Encryptor RaaS
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Threat Level: | 80 % (High) |
| Infected Computers: | 18 |
| First Seen: | July 30, 2015 |
| Last Seen: | August 12, 2022 |
| OS(es) Affected: | Windows |
Encryptor RaaS refers to a family of threats that is part of a Ransomware as a Service (RaaS) operation. Cyber hackers have set up a system that allows third parties to pay for a service that creates ransomware infections to distribute on their botnets or through other means. Ransomware operations require work in collecting payments, delivering decryption keys and distributing profits. The Encryptor RaaS operation offers to take care of all these services, as well as providing the Encryptor RaaS malware itself, and keeps 20% of the profits from these attacks.
The Similarities Between Encryptor RaaS and Its Predecesor, Tox
In recent months, PC security analysts had received reports of another RaaS operation named Tox. Tox was for sale by its owner, meaning that this new Encryptor RaaS may be the result of this. Encryptor RaaS is substantially less sophisticated than Tox. Although effective, Encryptor RaaS is not as well implemented both from the point of view of the threat itself and the service Encryptor RaaS provides to other people. One particular characteristic of Encryptor RaaS is that Encryptor RaaS seems to contain references to DLL files associated with Java. This means that Encryptor RaaS may be the first ransomware infection created using Java.
Characteristics Shared by All Variants of Encryptor RaaS
There may be, effectively, any number of variants of Encryptor RaaS. This is because its nature is such that Encryptor RaaS is designed specifically so that different individuals can create variants of this threat suited specifically to their needs. Once Encryptor RaaS is installed, it encrypts files on the victim's computer based on their files' extension. The extensions targeted by Encryptor RaaS are listed below:
abw, accdb, ai, aif, arc, as, asc, asf, ashdisc, asm, asp, aspx, asx, aup, avi, bbb, bdb, bibtex, bkf, bmp, bpn, btd, bz2, c, cdi, cer, cert, cfm, cgi, cpio, cpp, crt, csr, cue, c++, dds, dem, dmg, doc, docm, docx, dsb, dwg, dxf, eddx, edoc, eml, emlx, eps, epub, fdf, ffu, flv, gam, gcode, gho, gif, gpx, gz, h, hbk, hdd, hds, hpp, h++, ics, idml, iff, img, indd, ipd, iso, isz, iwa, j2k, jp2, jpf, jpeg, jpg, jpm, jpx, jsp, jspa, jspx, jst, key, keynote, kml, kmz, lic, lwp, lzma, m3u, m4a, m4v, max, mbox, md2, mdb, mdbackup, mddata, mdf, mdinfo, mds, mid, mov, mp3, mp4, mpa, mpb, mpeg, mpg, mpj, mpp, msg, mso, nba, nbf, nbi, nbu, nbz, nco, nes, note, nrg, nri, ods, odt, ogg, ova, ovf, oxps, p2i, p65, p7, pages, pct, pdf, pem, phtm, phtml, php, php3, php4, php5, phps, phpx, phpxx, pl, plist, pmd, pmx, png, ppdf, pps, ppsm, ppsx, ppt, pptm, pptx, ps, psd, pspimage, pst, pub, pvm, qcn, qcow, qcow2, qt, ra, rar, raw, rm, rtf, s, sbf, set, skb, slf, sme, smm, spb, sql, srt, ssc, ssi, stg, stl, svg, swf, sxw, syncdb, tar, tc, tex, tga, thm, tif, tiff, toast, torrent, tpl, ts, txt, vbk, vcard, vcd, vcf, vdi, vfs4, vhd, vhdx, vmdk, vob, wbverify, wav, webm, wmb, wpb, wps, xdw, xlr, xls, xlsx, xz, yuv, zip, zipx
After Encryptor RaaS as encrypted the victim's files, Encryptor RaaS creates a ransom file on the victim's Desktop. The text of the Encryptor RaaS ransom note is both in German and English, and reads as follows:
ATTENTION!
The files on your computer have been securely encrypted by Encryptor RaaS.
To get access to your files again, follow the instructions at:
https://decryptoraveidf7.onion.to/vict?cust=&guid=
ACHTUNG!
Die Dateien auf Ihrem Computer wurden von Encryptor RaaS sicher verschluesselt.
Um den Zugriff auf Ihre Dateien wiederzuerlangen, folgen Sie der Anleitung auf:
https://decryptoraveidf7.onion.to/vict?cust=&guid=
This ransomware infection opens a TOR payment site and demands that the victims make the payment using BitCoins. The people using Encryptor RaaS' services only need to deliver their payment via BitCoin and specify the amount of the ransom in order to create a functional Ransomware attack. One aspect of Encryptor RaaS that is fortunate is that this attack does not delete shadow copies of infected files, meaning that it may be possible to recover converted files using Shadow Explorer or other specialized tools.
