“Although Trojan-Ransom.Win32.Scraper encrypts all files with AES-256 + RSA-2048, in 70%+ cases they can be decrypted because of the errors made during the implementation of cryptography algorithms,” they observe.

Kaspersky Lab does not go into much detail about the encryptor’s flaws, leading some security experts to weigh in on the matter and propose their own explanations.

Scraper, which is written in assembler, uses the Tor network to contact its “owners” and the proxy server polipo. To avoid detection, the encryptor often comes packed with the KazyLoader and KazyRootkit protectors along with UPX. Scraper is commonly distributed to victims via the Andromeda botnet.

Criminals interested in using Scraper to their advantage can purchase the ransomware’s builder for a few Bitcoins on underground markets, such as the now defunct Evolution, which had replaced Silk Road as the top dark web drug trading site. The builder allows criminals to modify certain aspects of the malware, including what payment forms it accepts and whether they want to block the removal of Windows recovery points.

Users who believe they may have been affected by the Scraper ransomware encryptor are encouraged to use Kaspersky Lab’s ScraperDecryptor utility, which will help them decrypt and restore their files.