
Encryptor RaaS

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 18
First Seen: July 30, 2015
Last Seen: August 12, 2022
OS(es) Affected: Windows

Encryptor RaaS refers to a family of threats that is part of a Ransomware as a Service (RaaS) operation. Its operators have set up a system that lets third parties pay for a service that builds ransomware infections for them to distribute on their botnets or through other means. Running a ransomware operation takes work: collecting payments, delivering decryption keys and distributing profits. The Encryptor RaaS operation offers to handle all of these tasks, in addition to providing the Encryptor RaaS malware itself, and keeps 20% of the profits from the resulting attacks.

The Similarities Between Encryptor RaaS and Its Predecessor, Tox

In recent months, PC security analysts have received reports of another RaaS operation named Tox. Tox was put up for sale by its owner, so Encryptor RaaS may be the result of that sale. Encryptor RaaS is substantially less sophisticated than Tox. Although effective, it is not as well implemented, both as a threat and as a service offered to other people. One particular characteristic of Encryptor RaaS is that it seems to contain references to DLL files associated with Java, which would make it the first ransomware infection created using Java.

Characteristics Shared by All Variants of Encryptor RaaS

There may be, effectively, any number of variants of Encryptor RaaS, because the service is designed specifically so that different individuals can create variants of this threat suited to their needs. Once Encryptor RaaS is installed, it encrypts files on the victim's computer based on their file extensions. The extensions targeted by Encryptor RaaS are listed below:

abw, accdb, ai, aif, arc, as, asc, asf, ashdisc, asm, asp, aspx, asx, aup, avi, bbb, bdb, bibtex, bkf, bmp, bpn, btd, bz2, c, cdi, cer, cert, cfm, cgi, cpio, cpp, crt, csr, cue, c++, dds, dem, dmg, doc, docm, docx, dsb, dwg, dxf, eddx, edoc, eml, emlx, eps, epub, fdf, ffu, flv, gam, gcode, gho, gif, gpx, gz, h, hbk, hdd, hds, hpp, h++, ics, idml, iff, img, indd, ipd, iso, isz, iwa, j2k, jp2, jpf, jpeg, jpg, jpm, jpx, jsp, jspa, jspx, jst, key, keynote, kml, kmz, lic, lwp, lzma, m3u, m4a, m4v, max, mbox, md2, mdb, mdbackup, mddata, mdf, mdinfo, mds, mid, mov, mp3, mp4, mpa, mpb, mpeg, mpg, mpj, mpp, msg, mso, nba, nbf, nbi, nbu, nbz, nco, nes, note, nrg, nri, ods, odt, ogg, ova, ovf, oxps, p2i, p65, p7, pages, pct, pdf, pem, phtm, phtml, php, php3, php4, php5, phps, phpx, phpxx, pl, plist, pmd, pmx, png, ppdf, pps, ppsm, ppsx, ppt, pptm, pptx, ps, psd, pspimage, pst, pub, pvm, qcn, qcow, qcow2, qt, ra, rar, raw, rm, rtf, s, sbf, set, skb, slf, sme, smm, spb, sql, srt, ssc, ssi, stg, stl, svg, swf, sxw, syncdb, tar, tc, tex, tga, thm, tif, tiff, toast, torrent, tpl, ts, txt, vbk, vcard, vcd, vcf, vdi, vfs4, vhd, vhdx, vmdk, vob, wbverify, wav, webm, wmb, wpb, wps, xdw, xlr, xls, xlsx, xz, yuv, zip, zipx

After Encryptor RaaS has encrypted the victim's files, it creates a ransom note file on the victim's Desktop. The Encryptor RaaS ransom note is written in both English and German, and reads as follows:

The files on your computer have been securely encrypted by Encryptor RaaS.
To get access to your files again, follow the instructions at:

Die Dateien auf Ihrem Computer wurden von Encryptor RaaS sicher verschluesselt.
Um den Zugriff auf Ihre Dateien wiederzuerlangen, folgen Sie der Anleitung auf:

This ransomware infection opens a TOR payment site and demands that the victims pay using Bitcoin. The people using Encryptor RaaS' services only need to deliver their payment in Bitcoin and specify the amount of the ransom in order to create a functional ransomware attack. Fortunately, this attack does not delete the Shadow Volume Copies of the infected files, so it may be possible to recover the encrypted files using Shadow Explorer or other specialized tools.

