The popular torrent uploader “CracksNow” has been caught spreading ransomware. The software and cracks available from CracksNow were repeatedly flagged as malicious, leading some torrent sites to ban the uploader. While it may not seem surprising that downloading software and media from a torrent site could infect your computer with malware, CracksNow has long been considered a trusted file uploader.
CracksNow has held trusted status with many torrent sites; however, it appears that concerns about ransomware in the uploader's files have been around for some time.
In October 2018, in a Reddit thread titled ‘How trustworthy is “cracksnow” on 1337x?’, Reddit user Terraphice commented:
“Cracks now is pretty known for carrying malware. Avoid.”
Reddit user Some0rdinaryIndian said:
“As usual recently I used their patch software on my newly formatted laptop. I had copied some excel, word and pdf files to desktop for some quick work… All those files had got infected with GandCrab 2.0.4 the next day…Luckily the files were still in my HDD… I made sure of this by testing their patch file twice. At first, I didn’t even have the slightest clue that it could be their software. But that’s the truth.”
When browsing discussions and comments related to CracksNow, you will see “GandCrab” ransomware come up repeatedly. GandCrab was first discovered in January 2018 and is one of the most prolific ransomware viruses worldwide. Once the virus infects the computer, it starts collecting information about the user, including the PC name, user name, OS and other data, and creates a unique ransom ID for the user. The virus then starts encrypting the files on the computer, and the user can no longer access these files without a decryption key, which is obtained by paying the ransom.
The user will also see that a ransom note has been placed in every folder that contains their encrypted files. The ransom note includes instructions for how to pay the ransom to receive the decryption key and regain access to their files. Obtaining the key requires that the user download the Tor Browser and follow a link that leads to the attacker’s website. This website is where the user can purchase a key using cryptocurrency. The ransom for the key is usually around $1200.
The Pirate Bay, 1337x and TorrentGalaxy have all banned CracksNow from their platforms.
The 1337x admin said:
“He was banned by myself because I found ransomware in his uploads. I also checked the same uploads from him on a couple other torrent sites and got the same results. I immediately alerted their staff about it so they could investigate and take appropriate action, which they did,”
“I must admit that it is rare for a trusted uploader of this caliber to go rogue. It’s normally new guys that have the infected files. CracksNow was a trusted uploader and had been warned in the past but only for misdemeanors. To the best of our knowledge, the remaining torrents are ransomware free, but his account is due for removal.”