Kraken Ransomware Upgrades Distribution with RaaS Model

Affiliates pocket 80 percent of every ransom payment.

The Kraken ransomware author has released a second version of the malicious code, along with a unique affiliate program on the Dark Web.

According to research into Kraken v.2, the new version is being promoted in a ransomware-as-a-service (RaaS) model to underground forum customers, via a video demoing its capabilities. Those interested can complete a form and pay $50 to join an affiliate program as a trusted partner. As affiliates, customers are given a new build of Kraken every 15 days, with updated payloads aimed at evading detection.

“We have seen ransomware criminals become more agile in their development cycle – quickly repairing any flaws pointed out by the security industry,” said John Fokker, head of cyber-investigations at McAfee, via email. “Where these repairs used to take about a week, it now only takes a day or sometimes even hours for them to adapt their ransomware. That’s why now more than ever it’s critical that businesses keep their security solutions updated, run regular back-ups and avoid clicking on links or opening attachments with emails from unknown senders.”

Recorded Future’s Insikt Group and McAfee’s Advanced Threat Research team are credited for the Kraken v.2 research.

Insikt Group’s analysis showed that affiliates receive 80 percent of the paid ransom. After the victim pays the full amount, the affiliate member sends 20 percent of the received payment to the RaaS to get a decryptor key, which is then forwarded on to the victim.

Insikt Group also pointed out that affiliates must follow certain terms and conditions. For example, the program can reject any member or candidate without explanation, and submitting Kraken sample files to antivirus services is forbidden. The service also provides no refunds for purchased payloads.

Kraken is one of the most popular up-and-coming RaaS offerings on the market, Fokker said, adding that the stats provided by its authors to affiliates show that it has spread to 620 victims worldwide, despite having been in wide distribution only since mid-August. Kraken’s first real campaign effort, however, came only last month, when it was seen masquerading as a security solution on the website SuperAntiSpyware.

“Its growth underlines that ransomware-as-a-service continues to be a profitable business model and a cybercrime threat to be reckoned with,” Fokker said.

In September, researchers learned that Kraken had also been added into the Fallout exploit kit to up the ante on distribution.

“In the initial underground postings, it looked as if Kraken was still figuring out its business model, but Kraken has evolved since then by partnering with other key cybercrime services and being very communicative in the underground scene,” Fokker explained to Threatpost. “Success creates success. As long as the new RaaS groups get enough room and safety to grow and optimize their operations, it will be a profitable market and attract new players on the market. By offering it as a service, they make cybercrime available to the masses.”

The new approach dovetails with the overall trend of cybercriminals working together, he explained to Threatpost. The researcher added that while ransomware families overall are decreasing, RaaS and affiliate programs are growing among big players such as GandCrab, Scarab and the Obama ransomware.

“By working with trusted parties, RaaS developers can offer their affiliates an even easier way to profit from ransomware,” Fokker said. “This is a trend we are seeing steadily develop because affiliates no longer have to build partnerships themselves and thus they minimize their overall risk.”

Andrei Barysevich, director of Advanced Collection at Recorded Future, added that the as-a-service trend will continue to broaden the range of cyber-threats targeting businesses.

“The rapid adoption of Kraken Cryptor by the cybercriminals demonstrates that even the most simplistic ransomware, when coupled with reliable customer support, can quickly gain momentum,” he said. “There is a large number of unskilled criminals, who find the maintenance of ransomware infrastructure challenging or risky; however, they are eager to participate in more simplistic campaigns. Similar to 2017 we are beginning to notice an uptick in ransomware offers across many criminal communities and expect that 2019 will become a year of targeted attacks, both on businesses and high net-worth individuals alike.”
