Researchers have unearthed a new cryptocurrency ransomware scheme that implicates a group of Russian-speaking hackers into stealing large sums of Bitcoin (BTC) from unsuspecting victims – and laundering the stolen funds on an obscure cryptocurrency gambling site, reported TheNextWeb.
The cunning scheme, named Kraken Cryptor, was discovered by security experts from Inskit Group and McAfee.
First spotted in August 2018, the malicious service got the attention of experts after it disguised as legitimate antivirus software and distributed from the compromised website of SuperAntiSpyware. Kraken Cryptor has also previously been linked to the notorious Fallout exploit kit.
The researchers note that Kraken Cryptor relied on an affiliate program which incentivizes participants to spread the virus by offering them a cut from the Bitcoin ransom payments.
This technique, commonly known as ransomware-as-a-service (RaaS), is especially popular among dark web users. The research notes that Kraken Cryptor affiliate program exclusively uses Bitcoin as ransom currency. The ransom amounts tend to range from around $500 (0.075BTC) to $8,000 (1.25BTC).
According to TheNextWeb, the researchers have been able to link back the stolen cryptocurrency to little-known Bitcoin casino, BitcoinPenguin. The experts speculate the hackers have opted for BitcoinPenguin due to its non-existent identity verification procedures, which make it a perfect money-laundering tool.
Kraken Cryptor requires all potential affiliate partners to pay $50 per payload and offers no refunds; its program also reserves all rights to reject any member or candidate without any explanation – at any point. In return, affiliates are promised 80% of the paid ransom.
While the hackers conducted most of their business on Russian dark web forums, the researchers’ analysis of their nationality is inconclusive at best. The study notes that the hackers spoke Russian and English, but often made mistakes in both; this suggests the attackers were neither English or Russian native speakers.
It should be noted that the hackers forbid affiliate partners from targeting a bunch of countries from the former Soviet bloc; the list includes: Armenia, Azerbaijan, Belarus, Estonia, Georgia, Kyrgyzstan, Kazakhstan, Lithuania, Latvia, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.