar     raw     rdp     recipients     recipientsbackup0     recipientsbackup1     recipientsbackup2     recipientsbackup3     recipientsbackup4     recipientsbackup5     
recipientsbackup6     recipientsbackup7     recipientsbackup8     recipientsbackup9     rm     rpb     rtf     s     sam     sav     sb     sbf     scv     sdc     sdi     sds     sdx     sdy     secure     seed     sel     seq     set     sfs     sfv     shlb     shs     skb     skd     skp     slf     sln     slt     sme     smk     smm     smp     smr     sms     spb     spi     spro     sql     sqlite     sqlitedb     srp     srt     srv     ssc     ssi     sss     stf     stg     stl     stw     sub     suo     svg     swf     sxw     symbolmap     syncdb     tag     tar     tav     tb3     tc     tdl     tex     tga     thm     tib     tif     tiff     tlx     toast     torrent     tpl     ts     tv     tvc     txt     ucd     ufo     user     val     vbk     vcard     vcd     vcf     vcs     vdi     vfs4     vhd     vhdx     vir     vmc     vmdk     vmx     vob     vsd     vsv     wab     wallet     war     wav     wbk     wbverify     wc     wdseml     webarchive     webm     whtt     wim     win     wlt     wma     wmb     wmv     workflow     wpb     wps     wsb     xdw     xed     xg0     xg1     xg2     xlg     xlk     xlr     xls     xlsb     xlsm     xlsx     xlt     xlw     xoml     xsn     xz     yg0     yg1     yg2     yuv     z     zip     zipx

Encryptor RaaS is also currently capable of signing your generated code via “stolen” Authenticode certificates. The latest update on this can be seen on the site as well:


Figure 3: Stolen Authenticode certificates for sale via a third-party website

Setup Steps:

The basic model for setting up Encryptor RaaS has not changed since its inception:

  1. Enter a BTC address (for payment, and this serves as a unique ID in the Encryptor RaaS system)
  2. Enter price for decryption prior to timeout
  3. Enter price post-timeout
  4. Enter timeout
  5. Enter number of files that can be decrypted for free
  6. Enter custom filename
  7. Toggle code signing (currently unavailable)
  8. Toggle UAC behavior/level


Figure 4: Input fields for Encryptor RaaS setup


Upon generation, you are provided with a W32 EXE file with the name of your choice:


Figure 5: Final output of the Encryptor RaaS application.

Upon execution, decryption instructions are written to the user’s %TEMP% directory as 'readme_liesmich_encryptor_raas.txt' ('liesmich' is German for ‘read me’). The victim's default browser is then opened to the corresponding decryptor/message site via URL:


Figure 6: Screenshot of ransom message displayed to Encryptor RaaS victims.

It is also important to note that like many other recent ransomware families (including Locky), Encryptor RaaS will directly target and delete VSS (Volume Shadow Copies) on the victim's machine via the following command: 

            cmd.exe /c vssadmin Delete Shadows /Quiet /All

Encryptor RaaS also attempts to modify local proxy settings and appears to detect various virtual environments to evade analysis.
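
Added example (not from the original post or from any vendor tooling): a minimal triage pass over process-creation and file-creation events that flags the shadow-copy deletion command and the ransom-note filename described above. The event field names and the sample events are constructed assumptions; map them to your own telemetry schema.

```python
import ntpath

# Ransom-note filename reported on this page (written to %TEMP%).
RANSOM_NOTE = "readme_liesmich_encryptor_raas.txt"

def is_shadow_delete(cmdline):
    """True when vssadmin is asked to delete shadow copies, whether it is
    invoked directly, by full quoted path, or through a cmd.exe /c wrapper."""
    tokens = cmdline.lower().replace('"', " ").split()
    for i, tok in enumerate(tokens):
        if ntpath.basename(tok) in ("vssadmin", "vssadmin.exe"):
            args = tokens[i + 1:]
            return "delete" in args and "shadows" in args
    return False

def triage(events):
    """Return (host, reason) for every event matching either indicator."""
    hits = []
    for ev in events:
        if ev["type"] == "process_create" and is_shadow_delete(ev["command_line"]):
            hits.append((ev["host"], "vss_delete"))
        elif (ev["type"] == "file_create"
              and ntpath.basename(ev["path"]).lower() == RANSOM_NOTE):
            hits.append((ev["host"], "ransom_note"))
    return hits

# Constructed sample events (field names are assumptions, not a real log schema).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws-01",
     "command_line": "cmd.exe /c vssadmin Delete Shadows /Quiet /All"},
    {"type": "process_create", "host": "ws-02",
     "command_line": r'"C:\Windows\System32\VSSADMIN.EXE" delete shadows /all /quiet'},
    {"type": "process_create", "host": "ws-03",
     "command_line": "vssadmin list shadows"},  # read-only query, must not match
    {"type": "file_create", "host": "ws-01",
     "path": r"C:\Users\alice\AppData\Local\Temp\readme_liesmich_encryptor_raas.txt"},
    {"type": "file_create", "host": "ws-03",
     "path": r"C:\Users\bob\Documents\readme.txt"},
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(host, reason)
```

Because each generated binary is unique, these behavioural indicators stay stable where file hashes do not; a host that shows both hits in close succession deserves immediate isolation.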

The decryption site(s) are readily visible as well:


Figure 7: Demo Decryptor site.



Figure 8: Live Decryptor site.

CylancePROTECT® vs. Encryptor RaaS

In-the-wild samples of Encryptor RaaS will be unique based on the nature of the service. This is a handicap for traditional endpoint AV technologies. Because each piece of Encryptor RaaS software is unique depending on the parameters set by the service user, AV vendors can’t build exact detection. Generic detection is also a challenge, given the risk of false positives that must be weighed.

Let’s take a look at the current detection rates provided by the Encryptor RaaS author via NoDistribute:


Figure 9: Results of NoDistribute vs. Encryptor RaaS

35 different AV products were run on the Encryptor RaaS .exe file, but only one product detected it (the single detection was a heuristic hit). Think about that: one single detection on a very ‘obvious’ piece of malware that has been available free for nearly a year, for any and all to analyze and mitigate against. (This is not the first blog on this threat either.)

The bottom line is that there is no reason whatsoever why current AV/endpoint technologies are missing this. To compare, I uploaded my own copy of Encryptor RaaS to NoDistribute to see how the results compared with the daily test by the malware author.

Sure enough, I have the exact same [2] results!!!!


Figure 10: Encryptor RaaS detection results on NoDistribute.

In contrast, CylancePROTECT detects all the code generated as Encryptor RaaS, even though it uses models developed prior to the creation of the malware.

Here are the results of a single detection scan by CylancePROTECT. As you can see, CylancePROTECT both detected and blocked Encryptor RaaS, despite never having ‘seen’ this particular iteration of Encryptor before:


Figure 11: Encryptor RaaS detection results in CylancePROTECT.

Believe the Math!


[2] Scanning with a different, more ‘mainstream’ service still resulted in a 5/54 detection ratio