Ransomware is evolving. I hear you cry “Evolving again?” To which I say, “Yes, friends, and you’d better watch out…” Because this time, ransomware is moving from its roots as the tool of criminals and malefactors into a worrying service industry.
A clear line is emerging between ransomware creators and those who distribute ransomware to the wider public. In some quarters, ransomware-as-a-service is advertised as an educational tool. In others, it is simply a means to an end: the ransomware merchant takes a cut of the ransoms received, in one case 20 percent.
— TheCyberSecurityHub (@TheCyberSecHub) February 5, 2017
The proliferation of easy-to-access ransomware kits is a win-win situation for malware developers and distributors. It is utterly abhorrent for just about anyone else. Malware variants have long been sold, and not only to the highest bidder. Commoditized malware distribution networks shouldn’t be a surprise, and Pay-per-Install (PPI) services have long played an integral part in the modern malware marketplace.
Miscreants simply determine the raw number of victim systems (including specific geographical distribution, if desired) that fits within their budget, supply a PPI service with payment and malware executables of the miscreants’ choice, and in short order their malware is installed on thousands of new systems. In today’s market, the entire process costs pennies per target host — cheap enough for botmasters to simply rebuild their ranks from scratch in the face of defenders launching extensive, energetic, take-down efforts. — Measuring Pay-per-Install: The Commoditization of Malware Distribution, IMDEA Software Institute
Ransomware is an obvious choice for criminal development. Given the near-impossibility of recovering files encrypted by well-implemented crypto-ransomware without the attacker’s key, along with an immediate, direct, and pseudonymous payment method in Bitcoin, ransomware-as-a-service (RaaS) has been on the cards for some time.
Independent malware researcher @Xylit0l discovered the Satan ransomware. This variant used RSA-2048 and AES-256 cryptography, making the encrypted files essentially unrecoverable without the private key, at least with current computing power. Despite the strong encryption, Satan was otherwise unremarkable, asking for a ransom of between $500 and $1,500, to be paid in Bitcoin. However, reports indicate that victims who paid did not reliably get their files back, illustrating the danger of dealing with criminals.
— Xylitol (@Xylit0l) January 18, 2017
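To make the “RSA-2048 and AES-256” claim concrete, here is an added example (written for this article, not code from Satan or from any of the researchers mentioned) of the hybrid scheme such ransomware uses: every file gets a fresh random AES-256 key, the file is encrypted with it, and only that key is then wrapped with the operator’s RSA-2048 public key. The type name, function names and the sample plaintext are this example’s own assumptions. The point it demonstrates is that the on-disk blob contains nothing recoverable without the RSA private key, so the only realistic paths back to the data are backups, a mistake in the implementation, or a leaked key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Blob is what gets left on disk in place of one file: the per-file
// AES-256 key wrapped with the campaign's RSA-2048 public key, the GCM
// nonce, and the ciphertext. The structure and field names are assumed
// for this example, not taken from any real sample.
type Blob struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt implements the hybrid scheme: a fresh AES-256 key per file,
// the data sealed with AES-GCM, and the file key wrapped with RSA-OAEP so
// that only the holder of the matching private key can unwrap it.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Blob, error) {
	fileKey := make([]byte, 32) // 32 bytes = AES-256
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Blob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt is the "decryptor" a paying victim is promised. It must unwrap
// the file key with the RSA private key first; any other key fails here,
// before the AES layer is even reached.
func Decrypt(priv *rsa.PrivateKey, b *Blob) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// Demo runs one round trip on a constructed sample file and reports
// whether the right key recovers it and whether a different RSA-2048 key
// (standing in for anyone without the operator's private key) fails.
func Demo() (recovered bool, wrongKeyFails bool, err error) {
	campaignKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	plaintext := []byte("Q3 invoices (constructed sample file contents)")
	blob, err := Encrypt(&campaignKey.PublicKey, plaintext)
	if err != nil {
		return false, false, err
	}
	got, err := Decrypt(campaignKey, blob)
	recovered = err == nil && bytes.Equal(got, plaintext)
	_, err = Decrypt(otherKey, blob)
	wrongKeyFails = err != nil
	return recovered, wrongKeyFails, nil
}

func main() {
	ok, fails, err := Demo()
	fmt.Println("recovered with private key:", ok, "| wrong key fails:", fails, "| error:", err)
}
```

Note that nothing on the victim’s disk helps: the wrapped key is a 256-byte RSA ciphertext, and the AES key exists only in the process’s memory while the file is being encrypted. That is why incident responders go after memory dumps, backups and implementation mistakes (a reused nonce, a key written to a log, a predictable random number generator) rather than trying to brute-force the ciphertext.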
Further investigation revealed that Satan was ransomware-as-a-service, offering a free-to-use ransomware kit. A potential user would only have to register an account on the site before gaining access to the ransomware kit. The ransomware developer only asks that the distributor agrees to part with 30 percent of the revenue generated by the kit. Below is the Satan ransomware login page, complete with the 30 percent fee “contract.”
It is a comprehensive service, too, not stopping with just the ransomware. The Satan RaaS site came with detailed instructions on how to set up a gateway proxy to preserve anonymity, how to make an encrypted dropper, translation services, an account overview page, notes for victim tracking, and a message board.
Is the Satan Ransomware Demonic?
While the threat offered by ransomware varies from strain to strain, it is important to understand how dangerous even a free kit can be.
Cylance completed a comprehensive tear-down of the Satan ransomware. They discovered that “the actual binary is encrypted and contains a lot of anti-debugging and anti-analysis techniques to make dynamic and static analysis difficult. Most likely, malware authors already have a readily available library for these techniques that they include in their malware, since they have been seen in other malwares before.”
The Satan ransomware may well be free, but it is a professionally developed piece of advanced malware being handed to anyone who can fill in a registration form. I’m not even going to pose the questions of responsibility and morality, because I think we can all agree on the answers.
Satan Came With Friends
Satan isn’t the only RaaS out there. Here are seven other services and kits, most of them offering different ransomware in exchange for a cut of the proceeds.
- Tox — One of the first ransomware-as-a-service kits, allowing the creation of an executable that still flies under the radar of major antivirus suites. Retains 20 percent of collected ransoms.
- Fakben — Commands an entry fee of $50. Customers receive access to a wide range of ransomware customization tools. The developers also up-sell their exploit kits, as well as keeping 10 percent of all ransoms received.
- Encryptor RaaS — Takes only a 5 percent cut. As well as this, each victim is assigned an individual Bitcoin address so that payments can be tracked.
- ORX Locker — Instead of the distributor receiving the ransom directly, all payments are processed by a third-party vendor. Furthermore, ORX installs the Tor client on the victim’s machine to facilitate payment.
- AlphaLocker — Considered one of the most professional RaaS kits. The developers sell a combined package of unique ransomware, the master decryptor binary, and an admin panel for as little as $65. As well as this, the ransomware receives regular code updates to stay ahead of antivirus suites.
- Janus — A relatively new RaaS kit. It allows for custom builds of the Petya and Mischa ransomware. Janus features a unique payment system whereby the developers take their cut based upon weekly ransom volumes. Furthermore, the two are bundled: Petya needs administrator rights to overwrite the boot record, and if it cannot get them, Mischa is run instead to encrypt files from a normal user account.
- Hidden Tear — Hidden Tear is the only kit originally designed as an educational tool. The source was posted on GitHub to allow interested parties a chance to understand how ransomware works. Unfortunately, it was repurposed by criminals, and more than 20 variants now exist.
These options represent a serious problem. The bar to entry for advanced ransomware is now extremely low. Furthermore, there is no guarantee that encrypted files will be decrypted once the ransom is paid.
Service Continues As Normal
Cybercrime continues to evolve. The emerging ransomware-as-a-service market illustrates the highly organized, business-oriented approach being applied to malware. Not only has ransomware developed into an easily saleable product (one that can be packaged with other cybercrime and/or hacking products), it is easier than ever to gain access to extremely powerful, truly destructive malware.
Moving forward, the potential for disruption to almost everyone is difficult to gauge. What if it creates an ultra-competitive ransomware black market where the top developers seek to outshine their competitors? We may be facing an unprecedented wave of advanced ransomware. Of course, this is all just hypothetical.
However, the smart (ransom) money says, at the very least, there will be more ransomware coming our way.
Are you worried about ransomware? What about the people distributing it? Do they have a moral responsibility to keep it to themselves? Let us know your thoughts below!
Image Credits: Monkey Business Images/Shutterstock