Article by Sophos ANZ SE manager Steven Sparshott
In the shadows of our everyday internet lies the dark web.
According to many, those who dare to enter the murky network will find themselves surrounded by hackers, war criminals and drug dealers willing to do anything for a quick buck.
For others, the dark web represents the future – providing the opportunity to spend bitcoin alongside enhanced privacy and improved communications – and is used by activists, scholars and individuals in pursuit of freedom of speech and expression.
Regardless of your interpretation, one thing we know for sure is that the dark web has changed the cybersecurity landscape, perhaps indefinitely.
In recent months, ransomware distribution kits have been available on the dark web for anyone who can find and afford them.
Dubbed Ransomware-as-a-Service (RaaS), these packages allow individuals with little technical skill to attack businesses and individuals with relative ease.
Philadelphia is among the most sophisticated RaaS offerings available on the dark web.
The RaaS kit’s creators – Rainmakers Labs – run their business the same way a legitimate software company does to sell its products and services.
In the case of Philadelphia, there are a number of personalisation options, and for USD$389 one can purchase a “full unlimited licence”.
In addition, Rainmakers Labs hosts a production-quality “intro” video on YouTube, explaining the nuts and bolts of the kit and how to customise the ransomware with a range of feature options.
Before Rainmakers Labs developed Philadelphia, they launched Stampado, the organisation’s first RaaS kit, which was available for USD$39.
Stampado has continued to be sold since the creation of Philadelphia, which is much more sophisticated despite incorporating much of Stampado’s makeup.
Its creators are confident enough in Philadelphia’s supremacy that they ask for the much more substantial sum of USD$389.
Satan RaaS came onto the market this year.
Interestingly, Satan describes itself as “a ransomware, a malicious software that once opened in a Windows system, encrypts all the files, and demands a ransom for the decryption tools” – but it’s actually much more than that.
Satan is also an online crimeware service, backed by a cloud service of the attacker’s choice.
The service claims to generate a working ransomware sample that can be downloaded for free, and gives users flexibility over settings such as price and payment conditions.
The service then collects the ransoms on a user’s behalf, provides a decryption tool to victims who pay up, and pays out 70% of the proceeds via Bitcoin.
Satan’s creators keep the remaining 30% of income generated as the fee.
RaasBerry is one of the newest RaaS offerings available via the dark web, first launched in mid-2017.
RaasBerry allows customers high levels of customisation and package options.
It boasts “advanced polymorphic techniques to avoid over 90% of popular antivirus products”, offline capabilities and promises to work when launched on non-administrative accounts.
High levels of customisation enable users to get specific about ransom amounts and create automatic processes once the ransomware launches.
For now, the best way for companies and individuals to combat the rise in RaaS includes:
Measuring RaaS-based attacks is difficult, as the developers creating this malicious code are good at covering their tracks.
But we do know that this is a growing phenomenon.
RaaS has almost certainly helped the global ransomware scourge rise, and the number of available kits will only continue to increase over the coming months.
In order to successfully combat these attacks, organisations must understand what’s out there and protect themselves accordingly.