Kraken Ransomware: What To Do If You’re Infected


What is Kraken Ransomware?

The Kraken Cryptor ransomware was first discovered in August of 2018. It was part of a new wave of ransomware that used an affiliate ‘business’ model to license the malware to threat actors for mutual financial gain. According to McAfee, the Kraken Cryptor ransomware has links to Russia, much like GandCrab, but to this date, the software engineers’ identities are unknown.

Kraken’s malware authors operated a ‘ransomware-as-a-service’ (RAAS) offering, meaning the hackers would license the malware to threat actors for a small charge. A 20% charge was also due after the victims paid up. The malware writers would only release the decryption key after being paid the fee.

In return, threat actors would receive updated malware revisions every 15 days to bypass any fixes developed by cybersecurity specialists and to keep the payload undetectable by antivirus and anti-malware software.

In total, nine versions of Kraken Cryptor have been identified, and all versions targeted vulnerable Windows operating systems using the Fallout Exploit Kit. The Fallout EK targeted weaknesses in Adobe Flash Player and the Visual Basic Script engine (VBScript) to inject malicious code from malware advertisements.

How Does Kraken Cryptor Work?

The very early versions of Kraken Cryptor spread using malvertising on rogue websites. Spam email campaigns with malware-infected attachments were also prevalent. The advertisements either tricked the user into downloading the malware application or injected the malware directly.

Kraken developers infiltrated an anti-malware site called SuperAntiSpyware, hijacking legitimate downloads with the Kraken malware. Masquerading as legitimate websites and software is not an overly common practice, and without a doubt, this method of delivery intensified the impact of Kraken ransomware.

The user base of affected victims was unusually broad with Kraken, especially among users who had not updated their operating systems and antivirus to the latest levels of protection. The Fallout Exploit Kit is especially nasty and allowed Kraken to spread rapidly with a high infection rate.

Once a system is compromised, the first task the malware executes is to delete all system event logs, most likely to reduce the evidence of how the Fallout EK works and mask the identity of the threat actors involved.

System restore points, VSS shadow copies, Windows backups, and startup recovery features are then deleted or disabled. The malware then proceeds to encrypt all non-system files, naming each with a numeric string and adding the “-lock.onion” file extension.

A ransom note is copied into nearly all folders on the compromised system, and the system wallpaper is changed. Demand for ransom payment is in bitcoin to a collection of bitcoin wallets. The ransom varies per Kraken victim; ransoms of up to $7500 have been reported, and some of the ransom payment bitcoins were subsequently laundered via the BitCoin Penguin online casino.
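As an added defensive example (not code from the original post), here is a small Python triage script that flags the behaviours described in the preceding paragraphs over constructed sample data: cleared event logs, shadow copy, backup and startup-recovery tampering, and files renamed with the -lock.onion extension. The simplified log format and the specific Windows command lines matched (vssadmin, wbadmin, bcdedit) are assumptions, since the post does not name them; map them to your own SIEM's fields.

```python
# Added example, not from the original post: flags the Kraken behaviours described
# above in constructed sample data. Log format and command lines are assumptions.
import re
# Constructed sample events, simplified to "EventID|Channel|Detail" (assumed format)
SAMPLE_LOGS = [
    "4688|Security|New process: C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "4688|Security|New process: C:\\Windows\\System32\\wbadmin.exe delete catalog -quiet",
    "4688|Security|New process: C:\\Windows\\System32\\bcdedit.exe /set {default} recoveryenabled no",
    "1102|Security|The audit log was cleared.",
    "104|System|The System log file was cleared.",
    "4688|Security|New process: C:\\Windows\\System32\\notepad.exe",
]
SAMPLE_PATHS = [  # constructed; Kraken renames files to a numeric string plus -lock.onion
    r"C:\Users\bob\Documents\0123456789-lock.onion",
    r"C:\Users\bob\Documents\9876543210-LOCK.ONION",
    r"C:\Users\bob\Documents\budget.xlsx",
]

# (rule name, event id, regex on the detail field), one per behaviour the article lists
RULES = [
    ("shadow_copy_deletion", "4688", re.compile(r"vssadmin\.exe.*delete\s+shadows", re.I)),
    ("backup_catalog_deletion", "4688", re.compile(r"wbadmin\.exe.*delete\s+catalog", re.I)),
    ("startup_recovery_disabled", "4688", re.compile(r"bcdedit\.exe.*recoveryenabled\s+no", re.I)),
    ("security_log_cleared", "1102", re.compile(r"log was cleared", re.I)),
    ("system_log_cleared", "104", re.compile(r"log file was cleared", re.I)),
]
LOCK_EXT = "-lock.onion"  # extension named in the article


def match_log_lines(lines):
    """Return (rule_name, line) for every line that triggers a rule; skip malformed lines."""
    hits = []
    for line in lines:
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        event_id, _channel, detail = parts
        hits.extend((name, line) for name, wanted, rx in RULES
                    if event_id == wanted and rx.search(detail))
    return hits


def count_locked_files(paths):
    """Count files carrying the -lock.onion extension, case-insensitively."""
    return sum(1 for p in paths if p.lower().endswith(LOCK_EXT))


def triage(lines, paths):
    """Combine both signals: two or more tampering rules plus locked files is high confidence."""
    names = sorted({name for name, _ in match_log_lines(lines)})
    locked = count_locked_files(paths)
    return {"rules_hit": names, "locked_files": locked, "likely_kraken": len(names) >= 2 and locked > 0}
```

Run `triage(SAMPLE_LOGS, SAMPLE_PATHS)` to see all five rules fire against the constructed data; a single cleared-log event alone is not enough to raise the verdict.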

The Kraken Cryptor is written in the C# programming language; this is unusual, as it makes it very easy to understand how the malware operates. Files are encrypted using the AES-128/256, RSA, Salsa20 and RC4 ciphers, making decryption without the master key impossible. To this date, no one has successfully cracked the Kraken encryption method without paying the ransom.

How Do I Prevent Kraken Ransomware?

The Kraken ransomware payload is delivered by exploiting two known vulnerabilities in the Windows operating system via Adobe Flash and VBScript back doors. The only way to combat this is to ensure that the computer infrastructure is patched and updated with the very latest Windows updates. If possible, disable Adobe Flash Player on your system; in new operating system updates, Windows has started blocking Flash by default.

Educating users regarding web surfing best practices is a great way to limit the impact of any strain of ransomware. Kraken spread using malvertising, which is prevalent in the “underbelly” of the internet, including websites like P2P sites, BitTorrent sharing sites, and free software or “warez” sites, to name a few.

Backups are an essential strategy to stay one step ahead of the threat of ransomware. Often the only way to roll back from a ransomware outbreak is to restore the system from a backup. Having the ability to restore an entire computer infrastructure from backup or being able to leverage a disaster recovery solution can significantly mitigate the risk associated with ransomware.

Several additional standard measures should be taken to protect yourself from ransomware infection:

  • System Inventory – One of the first steps to follow, particularly if you are a business, is to complete an inventory of all your business assets. This list will include all digital assets such as servers, desktops, laptops, network equipment, and digital infrastructure. Cataloging assets you own will allow you to create a baseline to work towards system restoration if any systems are infected.
  • Risk Analysis – Conduct a cybersecurity risk analysis using the baseline created with the system inventory. This process will allow you to identify security weaknesses and create a priority list of what to fix first.
  • Disaster Recovery – Create and test a disaster recovery plan, including a scenario where a total outage is the result of ransomware. This might be a high-availability DR setup in a secondary site or with a cloud provider.
  • Penetration Testing – This is a technique of testing external and internal computer infrastructure against all known vulnerabilities. Pen testing and vulnerability scanning will generate a list of recommended fixes needed to harden the infrastructure.

How Do I Remove Kraken Ransomware?

There is no known decryptor for the Kraken ransomware, and unless you have a viable backup of the server, the only way you get your data back is by paying the ransom. Payment of ransom is the last resort, and we do not recommend paying the ransom unless all other options have been exhausted.

If you are in the difficult position of not having a backup, and you urgently need your files, the incident response experts at Tetra Defense can help. Our incident response firm prioritizes restoration to get businesses back to where they were before the ransomware attack.

We approach ransomware restoration and investigations simultaneously so you can return to normal business operations while you are getting answers. Our teams are standing by to focus on what matters most: your business!

We survey the ransomware outbreak and perform an initial assessment to identify the best course of action. If deemed necessary, we can conduct ransom negotiation and, if needed, can facilitate payment.

We remove the threat from your system and conduct malware scans and network threat hunting. Each incident is leveraged to learn from the ransomware attack and discover the root cause of the event. Once the decryption keys are obtained, we decrypt the data and get systems restored to full functionality as quickly as possible.

Example of Kraken Ransom Note

Screenshot of the Kraken ransom note

Get Help with Kraken Ransomware

If you’re ready to get help removing Kraken ransomware from your critical systems, contact Tetra’s incident response team today. We will reach out for an assessment and build a plan to get your systems up and running once again.
