Researchers Infiltrate C&C Server Behind CryptoBlock Ransomware

A command and control (C&C) server used for operating the CryptoBlock ransomware family has also been hosting stolen user credentials and other malware families, researchers say.

According to researchers from Malwarebytes Labs, who managed to gain access to the malicious server, the ransomware appears to still be under development at the moment, but is believed to have the potential of becoming a major threat. The malicious operation could even evolve into a RaaS (Ransomware as a Service), the researchers believe. 

A note on the domain informs wannabe-criminals that the RaaS will be live soon, but it appears that some users have already been infected with this malware (although the distribution mechanism isn’t clear as of now). The ransomware, however, is completely obfuscated with ConfuserEX, which is difficult to unravel, researchers say.

The security experts decided to have a look at the ransomware’s server, which they acquired during previous research, and which revealed, among other .php pages, a config.php file that included the actor’s login credentials for the server. Specifically, the file revealed “the complete master credentials (username and password) to the entire CryptoBlock server, valid for every email, database, SSH, cPanel, and more,” Nathan Scott, Malwarebytes Labs Lead Malware Intelligence Analyst, notes.

Courtesy of these, the researchers gained complete access to a threat actor’s overseas server, which allowed them to copy all of the data there, including databases, PHP files, and the personal information used to rent the server. However, because the hosting company only required an email address to host the server, and because the email was fake, the researchers couldn’t learn more on the actor.

Server logs, however, revealed that the ransomware might have already infected quite a few people, and that there were “a few IP addresses from Europe that have been visiting this server by the thousands since it was brought up.” These, the researchers say, might be the real IPs used by the threat actor owning the server while testing the malware (the most accessed part of the server was a PHP page that is used by the debug build of the ransomware server).

The server was also found to host a full database of stolen credentials from “Pay for Porn” sites, and the database of ransomware users (with IDs, BTC addresses, payments, and keys). Moreover, it revealed that the threat actor applied for a Blockchain API account, and was denied, and that other malware was being distributed from it as well.

“The threat actor is also distributing an exploitable Ammyy Admin executable from the server. It seems they either may be scamming people into letting them onto the machine remotely, or they are simply running it silently as a malicious drive-by. The file on the server is called test.exe,” Scott explains.

Related: Attackers Leave Server Credentials in Ransomware’s Code

Related: Ransomware Module Found in Shamoon 2.0

Related: New Unlock26 Ransomware and RaaS Portal Discovered

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire: