Security researchers have identified a ransomware variant that is available for free on the Dark Web and is even unregistered. The discovery comes at a time when the ransomware trade is running on handsome commissions and bounty-sharing occurs between malware sellers and buyers.
The distribution of ransomware among hackers and cyber-criminals on the Dark Web over the years wasn't always about targeting common enemies or demonstrating mutual affection. In fact, ransomware-as-a-service was and continues to be, a major cyber-crime economic model that benefits both buyers and sellers.
The well-oiled economic model entails minimal risks for developers of new ransomware variants while ensuring that they receive pre-decided commissions for exploits conducted using their products. At the same time, those willing to conduct ransomware attacks can pick up new variants from the Dark Web without having to do any research on their own.
Consequently researchers from the McAfee Advanced Threat Research team were somewhat taken aback when they stumbled across a ransomware variant which was being offered for free on the Tor network. However, after conducting further research, they concluded that while the ransomware didn't feature any price tag, the developer could still earn a 10 percent fee from each victim who paid a ransom.
Once it infiltrates a device, the ransomware in question used the device's internet connection to download an encryption key and creates three files that separately confirm that the device is encrypted and that generate a unique TOR address for the device.
The ransomware then proceeds to encrypt files that include many picture and photography files related to Canon, Kodak, Sony, and others, as well as extensions for AutoCAD, Autodesk projects, scalable vector images, and Microsoft Office files. Once the process is completed, it generates a ransom note asking the device owner to transfer 0.01 Bitcoin to a virtual payment address to decrypt such files.
According to the researchers, despite featuring such capabilities, this particular ransomware isn't very powerful when compared to the most sophisticated ransomware variants being offered on the Dark Web nowadays. Firstly, the ransomware is coded in Golang which is an improved version of the C language but can be easily detected on a corporate network because of its large size.
Secondly, the ransomware doesn't feature common evasion techniques like DGA, SSL for control, encryption, or even file compression, thereby rendering itself vulnerable to advanced anti-malware technologies. These two deficiencies, coupled with the fact that the ransomware is being offered for free, made the researchers conclude that the ransomware 'might be a demonstration version, or a proof of concept for future sale'.
However, Joseph Carson, chief security scientist at Thycotic, believes that the true motive behind the ransomware being offered for free on the Tor network could be more sinister. In fact, it could have something to do with the current value of Bitcoin.
"Ransomware-as-a-service has been around already for several years and its value has been decreasing over time due to the wide availability of many ransomware toolkits. Ransomware-as-a-service was previously available as a subscription service or by cyber-criminals demanding a percentage of the profit. In my opinion, however, the reason we are seeing ransomware-as-a-service being made available for free is a cunning way for cyber-criminals to manipulate the value of Bitcoin," he says.
"The more victims who need to open cryptocurrency wallets and buy Bitcoins to pay the ransom, only increases the value of Bitcoin. This way cyber-criminals can gain profit legally via Bitcoin's value increasing by making anyone - even non-technical criminals - deploy ransomware to more victims.
"The best way for cyber-criminals to get away with a crime is misdirection and this is another great example of that. Other reasons for ransomware-as-a-service being offered for free is law enforcement potentially using this as a method for catching criminals and turning them into informants," he adds.