Malware and computer forensics expert Lawrence Abrams has uncovered a dark web site advertising its ransomware-related products and services.
The site, named “Hall of Ransom,” can be accessed through the Tor network and sells the Locky ransomware for $3,000. Locky infiltrates the system through a malicious macro in a Microsoft Word document sent as an email attachment to its victims. Its recent casualties include the Kentucky-based Methodist Hospital and Hollywood Presbyterian Medical Center, which coughed up 40 bitcoins (around $17,000) to decrypt its hostaged files. The malware was estimated to have had 90,000 infections per day last February.
The site is also selling an uncopiable ‘USB key’ for $1,200 that can supposedly decrypt the files encrypted by Locky on infected Linux and Windows-based computers. Users need only insert the USB key into the affected computer for the program to launch itself automatically and uninstall the malware.
It was also revealed that The Hall is selling a ‘new generation ransomware’ named “Goliath” for $2,100. Its source code is said to be derived from Locky’s, and it is said to cater to beginners who are just starting to venture into cybercrime. The site is hyping Goliath by promising a high infection rate and an ability that lets hackers download, lock and unlock the content of the infected computers in one click.
Abrams’ further probing also showed a possible link to another variant of ransomware named Jigsaw, which was referenced in the site’s HTML source code. Jigsaw has garnered considerable attention since its reported discovery last month for its capability to incrementally delete files from the infected computer for every hour that the ransom, which also increases, is not paid. It also banked on instilling shame and fear to pressure the victim into paying the ransom.
Using the deep web to trade malware is not surprising, given all the benefits cybercriminals reap when they host their infrastructure and advertise their products and services on anonymizing services such as the Tor network. Ransomware, seen as an attractive option given its promise of a quick ROI, is also steadily growing into a business model. For instance, ransomware variants such as Petya, Mischa, Cerber and ORX-Locker are known to be offered as ransomware-as-a-service products on deep web marketplaces, where affiliates distribute the ransomware while developers earn commissions for every paid ransom. Another ransomware, Tox, was offered to cybercriminals for free as a customizable toolkit, with 30% of the income going to the developer.
The Goliath ransomware being offered was said to require the use of a virtual private network (VPN) and can only affect machines running Windows OS. Abrams also downplayed the ransomware, saying, “Some of its features just do not make sense, such as the need for a high end GPU card, unless they are introducing a cryptocoin mining feature. I and others have searched high and low for a sample of the Goliath ransomware, and if it exists, it is in almost non-existent distribution.”