Ransomware Affiliate Systems Are on the Rise

by Guest Author on August 24, 2017

in Guest Posts, Security

Crypto ransomware keeps taking the world by storm. It props up a multimillion-dollar underground economy that provides cyber-extortionists with abundant resources to fine-tune their modus operandi.

Amidst all the noise surrounding this despicable business model since 2013, the Ransomware-as-a-Service (RaaS) principle is the new black. It renders online extortion increasingly toxic by making ransomware programs readily available to unskilled wannabe cybercriminals.

Essentially, RaaS is a counterpart of the garden-variety affiliate networks, except it’s malicious to the bone. On one side, there are unscrupulous programmers who write customizable ransomware code and set up an intuitive dashboard to tweak the threat’s properties and monitor infection statistics. On the other side are interested parties with evil intentions and the instruments in their hands to distribute the turnkey perpetrating code. The developers get a cut, usually 20%, from the subsequent ill-gotten revenue. The list below provides a rundown on the largest ransomware affiliate platforms to date.

Tox

Tox was one of the earliest Ransomware-as-a-Service systems that brought e-extortion to the masses. First spotted in May 2015, this cradle of digital baddies made it amazingly easy for would-be crooks to launch a blackmail campaign of their own. All it took to get started was to sign up via a dedicated Tor page for free, enter the desired ransom amount, the text of the warning message, and a captcha. The service would then generate a custom 2 MB payload camouflaged as a .scr file. The dev took 20% of all ransoms.

FAKBEN

This RaaS sustained the distribution of CryptoLocker, the prototype of all crypto ransomware as we know it. Unlike Tox, the FAKBEN crew demanded an opening fee of $50 and took 10% of Bitcoins submitted by victims. The proprietors of this network also upsold extra services, including propagation assistance via exploit kits.

Encryptor RaaS

Another ransomware kit called Encryptor RaaS was promoted on a dark web page anonymized through The Onion Router (Tor) technology. It provided three configurable properties for one’s custom ransomware build: the initial price of the ransom, amount after a timeout, and payment deadline in hours. The developer took 20% of the revenue.

ORX-Locker

To get started on an extortion campaign with ORX-Locker, affiliates had to enter a 5-digit build ID and set a ransom size of $75 or higher. Once on a computer, the ransomware downloaded a Tor client behind the victim’s back in order to interact with its C2 server. This platform stood out from the rest as it engaged a third-party entity for payment processing.

Ransom32

The uniqueness of Ransom32 RaaS is that the ransomware kit is coded in JavaScript, which was an unprecedented approach in the extortion ecosystem as of early 2016. Therefore, it could potentially run on Windows, Mac OS X and Linux alike. The infection could be optionally configured to leave a small footprint on a target host during encryption. Ransom32 used the AES-128 cipher to lock one’s data. A considerable shortcoming, though, was that the WinRAR installer took up 22 MB. The developers took 25% of all extorted money.

AlphaLocker

AlphaLocker is one of the most professionally tailored ransomware affiliate systems across the board. Rather than host third-party campaigns, it provides full access to a kit that includes the ransomware build proper, administrative console, and master decryption binary for only $65. The “clients” are free to use the package at their own discretion and can even resell it.

Janus

The makers of the infamous Petya and Mischa ransomware combo set up the Janus Ransomware-as-a-Service platform in mid-May 2016. Interestingly, their share depends on the weekly amount of ransoms extorted by an affiliate. For volumes under 5 Bitcoin (about $17,000) per week, the cut is 25%. It doubles if the earnings are between 5 and 25 BTC. If a would-be victim unknowingly grants administrative privileges to the infection, it drops the MFT-encrypting Petya virus; otherwise, the payload executes the regular file-encoding Mischa Trojan.

Cerber RaaS

Researchers believe the Cerber ransomware is currently dominating the online extortion environment mostly due to the successful implementation of its RaaS network. It has spawned at least 160 independent campaigns since July 2016, earning about $200,000 in gross revenue per month. The developers’ share is 40%.

Philadelphia RaaS

This one is available on the dark web for a one-time fee of $400. It boasts extensive customizability of the ransomware build, where affiliates can define the list of targeted file extensions, add languages, edit ransom notes, and decide whether data on network drives and removable media should be encrypted along with information stored on local drives. The administrative dashboard also contains a mercy button allowing crooks to restore a specific victim’s files without payment.

Ranion

The Ranion RaaS is off the beaten track because it claims to provide ransomware for “educational purposes only,” which is certainly a lie as the infection is actually used to deploy real-world extortion campaigns. Ranion features a flexible pricing model, where the fee amounts to 0.6 BTC ($2,000) for six months, and 0.95 BTC ($3,200) per year.

FileFrozr

A competitive advantage of the FileFrozr RaaS is that the promoted ransomware goes equipped with the Windows tool called Cipher.exe. This way, the perpetrating program wipes free disk space so that forensic software is unable to restore erased shadow copies of a victim’s files. The payload is a JavaScript file masqueraded as a PDF document.
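The two FileFrozr traits described above (a free-space wipe via Cipher.exe and a script payload disguised as a PDF) are both visible in process-creation telemetry. The following detection logic is an added example written for this post, not code from the original article or from any vendor: it scans constructed, Sysmon-style process-creation records and flags `cipher.exe` launched with the `/w:` wipe switch, and a Windows script host (`wscript.exe`/`cscript.exe`) opening a file with a document-looking double extension. The record layout and the sample events are assumptions.

```python
import re

# Constructed sample events (not real telemetry). Each line flattens a
# process-creation record into key=value fields separated by "|".
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\cipher.exe|CommandLine=cipher.exe /w:C:\\|ParentImage=C:\\Windows\\System32\\wscript.exe",
    "Image=C:\\Windows\\System32\\wscript.exe|CommandLine=wscript.exe C:\\Users\\alice\\Downloads\\invoice.pdf.js|ParentImage=C:\\Program Files\\Mail\\mail.exe",
    "Image=C:\\Windows\\System32\\cipher.exe|CommandLine=cipher.exe /e C:\\Users\\alice\\secret|ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe report.txt|ParentImage=C:\\Windows\\explorer.exe",
]

# cipher.exe /w:<dir> overwrites unused disk space; legitimate use is rare
# outside of decommissioning, so it is a strong ransomware precursor signal.
CIPHER_WIPE = re.compile(r"(^|\s)/w:", re.IGNORECASE)
# A document extension immediately followed by a script extension, e.g. invoice.pdf.js
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.(js|jse|vbs|wsf)(\"|\s|$)", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def parse_event(line):
    """Split one flattened record into a dict of field name -> value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def classify(event):
    """Return the list of detection names that fire for one parsed event."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    alerts = []
    if image == "cipher.exe" and CIPHER_WIPE.search(cmdline):
        alerts.append("free-space-wipe")
    if image in SCRIPT_HOSTS and DOUBLE_EXT.search(cmdline):
        alerts.append("double-extension-script")
    return alerts


def scan(lines):
    """Map the index of each alerting record to its detections."""
    hits = {}
    for idx, line in enumerate(lines):
        alerts = classify(parse_event(line))
        if alerts:
            hits[idx] = alerts
    return hits


if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(alerts)}")
```

Only the wipe invocation and the script-host launch of `invoice.pdf.js` should fire; the `cipher.exe /e` encryption call and the notepad launch are benign and are left alone.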

MacRansom

As the name suggests, MacRansom allows ne’er-do-wells to run campaigns targeting Macs. The “leaseholders” do not charge affiliates for obtaining their copy of the ransomware. The promoted infection is intelligent enough to terminate itself if it detects code debugging attempts. Interestingly, it remains inactive until a predefined trigger time. Although this platform appears to be somewhat crude at this point, it has already gained notoriety as the first-ever RaaS tailored to compromise the Mac environment.

Shifr

The latest RaaS, called Shifr, has significantly lowered the bar for entering the extortion business. Registration for new affiliates is a no-brainer, and so is the process of creating new ransomware. Crooks can get their custom build by entering their Bitcoin address, defining the ransom amount (0.01-1 BTC), and typing a verification code. The RaaS owners only take a 10% cut of future ransoms. Some analysts speculate that such a low share may have a flip side for affiliates, serving as bait to entice gullible ones and then never paying them their cut.

Ransomware-as-a-Service is shaping up to be the mainstay of extortion-related cybercrime. It has introduced a framework where a malefactor’s technical background is no longer part of the equation: programmers do their separate job, and so do ransomware distributors. Consequently, pretty much anyone with minimum resources and some time on their hands can join this disgusting business and fire up a new campaign in several clicks.

As the ransomware epidemic is reaching new statistical heights due to the growth of RaaS, prevention is more relevant than ever. Fortunately, there’s no need to reinvent the wheel in this context – just prioritize your files and back up the most important ones.

Guest article written by: David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures. Contact: Google+, Twitter, Facebook, LinkedIn.
