Bitter Ransomware Operator Shuts Down Service and Deletes Decryption Master Key


Misconfigured server led to Encryptor RaaS’ downfall.

After law enforcement seized servers belonging to Encryptor RaaS, a Ransomware-as-a-Service cyber-crime portal, the site’s operators decided to close it down for good over the summer and deleted the master decryption key that would have allowed victims to recover their files.

This action by the Encryptor RaaS owner has left countless victims in the unpleasant position of being unable to decrypt their files, even if they were willing to pay.

Trend Micro and law enforcement shut down Encryptor RaaS

According to an investigation from security firm Trend Micro, the Encryptor RaaS service, which launched in July 2015, started to unravel exactly one year later, in July 2016.

The security vendor says the admin was careless and left one of the servers that stored information about the RaaS service exposed directly on the public internet, rather than hidden behind a Tor hidden service.

Trend Micro says that the server, named “Encryptor RaaS Decryptor,” was indexed by Shodan, and anyone who knew what to look for would have found it with little effort.

The security vendor didn’t waste time and tipped off US and European law enforcement agencies, which contacted the cloud provider where the server was hosted and had it seized.

Bitter Encryptor RaaS admin deletes master key

At that point, the Encryptor RaaS admin immediately shut down the service. After two failed attempts in the next four days to revive his portal, and after law enforcement seized three more of his production servers, he finally decided to give it up.

Annoyed that law enforcement had effectively shut down his money-making operation, the crook announced he wouldn’t be releasing anything to help victims: neither the ransomware’s source code nor the master key, which can unlock any of the infected victims’ data.

[Image: Encryptor RaaS shutdown announcements]

As a comparison, when the TeslaCrypt ransomware decided to shut down (for unknown reasons), its operators released the master decryption key, so that victims who didn’t pay could recover their files.

Encryptor RaaS was a very popular service

For the time it was online, Encryptor RaaS was one of the most popular RaaS services, mainly because its creator took only a 5 percent cut, compared to other services that charged between 20 and 40 percent.

Additionally, the service received regular updates, and its creator had invested heavily in anti-AV detection measures, such as the purchase and use of stolen digital certificates to sign the malware.

Encryptor was also popular because, in addition to the Windows variant of the ransomware, the service provided a Linux version for locking web servers.

Is RaaS a successful criminal business model?

Encryptor’s takedown also marks the first time Trend Micro has shut down a RaaS service.

“It’s a fairly new business model, but the fact that it went away so quickly is reason to be cautiously optimistic that public private partnerships and LE [law enforcement] actions […] will make it an infeasible business model,” said Rik Ferguson, VP Security Research at Trend Micro.

“It doesn’t seem to be a particularly attractive or sustainable model for ransomware,” he adds about RaaS services. “Not if the affiliates are intelligent anyway.”

[Image: Encryptor RaaS server available via Shodan]