After authorities seized servers belonging to Encryptor RaaS, a Ransomware-as-a-Service cybercriminal website, the operator of the site decided to shut down the whole service and deleted the master decryption key, which would have allowed victims to recover their data. Even if ransomware victims were willing to pay, they couldn’t, since the decryption key had been deleted.
Encryptor RaaS started in July 2015; however, it became a major player only a year later. Cybersecurity firm Trend Micro had conducted research on the website and helped law enforcement authorities seize the servers. According to the company, the Encryptor RaaS admin made a careless mistake: he left one of the servers storing valuable information unprotected online, forgetting to hide it behind the Tor network.
According to Trend Micro, the server named “Encryptor RaaS Decryptor” was easy to find via Shodan, a search engine that indexes internet-connected devices, including IoT (internet of things) devices. The firm added that anyone who knew what to look for could find the server with ease. The security company contacted law enforcement agencies in Europe and in the US, which reached the cloud service provider where the server was hosted and seized it.
After the law enforcement operation, the Encryptor RaaS admin immediately shut down the service. He attempted twice to bring his website back to life over the next four days, but failed. In the meantime, authorities seized three more of his servers. After all this, the operator decided to give up.
As revenge against law enforcement authorities, the cybercriminal announced he wouldn’t help the victims. He released neither the source code nor the master decryption key, either of which could have helped victims recover their data.
By contrast, the operators of the TeslaCrypt ransomware released the master decryption key when they closed down their business, so both the victims who had paid and those who had not could get their data back.
Encryptor RaaS was one of the most popular Ransomware-as-a-Service sites because it took only a five percent cut from its customers, while other providers usually took between 20 and 40 percent. The service received regular updates, and the operator had invested heavily in evading antivirus detection, for example by signing the malware with stolen digital certificates. In addition, Encryptor RaaS offered a Linux variant of the ransomware alongside the Windows version.
Encryptor RaaS is the first Ransomware-as-a-Service site to have been shut down with the help of Trend Micro.
“It’s a fairly new business model, but the fact that it went away so quickly is a reason to be cautiously optimistic that public-private partnerships and LE [law enforcement] actions […] will make it an infeasible business model,” said Rik Ferguson, VP Security Research at Trend Micro. “It doesn’t seem to be a particularly attractive or sustainable model for ransomware. Not if the affiliates are intelligent anyway.”
Recently, Europol published its annual IOCTA (Internet Organised Crime Threat Assessment) report, which shows that the RaaS or CaaS (Crime-as-a-Service) business model is the most popular among cybercriminals. This model provides attackers with the tools and services they need.