Ransomware is evolving. I hear you cry “Evolving again?” To which I say, “Yes, friends, and you’d better watch out…” Because this time, ransomware is moving from its roots as the tool of criminals and malefactors into a worrying service industry.
Very soon there will be a defined line between ransomware creators, and those who distribute ransomware to the wider public. In some quarters, ransomware-as-a-service is advertised as an educational tool. In others, it is simply a means to an end, as the ransomware merchant collects 20 percent of the ransoms received.
#Ransomware-as-a-Service (RaaS) is now available on the #DarkWeb for 'Educational Purposes' #hacking #cybersecurity #infosec #malware
— TheCyberSecurityHub (@TheCyberSecHub) February 5, 2017
Win-Win
The proliferation of easy-to-access ransomware is a win-win situation for malware developers and distributors. It is utterly abhorrent for just about anyone else. Malware variants have long been sold, and not only to the highest bidder. Commoditized malware distribution networks shouldn’t be a surprise, and Pay-per-Install (PPI) services have long played an integral part in the modern malware marketplace.
Miscreants simply determine the raw number of victim systems (including specific geographical distribution, if desired) that fits within their budget, supply a PPI service with payment and malware executables of the miscreants’ choice, and in short order their malware is installed on thousands of new systems. In today’s market, the entire process costs pennies per target host — cheap enough for botmasters to simply rebuild their ranks from scratch in the face of defenders launching extensive, energetic, take-down efforts. — Measuring Pay-per-Install: The Commoditization of Malware Distribution, IMDEA Software Institute
Ransomware is an obvious choice for criminal development. Given the almost unparalleled difficulty of removing a crypto-ransomware infection, along with the immediate, direct, and essentially untraceable payment method of Bitcoin, ransomware-as-a-service (RaaS) has been on the cards for some time.
Satan
Independent malware researcher @Xylit0l discovered the Satan ransomware. This variant used RSA-2048 and AES-256 cryptography, making it essentially unbreakable, at least with current computing power. Despite the extremely strong encryption, Satan was otherwise unnoteworthy, asking for a ransom of between $500 and $1,500, to be paid in Bitcoin. However, research shows that the Satan ransomware distributors didn’t actually make good on their side of the deal once a ransom was paid, illustrating the danger of dealing with criminals.
New #RaaS https://t.co/wbqn2GOuvo pic.twitter.com/skTTNCDbod
— Xylitol (@Xylit0l) January 18, 2017
Further investigation revealed that Satan was ransomware-as-a-service, offering a free-to-use ransomware kit. A potential user would only have to register an account on the site before gaining access to the ransomware kit. The ransomware developer only asks that the distributor agrees to part with 30 percent of the revenue generated by the kit. Below is the Satan ransomware login page, complete with the 30 percent fee “contract.”
It is a comprehensive service, too, not stopping with just the ransomware. The Satan RaaS site came with detailed instructions on how to create a gateway proxy to assure anonymity, how to make an encrypted dropper, translation services, an account overview page, notes for victim tracking, and a message board.
Is the Satan Ransomware Demonic?
While the threat offered by ransomware varies from strain to strain, it is important to understand how dangerous even a free kit can be.
Cylance completed a comprehensive tear-down of the Satan ransomware. They discovered that “the actual binary is encrypted and contains a lot of anti-debugging and anti-analysis techniques to make dynamic and static analysis difficult. Most likely, malware authors already have a readily available library for these techniques that they include in their malware, since they have been seen in other malwares before.”
The Satan ransomware may well be free, but it is a professionally developed piece of advanced malware being unleashed into the hands of children. I’m not even going to pose the questions of responsibility and morality, because I think we can agree they are both moot.
Satan Came With Friends
Satan isn’t the only RaaS out there. There are at least eight other services, offering different ransomware kits and demanding a cut.
- Tox — One of the first ransomware-as-a-service kits, allowing the creation of an executable that still flies under the radar of major antivirus suites. Retains 20 percent of collected ransoms.
- Fakben — Commands an entry fee of $50. Payees receive access to a wide range of ransomware customization tools. The developers also up-sell their exploit kits, as well as keeping 10 percent of all ransoms received.
- Encryptor RaaS — Offers potential users a minimal 5 percent retainer. As well as this, each victim is designated an individual Bitcoin address to keep track of payments.
- ORX Locker — Instead of directly receiving the ransom, all payments are processed by a third-party vendor. Furthermore, ORX installs the TOR client to facilitate payment.
- Ransom32 — A step above its “competitors,” offering a JavaScript ransomware to its customers. Users can also opt to target the victims’ system performance during the encryption process. The payload is 22 MB, which is rather large. However, as it is written in JavaScript, Windows, Mac, and Linux users can be targeted.
- AlphaLocker — Considered one of the most professional RaaS kits. The developers sell a combined package of unique ransomware, the master decryptor binary, and an admin panel for as little as $65. As well as this, the ransomware receives regular code updates to remain ahead of antivirus suites.
- Janus — A relatively new RaaS kit. It allows for custom builds of the Petya and Mischa ransomware. Janus features a unique payment system whereby the developers take payment based upon weekly ransom volumes. Furthermore, the ransomware is bundled: if Petya fails to install, an attempt will be made with Mischa.
- Hidden Tear — Hidden Tear is the only kit originally designed as an educational tool. The source was posted on GitHub to allow interested parties a chance to understand how ransomware works. Unfortunately, it was hijacked, and more than 20 variants now exist.
These options represent a serious problem. The entry bar for advanced ransomware is now extremely low. Furthermore, there is no guarantee that encrypted files will be returned once the ransom is paid.
Service Continues As Normal
Cybercrime continues to evolve. The emerging ransomware-as-a-service market illustrates the highly organized, business-orientated approach being applied to malware. Not only has ransomware developed into an easily saleable product (one that can be packaged with other cybercrime and/or hacking products), it is easier than ever to gain access to extremely powerful, truly destructive malware.
Moving forward, the potential for disruption to almost everyone is difficult to gauge. What if it creates an ultra-competitive ransomware black market where the top developers seek to outshine their competitors? We may be facing an unprecedented tranche of advanced ransomware. Of course, this is all just hypothetical.
However, the smart (ransom) money says, at the very least, there will be more ransomware coming our way.
Are you worried about ransomware? What about the people distributing it? Do they have a moral responsibility to keep it to themselves? Let us know your thoughts below!
Image Credits: Monkey Business Images/Shutterstock