{
	"id": "aa33ceab-1e78-4e4f-b4ec-9a3efcb54528",
	"created_at": "2026-04-06T00:08:32.655742Z",
	"updated_at": "2026-04-10T03:24:29.590338Z",
	"deleted_at": null,
	"sha1_hash": "bc03564708379ae919f114945ea55191728da520",
	"title": "Kraken Cryptor Ransomware Masquerading as SuperAntiSpyware Security Program",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2447008,
	"plain_text": "Kraken Cryptor Ransomware Masquerading as SuperAntiSpyware\r\nSecurity Program\r\nBy Lawrence Abrams\r\nPublished: 2018-09-14 · Archived: 2026-04-05 13:30:17 UTC\r\nThe Kraken Cryptor Ransomware is a newer ransomware that was released in August 2018. A new version, called Kraken Cryptor 1.5, was recently released that is masquerading as the legitimate SuperAntiSpyware anti-malware program in order to trick users into installing it.\r\nWhat makes it worse, though, is that somehow the attackers were able to gain access to the superantispyware.com site and distribute the ransomware from there.\r\nKraken Cryptor Ransomware 1.5 masquerading as SuperAntiSpyware\r\nMalwareHunterTeam, who has been tracking Kraken Cryptor since it was released, discovered the new variant this morning. When looking at its entry on VirusTotal, he noticed that VirusTotal was reporting that the Kraken Cryptor installer had been distributed directly from superantispyware.com.\r\nhttps://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/\r\nPage 1 of 8\r\nDownload URLs reported by VirusTotal\r\nThe file name of the legitimate SuperAntiSpyware Free installer is SUPERAntiSpyware.exe. The Kraken Cryptor installer spotted by VirusTotal was called SUPERAntiSpywares.exe. The only difference between the two names is the addition of an s to the malicious executable. This malicious executable is no longer available from superantispyware.com. 
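A pre-install check for exactly the two signals above, the one-character lookalike file name and the known-bad hash, as an added example that is not code from the article and not tooling from SuperAntiSpyware or BleepingComputer. The SHA-256 is the one from the article's IOC list; the expected installer name set, the edit-distance cutoff of two, and the constructed byte strings used in the usage are assumptions.

```python
import hashlib
from pathlib import Path

# Known-bad SHA-256 of the Kraken Cryptor 1.5 installer, taken from the article's IOC list.
KNOWN_BAD_SHA256 = {
    '9c88c66f44eba049dcf45204315aaf8ba1e660822f9e97aec51b1c305f5fdf14',
}

# Installer names we expect from this vendor. Assumption: the article names only
# SUPERAntiSpyware.exe; extend the set for other products you download.
EXPECTED_NAMES = {'SUPERAntiSpyware.exe'}

# Names within this many edits of an expected name are treated as lookalikes
# (SUPERAntiSpywares.exe is one insertion away from SUPERAntiSpyware.exe).
LOOKALIKE_MAX_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance: minimum number of single-character insertions,
    # deletions or substitutions turning a into b.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_installer(name: str, data: bytes, known_bad=KNOWN_BAD_SHA256) -> list:
    # Returns a list of findings; an empty list means neither signal fired.
    findings = []
    if sha256_of_bytes(data) in known_bad:
        findings.append('sha256 matches a known Kraken Cryptor sample')
    if name not in EXPECTED_NAMES:
        # Compare case-insensitively: Windows file names are case-insensitive,
        # so a pure case difference is not a lookalike.
        closest = min(EXPECTED_NAMES, key=lambda e: edit_distance(name.lower(), e.lower()))
        d = edit_distance(name.lower(), closest.lower())
        if 0 < d <= LOOKALIKE_MAX_DISTANCE:
            findings.append(f'file name is a near-match of {closest} (edit distance {d})')
    return findings


def check_installer_file(path: str, known_bad=KNOWN_BAD_SHA256) -> list:
    # Convenience wrapper for a file on disk.
    p = Path(path)
    return check_installer(p.name, p.read_bytes(), known_bad)


if __name__ == '__main__':
    # Constructed inputs, not real installers.
    print(check_installer('SUPERAntiSpyware.exe', b'constructed legitimate installer bytes'))
    print(check_installer('SUPERAntiSpywares.exe', b'constructed lookalike installer bytes'))
```

A hash match only catches this exact sample, so the name check is what generalises; on Windows, also verify the publisher's Authenticode signature (Get-AuthenticodeSignature in PowerShell) before running any installer fetched from a vendor site, since the article shows that the vendor's own download server can serve the malicious file.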
\r\nYou can further see how Kraken Cryptor is trying to masquerade as SuperAntiSpyware by using the same icon, as shown below.\r\nKraken Cryptor executable using the same icon as SuperAntiSpyware\r\nIt is important to note that the SUPERAntiSpyware.exe executable was not compromised and continued to install the legitimate version of SuperAntiSpyware. So users who installed SuperAntiSpyware via the normal links were not affected.\r\nAt this point, we do not know how users were being directed to the malicious SUPERAntiSpywares.exe executable.\r\nBleeping Computer has made numerous attempts to contact SuperAntiSpyware via email, phone, and Twitter for comment, but had not received a response at the time of publication.\r\nDisclosure: BleepingComputer.com is an affiliate for SuperAntiSpyware.com and other anti-malware products.\r\nHow the Kraken Cryptor Ransomware encrypts a computer\r\nThe Kraken Cryptor Ransomware provides good insight into how it encrypts a computer due to an embedded configuration file that is easily exported. This configuration file contains a list of modules and whether they are enabled, processes to stop, the public encryption key, emails, ransom prices, extensions to encrypt, files and folders to be skipped, countries and languages that won't be encrypted, and more.\r\nYou can see a portion of this configuration file below.\r\nPortion of Kraken Cryptor 1.5 configuration file\r\nWhen executed, the ransomware will perform the series of steps listed below, though they may not run in exactly this order.\r\nThe ransomware will create a file called C:\\ProgramData\\Safe.exe and execute it. This program will then enumerate a list of all the Event Viewer logs and redirect the output to the C:\\ProgramData\\EventLog.txt file:\r\nC:\\Windows\\system32\\cmd.exe /c wevtutil.exe enum-logs \u003e \"C:\\ProgramData\\EventLog.txt\"\r\nThe program will then clear all of the logs listed in EventLog.txt.\r\nKraken Cryptor will also check the language and location of the victim and, if the computer is in one of the following countries, will not encrypt it.\r\nArmenia, Azerbaijan, Belarus, Estonia, Georgia, Iran, Kyrgyzstan, Kazakhstan, Lithuania, Latvia, Moldova, Russia, Tajikis\r\nTo prevent processes from keeping databases open and unable to be encrypted, the ransomware will terminate the processes listed below.\r\nagntsvcagntsvc, agntsvcencsvc, agntsvcisqlplussvc, dbeng50, dbsnmp, firefoxconfig, msftesql, mydesktopqos, mydesktopservi\r\nWhen encrypting a computer, it will scan the computer for files with the following extensions.\r\n1cd. 3dm. 3ds. 3fr. 3g2. 3gp. 3pr. 7z. 7zip. aac. ab4. abd. accdb. accde. accdr. accdt. ach. acr. act. adb. adp. ads. agd\r\nIf it encounters a matching file, it will encrypt the file and rename it in the format 00000000-Lock.onion, where the number is incremented for each encrypted file. The original file name is encrypted and stored inside the encrypted file.\r\nA folder of files encrypted by Kraken Cryptor with the -Lock.onion extension appended\r\nWhen encrypting the computer, Kraken Cryptor will create a ransom note named # How to Decrypt Files.html in every folder. This ransom note contains a unique victim key and instructions on how to make a 0.125 bitcoin ransom payment. 
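Detection logic for the behaviour this section describes (Safe.exe inventorying the event logs with wevtutil enum-logs and then clearing each one) and for the release.bat steps described further down (deleting Shadow Volume Copies, disabling startup recovery, deleting Windows backups and zeroing free space with SDelete), as an added example that is not code from the article or from the ransomware. It runs over constructed process-creation events: the tuple layout (parent pid, parent image, command line) stands in for the fields of a Sysmon Event ID 1 or Security 4688 record, the specific release.bat commands are assumed typical commands for the actions the article lists (the article shows that batch file only as a screenshot), and the threshold of three cleared logs is a tuning choice, not something the article states.

```python
from collections import defaultdict

BS = chr(92)  # a single backslash


def win(path: str) -> str:
    # Turn forward slashes into Windows backslashes so the samples read like real telemetry.
    return path.replace('/', BS)


# Constructed events, not telemetry from the article: (parent pid, parent image, command line).
# The wevtutil enum-logs line mirrors the command the article quotes; the vssadmin, bcdedit,
# wbadmin and sdelete lines are an assumption about what release.bat contains.
SAFE = win('C:/ProgramData/Safe.exe')
CMD = win('C:/Windows/System32/cmd.exe')
SAMPLE_EVENTS = [
    (4120, SAFE, 'cmd.exe /c wevtutil.exe enum-logs > ' + win('C:/ProgramData/EventLog.txt')),
    (4120, SAFE, 'wevtutil.exe cl Application'),
    (4120, SAFE, 'wevtutil.exe cl Security'),
    (4120, SAFE, 'wevtutil.exe cl System'),
    (4120, SAFE, 'wevtutil.exe cl Setup'),
    (4120, SAFE, 'wevtutil.exe cl Microsoft-Windows-Sysmon/Operational'),
    (4120, SAFE, 'wevtutil.exe cl Microsoft-Windows-PowerShell/Operational'),
    (5000, CMD, 'vssadmin.exe delete shadows /all /quiet'),
    (5000, CMD, 'bcdedit.exe /set {default} recoveryenabled no'),
    (5000, CMD, 'wbadmin.exe delete catalog -quiet'),
    (5000, CMD, 'sdelete.exe -z C:'),
    (5000, CMD, 'shutdown.exe /r /t 0'),
    (777, CMD, 'wevtutil.exe cl Application'),  # an admin clearing one log: should stay quiet
]

# Token sets (all tokens required) for the recovery-destruction actions the article attributes to release.bat.
RECOVERY_RULES = [
    (('vssadmin', 'delete', 'shadows'), 'shadow copies deleted'),
    (('wmic', 'shadowcopy', 'delete'), 'shadow copies deleted'),
    (('bcdedit', 'recoveryenabled', 'no'), 'startup recovery disabled'),
    (('bcdedit', 'bootstatuspolicy', 'ignoreallfailures'), 'boot failure recovery suppressed'),
    (('wbadmin', 'delete', 'catalog'), 'windows backup catalog deleted'),
    (('sdelete', '-z'), 'free space zeroed with sdelete'),
]

CLEAR_THRESHOLD = 3  # distinct logs cleared by one parent before we call it mass clearing (tuning choice)


def normalize(cmdline: str) -> list:
    # Lower-cased tokens with quotes, directory prefixes and the .exe suffix removed, so that
    # C:\Windows\System32\wevtutil.exe, wevtutil.exe and wevtutil all compare equal.
    out = []
    for tok in cmdline.lower().split():
        tok = tok.strip(chr(34)).rsplit(BS, 1)[-1]
        if tok.endswith('.exe'):
            tok = tok[:-4]
        out.append(tok)
    return out


def detect(events) -> dict:
    # Returns {parent pid: [finding, ...]} for parents that show the behaviours above.
    cleared = defaultdict(set)
    recovery = defaultdict(set)
    findings = defaultdict(list)
    for ppid, _image, cmdline in events:
        toks = normalize(cmdline)
        if 'wevtutil' in toks:
            sub = toks[toks.index('wevtutil') + 1:]
            if ('enum-logs' in sub or 'el' in sub) and '>' in sub and sub.index('>') + 1 < len(sub):
                findings[ppid].append('event log inventory redirected to ' + sub[sub.index('>') + 1])
            for verb in ('cl', 'clear-log'):
                if verb in sub and sub.index(verb) + 1 < len(sub):
                    cleared[ppid].add(sub[sub.index(verb) + 1])
        for required, label in RECOVERY_RULES:
            if all(r in toks for r in required):
                recovery[ppid].add(label)
    for ppid, logs in cleared.items():
        if len(logs) >= CLEAR_THRESHOLD:
            findings[ppid].append(f'mass event log clearing ({len(logs)} logs)')
    for ppid, labels in recovery.items():
        findings[ppid].extend(sorted(labels))
        if len(labels) >= 2:
            findings[ppid].append('recovery destruction sequence (several backup and recovery settings hit by one parent)')
    return dict(findings)


if __name__ == '__main__':
    for ppid, found in detect(SAMPLE_EVENTS).items():
        print(ppid, found)
```

A single wevtutil cl is routine administration, which is why the rule keys on the inventory-then-clear-everything sequence and on several recovery-destruction actions sharing one parent rather than on any single command; the shutdown the article mentions is left out of the rules because it is too common on its own to be a useful signal.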
The contact information provided in the ransom note is shortmangnet@420blaze.it and BM-2cUEkUQXNffBg89VwtZi4twYiMomAFzy6o@bitmessage.ch.\r\nPortion of Ransom Note\r\nThe ransomware will also download SDelete from the Sysinternals site and execute a batch file called release.bat. This batch file will cause SDelete to clear and overwrite all free space on the drive with zeros to make it harder to recover files. It will also cause the computer to shut down, disable Windows startup recovery, delete Windows backups, and delete Shadow Volume Copies.\r\nRelease.bat batch file\r\nThis is all done to make it harder for victims to recover their files.\r\nIt is not possible to decrypt the Kraken Cryptor Ransomware\r\nUnfortunately, at this time there is no way to decrypt files encrypted by the Kraken Cryptor Ransomware variant for free. The only way to recover encrypted files is via a backup or, if you are incredibly lucky, through Shadow Volume Copies. Though Kraken Cryptor does attempt to remove Shadow Volume Copies, in rare cases ransomware infections fail to do so for whatever reason. Due to this, if you do not have a viable backup, I always suggest people try as a last resort to restore encrypted files from Shadow Volume Copies as well.\r\nFor those who wish to discuss this ransomware or need support, you can use our dedicated Kraken Cryptor Ransomware Help \u0026 Support Topic.\r\nHow to protect yourself from the Kraken Cryptor Ransomware\r\nTo protect yourself from Kraken Cryptor, or from any ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.\r\nAs ransomware is also known to be installed via hacked Remote Desktop services, it is very important to make sure they are locked down correctly. This includes making sure that no computers running Remote Desktop Services are connected directly to the Internet. Instead, place computers running Remote Desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.\r\nIt is also important to set up proper account lockout policies so that it is difficult for accounts to be brute-forced over Remote Desktop Services.\r\nYou should also have security software that incorporates behavioral detections to combat ransomware, and not just signature detections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.\r\nLast, but not least, make sure you practice the following good online security habits, which in many cases are the most important steps of all:\r\nBackup, Backup, Backup!\r\nDo not open attachments if you do not know who sent them.\r\nDo not open attachments until you confirm that the person actually sent them to you.\r\nScan attachments with tools like VirusTotal.\r\nMake sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.\r\nMake sure you have some sort of security software installed.\r\nUse strong passwords and never reuse the same password at multiple sites.\r\nIf you are using Remote Desktop Services, do not connect it directly to the Internet. Instead, make it accessible only via a VPN.\r\nFor a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.\r\n9/14/18: Updated story to call it Kraken Cryptor rather than just Kraken.\r\n9/14/18: We received the following statement from SuperAntiSpyware:\r\n\"A malicious file was uploaded to the SUPERAntiSpyware download server as a result of an attempted attack on the server,\" SuperAntiSpyware told BleepingComputer. \"The malicious file was discovered and removed from the server within several hours of the attempt. The server has since been thoroughly scanned and the vulnerability has been corrected.\"\r\nIOCs\r\nHash:\r\nSHA256: 9c88c66f44eba049dcf45204315aaf8ba1e660822f9e97aec51b1c305f5fdf14\r\nAssociated Files:\r\nC:\\ProgramData\\Safe.exe\r\nC:\\ProgramData\\EventLog.txt\r\n# How to Decrypt Files.html\r\nKraken Cryptor 1.5 Associated Emails:\r\nshortmangnet@420blaze.it\r\nBM-2cUEkUQXNffBg89VwtZi4twYiMomAFzy6o@bitmessage.ch\r\nSource: https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/"
	],
	"report_names": [
		"kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434112,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc03564708379ae919f114945ea55191728da520.pdf",
		"text": "https://archive.orkl.eu/bc03564708379ae919f114945ea55191728da520.txt",
		"img": "https://archive.orkl.eu/bc03564708379ae919f114945ea55191728da520.jpg"
	}
}