Ransomware Authors Copy Mainstream Marketing Techniques

When I give talks about how ransomware has gone to a more traditional business model, some people look at me like I’m crazy, and the concept of elements on the Dark Web resembling eBay and similar software-as-a-service models just seems to go right over their heads.

I thought I’d take a few minutes to explain some of these new features that we’re seeing hackers using recently. Let’s take a look at some of the new entries into the malware marketplace.
Let’s start with Dark and Deep Web basics and some terms that will make things easier to understand.

Terminology

The Dark Web is part of the Internet, but most of it is encrypted, so traditional users can’t read it. There are many websites, blogs and other sites that are part of the Dark Web. You, as a traditional user of Facebook, Twitter and the Internet, don’t see it because those sites only respond to a certain Internet browser called Tor. You won’t see Dark Web sites using Chrome, Edge, Safari or Firefox. The bad guys are familiar with the sites that offer “ransomware as a service” (think software for rent), stolen credentials and stolen credit cards, and with the chat areas where they can share the latest hacker news.

Ransomware as a Service (RaaS). More and more hackers are using traditional services and marketing techniques to make more money. Before we go further, let me introduce a new hacker offering that goes by the acronym RaaS, which stands for Ransomware as a Service. It’s the hacker’s version of the mainstream method of renting software, referred to as SaaS (Software as a Service). Many hackers now prefer to rent out the ransomware they create and let others do the actual extortion, just “taking a cut” of whatever their customer rakes in.

Hackers Get Creative

Now that we’ve got the main terminology out of the way, let’s talk about some of the new trends in hacking we’re seeing:

Let’s start with adjusting ransoms based upon the victim’s ability to pay and improving “customer service” using a ransomware product called Fatboy. This ransomware, which can be rented as a RaaS (“ransomware as a service”) program, lets thieves change the amount of money they extort from their victims based on where the victim lives. Victims in areas with a higher standard of living are charged more for their data to be decrypted than those in less affluent areas. The software has built-in geolocation reference tables based on the relative cost of a Big Mac across different countries to determine how much ransom they can charge.

Fatboy also offers “customer support” to victims over an instant messaging service called Jabber to streamline the extortion process by helping victims pay their ransom. This feature is part of a growing trend in ransomware toward “improved customer service” as another way of extracting money from victims.

Providing customer testimonials from happy hacker customers by Ovidiy Stealer. What better way to increase sales than with endorsements from happy customers? This tool is designed to steal user credentials. Ovidiy Stealer primarily targets web browsers and is being marketed on Russian-speaking web forums for as little as $7. While most RaaS tools are more general-purpose, this one seems to be designed for a Russian-speaking audience, which is its innovation. Other features include “testimonials” from satisfied criminal customers and a variety of payment options to purchase the tool.

Free trials with tips and tricks by Hackshit. This phishing-as-a-service platform can help initiate a ransomware infection. It attracts new subscribers by offering them free trial accounts to review its limited set of hacking tutorials and tricks to make easy money. The website contains inline manuals, free tutorials, chat support, a comments section, links/generator, logs, and a marketplace. The price starts at a mere $40 a week.

Malware called Satan that fights back against anti-virus and anti-malware products. This malware tool provides additional services, such as tracking the progress of each individual user in terms of collecting their ransom cash. The tool also encrypts its code and contains a lot of anti-debugging and anti-analysis techniques to make dynamic and static analysis more difficult. It’s another ransomware-as-a-service product that allows less skilled hackers to use the original software on a rental basis. The malware owner also takes a 30 percent cut of any ransoms collected.

Become a Hacker For As Little as $50!

Dirt-cheap hacking tools like Hostman can be purchased on Dark Web sites. Some RaaS tools, like Hostman, charge up front rather than taking a percentage of the payouts; Hostman costs $50. It introduced auto-encryption, so the criminal doesn’t have to worry about providing a decryption key once the ransom is paid out. Even script kiddies can afford software this cheap!

Hacking made easy: a user-friendly web interface makes Karmen very popular. This one is similar to Satan in that it uses a web-based control panel hosted on the Dark Web that allows buyers to configure their own personalized version. It is based on an open source ransomware toolkit called Hidden Tear. Like Satan, it has anti-detection techniques built in, and it automatically deletes its decryptor (the thing that undoes the damage if you pay the ransom) if a sandbox environment or analysis software is detected on the victim’s computer. It also comes with a dashboard that lets buyers keep a running tally of the number of infections and their profit in real time. It is being sold on Dark Web forums for $175. If you have any doubts about how to use it, Karmen comes with its own YouTube instructional video too. You get 100 percent of the ransoms because you purchase it.

Wouldn’t you agree that some of these hacker tactics mirror more traditional tactics used by mainstream retailers?

If you’ve got questions you’d like us to answer in future blog posts, please send them to info@actnetworksolutions.com