Shodan is a search engine that looks for internet-connected devices. Hackers use it to find unsecured ports and companies use it to make sure that their infrastructure is locked down. This summer, it was also used by security researchers and law enforcement to shut down a ransomware botnet.

The Encryptor RaaS botnet offered ransomware as a service, allowing would-be criminals to get up and going quickly with their ransomware campaigns, without having to write code themselves, according to a report released last week.

The ransomware first appeared in the summer of 2015. It didn’t make a big impact — in March, Cylance reported that it had just 1,818 victims, only eight of whom had paid the ransom.

But it had a few things going for it that could have spelled success. Its big selling point was the price, said Ed Cabrera, chief cybersecurity officer at Trend Micro, which released last week’s report.

Other ransomware-as-a-service providers charged about 40 percent in commissions, so Encryptor RaaS was a bargain at just 5 percent. Plus, it billed itself as “fully undetectable,” with a fair degree of success in evading antivirus detection, using valid certificates, and using the Tor network to hide its entire infrastructure.

A year after its release, only two out of 35 antivirus products were able to detect it, according to NoDistribute, a service that checks malware against the top antivirus products.

The low price may have affected customer service, however.

“There was dissatisfaction with the service and the product that was being offered,” said Cabrera. “You need to be able to make enough money to keep the lights on.”

But the death stroke came from Shodan.

Security researchers found that one of the Encryptor RaaS servers was mistakenly left unprotected, exposed to the Internet, instead of being anonymized and hidden inside the Tor network.

“With Shodan, they were able to identify Encryptor RaaS being hosted, and once that was found, they were able to shut it down,” said Cabrera.

Law enforcement authorities stepped in and closed one of the systems in June, then three more servers were seized a few days later.

Encryptor RaaS developers called it quits soon after.

“Either they were detected by law enforcement, or they couldn’t sustain their business model,” he said. “If you have high technical requirements in the malware that you’re creating, you need people to do your development and provide the service, you need to keep making money.”

In addition, in the criminal marketplace, it’s all about the reputation.

“If your customers believe that you have an inferior product or service, you’re going to be named and shamed and you’ll have to close doors,” he said. “If they believe that you’ve been compromised by law enforcement as well, it puts a damper on business.”

The shutdown wasn’t all good news for the rest of us, however.

When its operators shut down Encryptor RaaS, they wiped the master decryption key.

Victims of the ransomware whose files had been encrypted no longer had any way to get those files back — even if they paid the ransom.

It’s yet another example that businesses shouldn’t count on being able to just pay a ransom to get their data back, and need to put more effort into preventing the infection in the first place, said Cabrera.