Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

Kraken Cryptor v1.5 Ransomware (<Number>-Lock.onion)

  • Distribution Method : Remote access through Remote Desktop Protocol(RDP) or Terminal Services
  • MD5 : e2251a00f5d025ee89228720dc5c2f65
  • Major Detection Name : Ransom:MSIL/Kraken.A (Microsoft), Ransom_KRAKEN.THIADAH (Trend Micro)
  • Encrypted File Pattern : <Number>-Lock.onion
  • Malicious File Creation Location :
     - C:\ProgramData\EventLog.txt
     - C:\ProgramData\release.bat
     - C:\ProgramData\Safe.exe
     - C:\ProgramData\sdelete.exe
  • Payment Instruction File : # How to Decrypt Files.html
  • Major Characteristics :
     - Offline Encryption
     - Checks OS language (Russian, Ukrainian etc.) and Geo-IP location to determine the execution.
     - Block processes execution (agntsvcagntsvc, msftesql, mydesktopqos, mysqld, mysqld-nt, sqlagent etc.)
     - Deletes event log (wevtutil.exe clear-log "Analytic", wevtutil.exe clear-log "Application", wevtutil.exe clear-log "DebugChannel", wevtutil.exe clear-log "DirectShowFilterGraph", wevtutil.exe clear-log "DirectShowPluginControl" etc.)
     - Disable system restore (bcdedit /set {default} recoveryenabled No, bcdedit /set {default} bootstatuspolicy ignoreallfailures, wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0, wmic SHADOWCOPY DELETE, vssadmin delete shadows /All)
     - Utilizes SDelete from SysInternals to purge empty disc drive space, disabling possible recovery by file recovery tool.
     - After secure erase, displays fake error message, then shuts down windows after 5 minutes (shutdown /S /F /T 300 /C "Unexpected shutdown due to maintenance break.")