Security researchers have recently encountered a new Ransomware-as-a-Service (RaaS) known as “Encryptor RaaS”. The service is advertised on an onion-based domain reachable through a Tor2Web service, and the associated ransomware is detected as W32/Cryptolocker.ABD9!tr. According to the researchers, the model closely resembles the recently discovered “Tox” ransomware. The seller earns a 20% commission per infected user who opts to pay the ransom. All transactions are made in Bitcoin: affiliates, or “customers”, of the RaaS sign up with their Bitcoin address, and victims need Bitcoin to recover their files. The ransomware tool offers three configuration options:
- Price of ransom – the amount that infected users must pay in order to recover their encrypted files.
- Price of ransom after timeout – the new (usually higher) amount charged if the infected user does not pay within the specified deadline.
- Timeout – the payment deadline, in hours; once it expires, the ransom changes to the post-timeout amount.
Once an affiliate has successfully signed up, a Customer ID is generated and embedded in the ransomware executable built for that affiliate.
The accessibility of malicious-tools-as-a-service continues to enable just about anyone to conduct cybercrime. While W32/Cryptolocker.ABD9!tr is far from sophisticated, it demonstrates how average developers can easily start a malware-as-a-service business by abusing online anonymity frameworks such as Tor2Web services and Bitcoin. It also illustrates how quickly new trends in cybercrime business models are adopted by other cybercriminals, rapidly multiplying the number of new malware variants.
The information provided herein is on "as is" basis, without warranty of any kind.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street