It is increasingly easy to set up a ransomware business, as we reported last month. Two recent news stories illustrate that point: the weaponization of open source malware, and the use of cheaply purchased malware by cyber delinquents. (A comment on the Cloudmark blog requested that I stop using the term “script kiddies” as it sounds patronizing. OK.)
The first open source ransomware on GitHub was written as an educational exercise by Turkish researcher Utku Sen. He left backdoors in the software to prevent it being used in earnest, and has since abandoned and deleted the project. However, other, less responsible developers have taken the project up and removed the backdoors. We are now seeing functional, obfuscated versions of the code being uploaded to VirusTotal.
In Austria, a teenager was arrested for attempting to extort $400 from a company using the Philadelphia ransomware, currently for sale on the AlphaBay dark marketplace for $309 (reduced from $389). The cost of the software was less than the money he would have made from a single successful ransom demand.
So far, this vendor has sold fifty-nine copies of Philadelphia, generating around $20,000 in revenue.
AlphaBay is a dark market, that is, a marketplace operating as a Tor hidden service that allows the anonymous sale and purchase of illegal goods using cryptocurrencies such as Bitcoin. While much of its trade is in illegal drugs, there are also listings for stolen credit card numbers, counterfeit money, fake IDs, weapons, explosives, and of course malware. Several dark markets tried to take over after the original Silk Road marketplace was taken down by law enforcement. AlphaBay seems to be the most successful, both because its apparent Russian center of operations puts it beyond the reach of US law enforcement, and because the owners have yet to abscond with the large amounts of their users’ Bitcoin that they hold in escrow to guarantee transactions. That temptation was too much for the owners of Sheep Marketplace and Evolution Marketplace.
Philadelphia is by no means the only, or even the cheapest, variety of ransomware for sale on AlphaBay. Here are some of the many examples.
In this case FUD means “Fully UnDetectable”, that is, not flagged by anti-virus programs, rather than the more common expansion of the acronym, “Fear, Uncertainty, and Doubt”. Like many marketing claims in dark markets, it is probably not true.
Prices vary from a few dollars to a few hundred. Several vendors are selling variants on the “Blackmail” ransomware. The most successful of these appears to be “flicker98”, who has sold over eleven hundred copies. Like eBay and Amazon, AlphaBay keeps track of user feedback for vendors, and flicker98 has a 94% positive rating.
Spam email remains a common method for distributing ransomware. However, with so many criminals now having access to ransomware software, some of them are trying other methods. A recent attack used malicious advertisements on Skype. Attackers have also used a recently announced vulnerability in Apache Struts 2 to place ransomware on web servers. Finally, our friend flicker98 offers a variant of the Blackmail ransomware that can be installed directly from a USB drive.
[Y]ou can install it on a portable USB and it will automatically boot and start encrypting files after a given time frame of 2 hours or 2 days (depending on your preference).
I once used this ransomware to encrypt the computer files of a hotel I lodged in and was able to extract 10 BTC from them. I simply installed it on a USB and plugged it into the PC when the receptionist was away from the desk.
Malicious USB drives or mobile phones can emulate keyboards or Ethernet connections and take over a computer. You should never let a stranger plug a USB device into your computer. To protect yourself against other ransomware attacks, make sure you have a good spam filter, keep your operating system, browser, and anti-virus software up to date, and most importantly make sure all your data is backed up, with at least one copy kept offline or otherwise out of reach of a compromised machine, since ransomware will also encrypt any backup it can write to.