How Shodan helped bring down a ransomware botnet

Shodan is a search engine that looks for internet-connected devices. This summer, it was also used by security researchers and law enforcement to shut down a ransomware botnet

Shodan is a search engine that looks for internet-connected devices. Hackers use it to find unsecured ports and companies use it to make sure that their infrastructure is locked down. This summer, it was also used by security researchers and law enforcement to shut down a ransomware botnet.

The Encryptor RaaS botnet offered ransomware as a service, allowing would-be criminals to get their ransomware campaigns up and running quickly without having to write any code themselves, according to a report released last week.

The ransomware first appeared in the summer of 2015. It didn't make a big impact -- in March, Cylance reported that it had just 1,818 victims, only eight of whom had paid the ransom.

But it had a few things going for it that could have spelled success.

Its big selling point was the price, said Ed Cabrera, chief cybersecurity officer at Trend Micro, which released last week's report.

Other ransomware-as-a-service providers charged about 40 percent in commissions, so Encryptor RaaS was a bargain at just 5 percent.

Plus, it billed itself as "fully undetectable," and it had a fair degree of success at evading antivirus detection. It also used valid certificates, and it hid its entire infrastructure inside the Tor network.

A year after its release, only two out of 35 antivirus products were able to detect it, according to NoDistribute, a service that checks malware against the top antivirus products.

The low price may have affected customer service, however.

"There was dissatisfaction with the service and the product that was being offered," said Cabrera. "You need to be able to make enough money to keep the lights on."

But the death stroke came from Shodan.

Security researchers found that one of the Encryptor RaaS servers was mistakenly left unprotected, exposed to the Internet, instead of being anonymized and hidden inside the Tor network.
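The defensive use of Shodan mentioned at the top of this story, checking that your own infrastructure is locked down, is exactly the check that would have caught a server that was supposed to be reachable only over Tor but was answering on the open Internet. As an added example (not code from the article, from Trend Micro, or from Shodan itself), the Python script below audits Shodan host-lookup results against a list of what each host is supposed to expose. It assumes the JSON shape of Shodan's host lookup (a top-level "ports" list plus a "data" list of banners with "port", "transport" and "product"), which is what the official Python library returns from `Shodan.host(ip)`; the records, the addresses (RFC 5737 documentation ranges) and the policy are constructed for the example.

```python
"""Offline audit of Shodan host-lookup results against an expected-exposure policy.

Added example, not code from the article or from Shodan. Input records follow the
shape of Shodan's host-lookup JSON (top-level "ports" plus a "data" list of banners);
the records and policy below are constructed for the example, not real scan data.
Real input would come from shodan.Shodan(api_key).host(ip) in the official library.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    transport: str
    product: str
    kind: str  # "unexpected_port" or "unplanned_host"


# Constructed sample: 203.0.113.10 is a public web server that should expose only
# 443/tcp; 198.51.100.7 was meant to be reachable only as a Tor hidden service, so
# it should not appear in Shodan at all.
SAMPLE_HOST_JSON = r'''
[
  {"ip_str": "203.0.113.10", "ports": [22, 443],
   "data": [
     {"port": 443, "transport": "tcp", "product": "nginx"},
     {"port": 22, "transport": "tcp", "product": "OpenSSH"}
   ]},
  {"ip_str": "198.51.100.7", "ports": [80],
   "data": [
     {"port": 80, "transport": "tcp", "product": "Apache httpd"}
   ]}
]
'''

# Expected-exposure policy (constructed): ip -> set of (port, transport) that may be
# reachable from the Internet. A host absent from the policy should not be reachable.
EXPECTED_EXPOSURE = {"203.0.113.10": {(443, "tcp")}}


def services(record):
    """Yield (port, transport, product) for each banner in a host record, falling
    back to the top-level "ports" list for ports that have no banner entry."""
    seen = set()
    for banner in record.get("data", []):
        key = (banner["port"], banner.get("transport", "tcp"))
        seen.add(key)
        yield key[0], key[1], banner.get("product", "")
    for port in record.get("ports", []):
        if (port, "tcp") not in seen and (port, "udp") not in seen:
            yield port, "tcp", ""


def audit_host(record, policy):
    """Return findings for one host record: every service on a host that is not in
    the policy, and every service on a policy host that the policy does not allow."""
    ip = record["ip_str"]
    allowed = policy.get(ip)
    findings = []
    for port, transport, product in services(record):
        if allowed is None:
            findings.append(Finding(ip, port, transport, product, "unplanned_host"))
        elif (port, transport) not in allowed:
            findings.append(Finding(ip, port, transport, product, "unexpected_port"))
    return findings


def audit(records_json, policy):
    """Audit a JSON list of Shodan host records and return all findings."""
    findings = []
    for record in json.loads(records_json):
        findings.extend(audit_host(record, policy))
    return findings


def main():
    for f in audit(SAMPLE_HOST_JSON, EXPECTED_EXPOSURE):
        print(f"{f.kind}: {f.ip}:{f.port}/{f.transport} {f.product}".rstrip())


if __name__ == "__main__":
    main()
```

On the constructed input the script reports the stray SSH service on the web server and the Apache instance on the host that was never supposed to be reachable at all; a host that should live only behind Tor is simply one with no entry in the policy, so anything Shodan sees on it is a finding.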

"With Shodan, they were able to identify Encryptor RaaS being hosted, and once that was found, they were able to shut it down," said Cabrera.

Law enforcement authorities stepped in and closed one of the systems in June, then three more servers were seized a few days later.

Encryptor RaaS developers called it quits soon after.


"Either they were detected by law enforcement, or they couldn't sustain their business model," he said. "If you have high technical requirements in the malware that you're creating, you need people to do your development and provide the service, you need to keep making money."

In addition, in the criminal marketplace, it's all about the reputation.

"If your customers believe that you have an inferior product or service, you're going to be named and shamed and you'll have to close doors," he said. "If they believe that you've been compromised by law enforcement as well, it puts a damper on business."

The shutdown wasn't all good news for the rest of us, however.

When its operators shut down Encryptor RaaS, they wiped the master decryption key.

Victims of the ransomware whose files had been encrypted no longer had any way to get those files back -- even if they paid the ransom.

It's yet another example that businesses shouldn't count on being able to just pay a ransom to get their data back, and need to put more effort into preventing the infection in the first place, said Cabrera.

Stories by Maria Korolov