Kraken Ransomware Disguises Itself As Legitimate Anti-Spyware Software

Everything isn’t always what it seems. This is something we have come to know and accept. However, when we download a program that is supposed to protect us, that is what we expect it to do. Apple users were recently duped by Adware Doctor, which positioned itself as an adware prevention tool but was actually spying on user behavior. Now, hackers have used the name and logo of SuperAntiSpyware, an anti-malware tool, to trick users into downloading the ransomware dubbed Kraken.

Kraken Uses Security Program Name and Logo to Spread to Unknowing Victims

To be clear, SuperAntiSpyware is a legitimate anti-malware tool. However, Kraken stole the company’s logo and name to target users. The only difference between the Kraken and the legitimate program’s executable file names is one letter: SuperAntiSpyware uses SUPERAntiSpyware.exe, while Kraken uses SUPERAntiSpywares.exe. Users who downloaded the legitimate program are not impacted by this. However, those who downloaded the malicious file would see a variety of their files encrypted.

Once a user opts to download SUPERAntiSpywares.exe, the malicious executable begins to run. It will only be blocked from running if the user employs a security solution that uses an application whitelist, or if blacklist-based antivirus vendors have updated their blacklists to include SUPERAntiSpywares.exe.
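As an added illustration (not code from this article, PC Matic or SUPERAntiSpyware), the Python below shows why a default-deny allowlist keyed by file hash blocks the one-letter lookalike regardless of its name or icon, and also flags near-miss names for an analyst; the "known-good" bytes and hash are constructed placeholders, not real SUPERAntiSpyware values.

```python
# Added example, not code from the article or from PC Matic / SUPERAntiSpyware:
# a default-deny allowlist keyed by file hash, plus a lookalike-name flag.
# The "known-good" bytes and their hash below are constructed placeholders.
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Allowlist: executable name -> SHA-256 of the known-good binary (constructed).
ALLOWLIST = {
    "SUPERAntiSpyware.exe": sha256_hex(b"constructed stand-in for the genuine binary"),
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a single insertion separates the two names in the article."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name: str, data: bytes) -> str:
    """'allow' only when both name and hash match; everything else is blocked.
    Blocked binaries are tagged 'block-lookalike' when their name is within edit
    distance 2 of an allowlisted name (SUPERAntiSpywares.exe, or a trojanized
    copy reusing the exact name), which is worth an analyst's look."""
    if ALLOWLIST.get(name) == sha256_hex(data):
        return "allow"
    if any(levenshtein(name.lower(), k.lower()) <= 2 for k in ALLOWLIST):
        return "block-lookalike"
    return "block-unknown"

if __name__ == "__main__":
    print(classify("SUPERAntiSpyware.exe", b"constructed stand-in for the genuine binary"))
    print(classify("SUPERAntiSpywares.exe", b"constructed malicious bytes"))
```

Because the decision rests on the hash, a blacklist entry for the file name alone would not be needed, and renaming the malicious file would not help it pass.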

If the file is allowed to run, it will first check that the device is not located in certain geographical areas; for instance, if the device is in Iran or Brazil, the ransomware will not execute. Assuming you are in a location the attackers have deemed acceptable to encrypt, the malware will scan the device for files with a variety of extensions, including .jpeg, .doc, .zip, etc. Once these files are found, they are renamed with the file name 00000000-Lock.onion and encrypted.
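The rename behavior described above gives defenders a simple host-side signal. As an added example (not from the article), this Python detector counts renames to the 00000000-Lock.onion name within a one-minute window over constructed file events; the event format and the sample paths are assumptions, not real telemetry.

```python
# Added example, not code from the article: spot a burst of renames to the
# "00000000-Lock.onion" name the article describes, in constructed file events.
import re
from datetime import datetime, timedelta

KRAKEN_NAME = re.compile(r"00000000-Lock\.onion$", re.IGNORECASE)

# Constructed sample events, "timestamp|old_path|new_path" (not real telemetry).
SAMPLE_EVENTS = r"""
2018-10-30T10:00:01|C:\Users\a\Pictures\1.jpeg|C:\Users\a\Pictures\00000000-Lock.onion
2018-10-30T10:00:01|C:\Users\a\Docs\q.doc|C:\Users\a\Docs\00000000-Lock.onion
2018-10-30T10:00:02|C:\Users\a\Docs\r.zip|C:\Users\a\Docs\00000000-Lock.onion
2018-10-30T10:00:02|C:\Users\a\Docs\s.doc|C:\Users\a\Docs\00000000-Lock.onion
2018-10-30T10:03:00|C:\Users\a\Docs\draft.doc|C:\Users\a\Docs\final.doc
"""

def kraken_rename_times(events: str) -> list:
    """Timestamps of renames whose new path carries the Kraken lock name."""
    times = []
    for line in events.strip().splitlines():
        ts, _old, new = line.split("|")
        if KRAKEN_NAME.search(new):
            times.append(datetime.fromisoformat(ts))
    return sorted(times)

def max_burst(times: list, window_s: int = 60) -> int:
    """Largest number of matching renames inside any window_s-second window."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > timedelta(seconds=window_s):
            start += 1
        best = max(best, end - start + 1)
    return best

def is_kraken_burst(events: str, threshold: int = 3) -> bool:
    """Alert when one host renames >= threshold files to the lock name in a minute."""
    return max_burst(kraken_rename_times(events)) >= threshold

if __name__ == "__main__":
    print("Kraken-style rename burst:", is_kraken_burst(SAMPLE_EVENTS))
```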

At this time, there is no free option for decrypting files that have been locked by the Kraken ransomware. The only way users can restore locked files is through their backups.


10 thoughts on “Kraken Ransomware Disguises Itself As Legitimate Anti-Spyware Software”

  1. This is old news. I downloaded SUPERAntiSpyware four years ago — and it was immediately quarantined by all four of my computer’s security software suites: AVG, IObit Malware Fighter, Webroot and even the built-in Windows Defender.

    SUPERAntiSpyware has been flagged and quarantined as malware for at least four years (if not longer). I find it incredible that people are still downloading it.

  2. I downloaded the SUPERAntiSpyware program a few weeks back, before knowing about the fake. I tried it a couple of days and didn’t think I would be interested and uninstalled it, so I think. Recently I have noticed a couple of odd files that show up when I run the Windows 10 device troubleshooter: SASKUTIL and SASDIFSV keep showing up saying “no driver found” for either file. I don’t have the SUPERAntiSpyware program anymore, but from what I read when looking these files up, they are part of this program, or are they a normal part of Windows? I don’t know if they are from the legit program or the fake, and I don’t know why the troubleshooter is identifying them. How would I get rid of these files, or do I need to worry about them? My computer runs awfully slow and freezes up a lot; that is why I tried the SUPERAntiSpyware program in the first place. I have run SFC, Spybot, Windows Defender and malware on the computer and it finds nothing….
    Any advice? Thanks

    • Since you no longer have the program on your computer, it would be difficult to determine if you downloaded the malicious version. If you happened to download the malicious version, the ransomware would have executed within a short amount of time — entirely locking your computer and/or files and demanding a payment. Why don’t you go to http://www.pcmatic.com/consumer and run the free download of PC Matic. It will do a complete scan of your computer and let you know if it finds anything. If it does, you would have to pay the license fee ($50) to fix. But this would at least allow you to see if our software would find anything.

      Please let us know if we can be of any further assistance.

    • PC Matic’s whitelist-based protection would block this ransomware as an unknown even if it uses a legitimate program’s name and logo. Our customers are protected!

    • PC Matic’s protection, Super Shield, uses a whitelist-based approach. This means that anything that is not known good to us is blocked before it can run. In this case, even though the name and image are from a legitimate program, the software itself is different and unknown and would be blocked before it can be executed and installed.
