
Extortion as a Service. Who and for how much offers to help with extortion on the darknet.

RedX

Epidemics of encrypting (ransomware) Trojans replace one another regularly, and their scale keeps growing. Behind the scenes of this problem are businessmen who offer anyone who wants it an easy way to become a hacker (and, quite probably, to earn a criminal record). In this article I will talk about how, and for how much, the darknet offers services and software for extorting money.

But let's start by going over the history of extortion malware.

EVOLUTION OF THE DIGITAL MUGGING
The first recorded ransomware epidemic occurred in 1989, when Norwegian biologist Joseph Popp mailed out floppy disks labelled as educational information about AIDS. In reality, the program embedded itself in AUTOEXEC.BAT, hid folders and damaged files. On the next boot the user saw an offer to renew the OS license by mailing $189 to the account of PC Cyborg Corporation in Panama, and the computer booted no further.

AIDS was based on symmetric cryptography, meaning that the same key was used to encrypt and decrypt the information, so a cure for the virus was produced quite quickly. Popp was soon found, but he was declared insane and sent for treatment. The creator of the first ransomware became famous for wearing a cardboard box on his head to protect himself against radiation.



AIDS infection warning

Over the next sixteen years ransomware infections remained rare, despite the growth of the Internet. Everything changed in 2005, when the GPCoder malware began to spread over the network.

GPCoder encrypted information with RSA, an advanced cryptographic algorithm for the time. A little later Archievus appeared, which encrypted files only in the "My Documents" folder. Neither piece of malware brought its creators much profit, because antivirus programs found and removed them easily.

Vundo malware, which began to be used to extort Bitcoin in 2009, also failed: FireEye programmers wrote a data-decryption script within a few days and left the Vundo developers without profit.



Vundo ransom request message

In 2011 a new type of ransomware appeared: WinLock. Instead of encrypting information, such lockers blocked access to Windows and displayed a fake OS activation menu. Victims were asked to call a support line or send an SMS to obtain the unlock code. The call and the message were charged at a premium rate, and the fee went straight into the racketeers' pockets.

However, the locker-based business model turned out to be a failure. In 2012 ransomware earned only $5 million. A serious amount, but a trifle by the standards of modern threats. So the following year hackers returned to the roots of digital blackmail and began using a modified version of the CryptoLocker encryptor.

The main difference between CryptoLocker and Vundo was that encrypted files could not be recovered, since decrypting them required a 2048-bit key that could only be obtained from an online service after payment. In just two months the malware's creators earned 27 million dollars in Bitcoin.



Cryptolocker payment menu

In 2014, after anti-virus specialists took over the Gameover ZeuS botnet through which CryptoLocker was distributed, its clones CryptoWall and TorrentLocker began to dominate the ransomware market. In 2016 experts discovered the first ransomware designed to infect Macs, called KeRanger. A few months later cybersecurity experts identified a cross-platform Trojan called Ransom32, which can infect computers running Windows, Mac or Linux.

In May 2017, with the arrival of the WannaCry crypto-worm, a new era in the history of digital mugging began. WannaCry exploited the EternalBlue vulnerability in Windows, installed a backdoor, downloaded the encryptor's code and, having infected one computer, quickly spread across the local network. Over the year the worm got onto 520 thousand devices and caused $4 billion in damage. A contemporary of WannaCry is the Petya crypto-worm, which used the same Windows exploit. The damage caused by Petya exceeded $3 billion.



Wannacry infection map

In 2018 emails carrying the original GandCrab malware began arriving in netizens' inboxes. The extortionists lured users with love messages and archives with romantic names such as Love_You_2018. But the archives had a catch: a dropper that downloads GandCrab. In 2019 the developers of "Crab" hung up their claws, having hit a jackpot of about $2 billion.



A love letter from GandCrab

The baton was picked up by the evil geniuses behind the REvil ransomware, also known as Sodinokibi. Information security specialists found matches between the GandCrab and Sodinokibi code, and also found that both use almost the same string-decoding functions. Experts therefore believe that REvil is a direct successor of GandCrab.

In the wake of the hype around WannaCry and Petya, Ransomware as a Service (RaaS) appeared on the darknet: toolkits and platforms for carrying out attacks and collecting ransom. The lion's share of the RaaS customer base consists of lamers who want to make easy money but do not want to program anything themselves. Extortion as a service is a model of cooperation between the operators of blackmail programs and so-called agents.

RANSOMWARE FOR SALE
On the largest international marketplace I found a dozen ads related to ransomware. Here they are.

WARNING
All information is provided for informational purposes only. The author and editors are not responsible for any possible harm caused by the information in this article. The spread of viruses and malicious programs is illegal and will result in criminal liability.

1. KingLocker Python source code for Windows for 99 euros
The vendor claims that after the executable is run, the malware connects to the control panel on the server, downloads the key, encrypts data on the device and opens a web page demanding a ransom in Bitcoin. I found no information about any KingLocker infections. The first and only mention of the virus on the Raid forum dates from July 12, 2020.

2. Sodinokibi/REvil malware for 2,000 dollars
According to Panda Security, Sodinokibi was the most profitable blackmail program of the fourth quarter of 2019. The malware generates a unique ID and keys for each device, encrypts files, changes the desktop wallpaper and displays decryption instructions containing the URL of a form for restoring access to the data.

3. Ransomware source code bundle for 15 euros
It consists of:

  • Skiddy ScreenLocker - a copy of the exotic Trojan;
  • NxRansomware - an open source project uploaded to GitHub in 2016;
  • HiddenTear - the first open source ransomware Trojan, released on GitHub in 2015;
  • MyLittleRansomware - another open source project, developed in 2018;
  • Jigsaw Ransomware - identified in 2016, named after Billy, the doll from the Saw films;
  • EDA2 Ransomware - built on the EDA2 constructor and demanding a fixed decryption fee of 0.1 BTC;
  • CryptoLocker - the legendary old-timer that managed to make American cops fork out $500;
  • Andr0id L0cker - mobile ransomware that blocks access to Android;
  • Shark Ransomware - launched as a clearnet RaaS in 2016.
Incidentally, Andr0id L0cker is the only mobile ransomware offered for sale on the shadow markets I visited.

4. WannaCry for $150
It is still too early to bury the WannaCry Trojan, as it accounted for 40.5% of detected cases in the first quarter of this year. But after the 2017 epidemic Microsoft released patches for OS versions back to XP that fixed the vulnerability exploited by WannaCry. So the original build of the blackmailer can no longer install a backdoor to download and run its executable on the vast majority of computers.

5. LimeRAT modular Trojan for 89 euros
Multi-functional malware designed for encrypting data on hard disks and flash drives, installing an XMR miner, stealing cryptocurrency wallet data and performing DDoS attacks. It spreads via Excel files and USB drives and can delete itself if it detects a VM.




6. Custom-build Blackmail Bitcoin Ransomware source code for $15
A curious variant of malware that can be used both as a regular encryptor and as a tool for stealing Bitcoin. In ransomware mode the program encrypts files on the device and demands a ransom. In stealer mode the Trojan recognizes BTC addresses in the clipboard and modifies them. If the victim pastes the address without checking it, the bitcoins go to the hacker's wallet.

7. DiamondFox modular malware for $1,000
A version of DiamondFox released in 2017, with updates from March 17, 2020. It is distributed only via USB flash drives and consists of nine elements:

  • Cookie Grabber - steals cookies from the Firefox, Google Chrome and Microsoft Edge browsers;
  • Botkiller - finds and removes malicious scripts;
  • Video Recorder - records the user's on-screen actions;
  • blackmailer module - automatically decrypts data after the ransom transfer is confirmed;
  • cryptocurrency stealer - swaps addresses of BTC, BCH, LTC, ETH, DOGE, DASH, XMR, NEO and XRP;
  • Keylogger - records and reports keystrokes tagged with date and time;
  • file stealer - downloads files of a selected format and size;
  • password stealer for browsers and instant messengers;
  • bot for Windows x64 and x86.
The dealer did not publish detailed information about the ransomware module. But given its low cost ($60), I would venture that it is an open source project or a modification of outdated malware.
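The address-swapping behaviour described for items 6 and 7 (a clipper that replaces a copied BTC address with its own) leaves a detectable trace: two different, checksum-valid addresses passing through the clipboard within a fraction of a second. The following is an added defensive example, not code from the article or from any of the malware it lists; the clipboard snapshots and hash160 payloads are constructed test data, and the 2-second window is an assumed heuristic threshold.

```python
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")

def b58check_encode(version: int, payload: bytes) -> str:
    """Base58Check-encode version byte + payload (used here only to build samples)."""
    raw = bytes([version]) + payload
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # each leading 0x00 byte -> '1'
    return "1" * pad + out

def is_valid_btc_address(addr: str) -> bool:
    """True for a legacy (1.../3...) address whose Base58Check checksum verifies."""
    if not ADDR_RE.match(addr):
        return False
    n = 0
    for ch in addr:
        n = n * 58 + ALPHABET.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:  # 1 version byte + 20-byte hash160 + 4-byte checksum
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]

def detect_clipboard_swaps(events, window=2.0):
    """events: list of (seconds, clipboard_text) snapshots in time order.
    Flags a valid BTC address replaced by a *different* valid BTC address within
    `window` seconds: a person rarely copies two payee addresses that quickly,
    while a clipper overwrites the clipboard right after the copy. Requiring a
    verified checksum on both sides keeps ordinary text and typos from alerting."""
    alerts = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        if (before != after and t1 - t0 <= window
                and is_valid_btc_address(before) and is_valid_btc_address(after)):
            alerts.append((t1, before, after))
    return alerts

# Constructed sample data: the hash160 payloads are arbitrary test bytes, not real wallets.
VICTIM_ADDR = b58check_encode(0x00, bytes(range(1, 21)))       # P2PKH, starts with '1'
ATTACKER_ADDR = b58check_encode(0x05, bytes(range(100, 120)))  # P2SH, starts with '3'
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (5.0, VICTIM_ADDR),    # user copies the intended payee address
    (5.1, ATTACKER_ADDR),  # clipper silently overwrites it
    (40.0, "invoice 1234"),
    (90.0, VICTIM_ADDR),   # a later copy that nothing tampers with
]
```

On a live host the snapshots would come from polling the clipboard; the same check also works as a paste-time guard that compares the pasted address with the one the user originally copied.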

8. Ransomware 2020 for $49
The seller did not give the name of the malware, but stated that it was created in 2020 and that no antivirus software can detect it. According to the vendor, the malware uses the AES encryption algorithm and opens a text file on the infected computer with a ransom demand in cryptocurrency.

9. Blackmail Bitcoin Ransomware source code for $40
The ransomware spreads via flash drives and via installers downloaded from the Internet. For USB drives there is an option to start the malware automatically after a set time interval. It is particularly gratifying that the kit includes a user guide.




10. Source code of five Bitcoin Ransomware blackmailers for $18
This collection includes modern malware, as well as instructions for configuring and distributing it. The names of the programs are kept secret, but the vendor said that all of them are new and suitable for extorting virtual currencies.

But the Russian darknet disappointed, as usual. Russian-language trading platforms and forums neither sell ransomware nor offer services for organizing attacks, because platform moderators ban RaaS. Wherever you look, there is nothing but drugs, carding and lookup services.

TURNKEY BLACKMAIL
Currently two full-fledged RaaS platforms operate on the dark web, built to automate and streamline malware distribution and ransom collection. The platforms have different modi operandi and terms of cooperation, but one thing unites them: the developers do not sell the malware's source code.

Ranion
Visitors to the site are offered a service package that includes:

  • a Tor-based control panel for key management;
  • a decryptor;
  • an add-on for translating the text of the ransom banner into a given language and adding file extensions to the list of supported ones.

To get access to the service, customers are asked to transfer Bitcoin and send an email to the operators' address stating their BTC address, the ransom amount, a contact email for victims and the list of add-ons. After confirming the payment, the site owners promise to send:

  • a ransomware executable for Windows x86 and x64 devices that uses the AES encryption algorithm;
  • a decryptor for restoring the data;
  • a link to the darkweb control panel.
Once the executable is run on the victim's computer, the malware encrypts all files with the 43 extensions on its list (for example .txt, .docx, .jpeg and .rar), generates a key and sends it to the control panel. A ransom message appears on the infected machine's screen, giving the crypto-wallet address and a contact email. If the victim does not transfer the bitcoins within seven days, the decryption key is deleted.



After receiving the cryptocurrency from the victim, the attacker must run the decryptor, enter the victim's key and select the Decrypt My Files option; the files are then decrypted automatically.



The malware supports delayed startup and encryption, disables Task Manager, changes the desktop wallpaper and tracks the device's IP address. In addition, an obfuscator and a unique .onion address (printed on the banner) can be purchased for an extra $90. A subscription to the service costs $120 for one month, $490 for six months and $900 for a year.

According to the project's authors, 85% of antivirus programs do not detect Ranion; the remaining 15% flag the file as suspicious or unwanted. The developers update the malware regularly and promise to email updated versions to subscribers. The latest upgrade at the time of writing was released in September 2020. The developers claim that they distribute the software purely for research purposes, in order to avoid responsibility for their customers' illegal actions.

VirusTotal staff found that in 2017 a Ranion sample was detected by 41 of 60 antivirus engines. The RANION v1.11 version released in September 2020 has not yet been tested. The malware does not encrypt shadow copies of files, so data can be restored from a backup. However, the information cannot be decrypted with the decryptors developed by cybersecurity experts, because the malware creates unique keys.

Smaug
The site opened in May 2020 and positions itself as a leading RaaS project. Registration on the platform costs 0.2 BTC ($2,137 at the current exchange rate). After paying, the user gets access to an account and can create a campaign to infect computers, choosing one of two options:

  • normal (a unique key is created for each device);
  • institutional (encrypts data on multiple devices with a single key).



According to the instructions, each campaign can be given an arbitrary name, a ransom amount in Bitcoin, a message that victims will see, and an expiration date. Then you select the operating system (Windows, Linux or macOS), click the Create button and download the ransomware executable.



The malware encrypts files on the victim's device and opens a text document containing a link to the Smaug portal.

The service provides a decryption key after the required amount of BTC is transferred, but allows one file to be decrypted for free in test mode. The platform charges a 20% commission on all transactions and automatically sends the Bitcoin to the agent's wallet. Smaug keeps campaign statistics on three indicators: the amount of payments, the number of users and the number of payments.



The malware encrypts information only on the computer's hard disk and does not spread across the local network, to reduce the probability of detection by antivirus software. The Smaug developers prohibit attacks on the territory of the CIS countries; in addition, the service began advertising on a Russian-language darknet forum, so it seems that people from the Commonwealth are behind the platform. The service charges a high commission and a huge registration fee, yet the site's server is unstable and periodically goes down. Either the support is not running smoothly, or competitors are making trouble.

At the end of September VirusTotal staff tested how effective antivirus programs are against Smaug and found that 44 of 67 engines were able to identify it. The malware deletes the source files after encryption and generates unique keys, so decryptors do not work. Because of this, victims who want to regain access to their information have no choice but to pay the ransom. However, the virus does not delete backups or shadow copies of files, so a backup is the most reliable protection against Smaug.

CONCLUSIONS
Becoming the lowest link in the cybercrime pyramid is easy these days, with malware prices starting at a frivolous $15. But I think you understand perfectly well why ransomware developers, instead of using their creations themselves, sell them by subscription, like Office 365 and Adobe CS. Join this queue, and you are guaranteed to be the one left holding the bag.
 