Kelihos Botnet Making Its Return by Distributing Ransomware

Jordan Kadlec

The Kelihos botnet, also known as Waledac, has become one of the primary sources for distributing ransomware over the last few months. After keeping a low profile following takedown attempts back in 2012, Kelihos infections tripled in size in August. Over the last couple of weeks, the botnet has been actively distributing the latest version of Shade ransomware, also known as Troldesh.

[Image: Kelihos Botnet.jpg]

Kelihos Botnet History

The Kelihos botnet is mainly involved in spamming and the theft of bitcoins, and it is also referred to as a spambot because of its spam activity. In September 2011 and March 2012, the botnet was shut down by sinkholing its command-and-control IPs, but after each shutdown a new variant took the place of the old botnet. The latest version is Kelihos.c.

After several takedown attempts, Kelihos kept a very low profile, with its activity focusing on stock pump and dump schemes or pharmaceutical scams. Following each campaign, the botnet would remain dormant for a couple of weeks before appearing again with a different scam. This occurred for several years until last July when Wildfire ransomware was seen being distributed via Kelihos. After the controllers had made nearly $80,000 in one month of distributing Wildfire, they released the encryption key. However, after the Wildfire campaign ended, Kelihos was spotted distributing other ransomware, as well as banking Trojans based on the Zeus source code.

Starting on July 11th of 2016, an aggressive Kelihos campaign took off, growing the botnet from around 8,000 infections per day to around 13,000. The infection rate remained steady for around a month until August 22nd, when 16,000 new infections were registered within three hours. The botnet continued to grow over the next 24 hours, reaching a total of 34,533 infections.

The picture below shows the spike in Kelihos activity on August 22, 2016.

[Image: Kelihos-on-August-22.png, spike in Kelihos activity on August 22, 2016]

Kelihos Delivering Ransomware

Over the last couple of weeks, the operators of Shade ransomware have been using the Kelihos botnet to spread their malware through spam messages. For this particular distribution, the cybercriminals have been using emails that contain a malicious download link. The ransomware, which appends a “.no_more_ransomware” extension to each encrypted file, is downloaded via a zipped JavaScript (JS) file or a Word document. If executed, the JS file downloads and installs the Shade ransomware, while the Word document uses macros to do the same thing. This version of Shade is the first to be distributed via JS files. In some infections, the ransomware also installs a piece of malware named Pony, a program that can find, extract, and export data such as browser passwords, system details, and browsing history.
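The two artifacts described above, the “.no_more_ransomware” extension Shade appends to encrypted files and the zipped JS attachment used to deliver it, are both easy to look for on disk. The scanner below is an added example, not code from the article or from any vendor; the directory layout and the sample files it builds are constructed for the demonstration, and the “.jse” entry in the script-extension set is an assumption not mentioned in the article.

```python
"""Scan a directory tree for two Kelihos/Shade artifacts described above:
files carrying the '.no_more_ransomware' extension and ZIP archives that
contain a JavaScript file. Added example, not the article's own code; the
directory layout and sample files are constructed here for the demo."""
import os
import tempfile
import zipfile

# Extension Shade appends to encrypted files (from the article).
SHADE_EXTENSION = ".no_more_ransomware"
# .js is from the article; .jse (encoded JScript) is an added assumption.
SCRIPT_EXTENSIONS = {".js", ".jse"}


def scan_tree(root):
    """Walk `root` and return lists of paths matching each indicator."""
    findings = {"encrypted_files": [], "zipped_scripts": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(SHADE_EXTENSION):
                findings["encrypted_files"].append(path)
            elif zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    members = [m.lower() for m in zf.namelist()]
                    if any(os.path.splitext(m)[1] in SCRIPT_EXTENSIONS
                           for m in members):
                        findings["zipped_scripts"].append(path)
    return findings


def build_sample_tree():
    """Create a temporary directory populated with constructed sample files."""
    root = tempfile.mkdtemp(prefix="kelihos_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    # Constructed: a file named the way Shade leaves encrypted documents.
    with open(os.path.join(docs, "report.docx" + SHADE_EXTENSION), "wb") as f:
        f.write(b"\x00" * 64)
    # Constructed: a harmless text file that must not be flagged.
    with open(os.path.join(docs, "notes.txt"), "w") as f:
        f.write("nothing to see\n")
    # Constructed: a ZIP attachment carrying a .js member (placeholder body).
    with zipfile.ZipFile(os.path.join(root, "invoice.zip"), "w") as zf:
        zf.writestr("invoice.js", "// placeholder body, not a real script\n")
    # Constructed: a ZIP with only a PDF inside, which must not be flagged.
    with zipfile.ZipFile(os.path.join(root, "brochure.zip"), "w") as zf:
        zf.writestr("brochure.pdf", "%PDF-1.4 placeholder")
    return root


def demo():
    """Build the sample tree and scan it; returns the findings dict."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind)
        for p in paths:
            print("   ", p)
```

Running the block prints one hit under each indicator. In practice the ZIP check belongs at the mail gateway, before the attachment ever reaches a user, while the extension sweep is a cheap way to confirm whether a suspected host has already been encrypted.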

Kelihos has also been used to deliver ransomware such as Hades Locker, CryptFile2 (CryptMix), and MarsJoke (JokeFromMars). Along with delivering ransomware, as mentioned above, the botnet has also spammed banking Trojans such as Panda Zeus, Nymaim, and Kronos.

With its spike in activity back in August and its recent distribution of Shade and other forms of ransomware, Kelihos is expected to stay out of hibernation for the time being. Should cybersecurity experts attempt to shut the botnet down again, it is likely that another, more sophisticated variant will follow.

Deception Technology with WatchPoint’s CryptoStopper

At WatchPoint, we created CryptoStopper, which turns the strengths of ransomware into its weakness. Using deception technology, CryptoStopper sets an unavoidable trap for ransomware. By seeding the network with bait files, CryptoStopper gives ransomware exactly what it's looking for: files to encrypt. At $20/Month/Server, CryptoStopper is the best investment you can make to ensure the cybersecurity well-being of your company for the foreseeable future.
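The bait-file idea above rests on a simple observation: a file nobody legitimately touches should never change, so any change to it is a signal. The monitor below is an added example illustrating that principle; it is not CryptoStopper's code and makes no claim about how that product works. The bait directory, the bait file names, and the simulated encryption step are all constructed for the demonstration.

```python
"""Minimal bait-file (canary) monitor illustrating the deception approach
described above. Added example, not CryptoStopper code; the bait
directory, file names and the simulated encryption are constructed here."""
import hashlib
import os
import tempfile

# Assumed names chosen to sort first and last in a directory listing, so
# a file-by-file encryptor is likely to reach one of them early.
BAIT_NAMES = ["_aaa_budget.xlsx", "_aaa_passwords.docx", "zzz_archive.pdf"]


def sha256_of(path):
    """Return the hex SHA-256 digest of a file's contents."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def seed_bait(directory):
    """Write bait files with random contents; return {path: baseline digest}."""
    baseline = {}
    for name in BAIT_NAMES:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(b"BAIT-" + name.encode() + b"-" + os.urandom(32))
        baseline[path] = sha256_of(path)
    return baseline


def check_bait(baseline):
    """Return a list of (path, reason) for bait files that were disturbed.

    Two conditions are checked: the file is gone (renamed or moved, which is
    what an extension-appending encryptor does) or its contents no longer
    match the baseline (encrypted in place)."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))
        elif sha256_of(path) != digest:
            alerts.append((path, "content changed"))
    return alerts


def simulate_in_place_overwrite(path):
    """Constructed stand-in for an encryptor that rewrites a file in place."""
    with open(path, "wb") as f:
        f.write(os.urandom(64))


def simulate_rename(path, extension=".no_more_ransomware"):
    """Constructed stand-in for an encryptor that appends Shade's extension."""
    os.rename(path, path + extension)


def demo():
    """Seed bait, confirm it is clean, disturb two files, and re-check.

    Returns (alerts_before, alerts_after)."""
    bait_dir = tempfile.mkdtemp(prefix="bait_")
    baseline = seed_bait(bait_dir)
    before = check_bait(baseline)
    paths = list(baseline)
    simulate_in_place_overwrite(paths[0])
    simulate_rename(paths[1])
    after = check_bait(baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

A polling check like `check_bait` is enough to show the mechanism; a production deployment would instead subscribe to filesystem change notifications so the alert fires on the first touched bait file, and would tie the alert to a response such as cutting the offending host's access to the share.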
