When law enforcement noticed the servers of Encryptor, a popular Ransomware-as-a-Service (RaaS) cyber-crime portal, its operator got angry and decided to take the service down once and for all. This would have been good news if he hadn’t deleted the master decryption key as well, taking away any opportunity for the victims to retrieve their lost data.
Deleting the key meant that the victims would never recover their files even if they were ready to pay the ransom demanded.
An investigation by security firm Trend Micro reveals that the Encryptor RaaS service appeared in July 2015 and started to unravel in July 2016, exactly one year later. The company also says that Encryptor’s operator wasn’t too careful about protecting his servers, which contained information about the operation. He left one of them neither hidden behind the Tor service nor otherwise protected.
According to Trend Micro, the server was named “Encryptor RaaS Decryptor” and it was easily discoverable via Shodan. Without wasting any time, the security vendor notified the US and European law enforcement agencies, which contacted the cloud provider where the server was hosted and had it seized.
Encryptor’s operator then took the whole service down immediately. He did, of course, try to fix the problem over the next couple of days, but after two unsuccessful attempts and three more of his servers being found, he finally gave up.
Angered by the fact that he couldn’t prevail and his lucrative operation had been shut down, the crook announced that he wouldn’t help the victims in any way. He refused to release the master key or the ransomware’s source code, leaving the victims in a very unpleasant position. He posted a message saying that if anyone wants their files back, they should pay quickly or else they will never recover their data.
Before it was taken down, Encryptor RaaS was a very popular service among cybercriminals. The main reason for this is that the author took only a 5% cut for himself, compared to other similar services asking for 20% to 40%. Beyond that, the service was updated on a regular basis and its creator had invested heavily in anti-antivirus measures, such as stolen digital certificates. Last but not least, what contributed to the service being so popular was the fact that, besides the Windows variant, it also had a Linux version.
The takedown of Encryptor RaaS is the first time security firm Trend Micro has managed to shut down a service of this kind.
“It’s a fairly new business model, but the fact that it went away so quickly is reason to be cautiously optimistic that public-private partnerships and LE [law enforcement] actions […] will make it an infeasible business model,” said Rik Ferguson, VP Security Research at Trend Micro. “It doesn’t seem to be a particularly attractive or sustainable model for ransomware. Not if the affiliates are intelligent anyway.”