It’s increasingly easy to build and launch ransomware, regardless of skill. All one needs is ill intent and access to the dark web – a marketplace where malware kits are peddled like shoes or toys on Amazon. The trend is known as ransomware as a service, and few examples are as slick and dangerous as Philadelphia.
Report on RaaS
At Black Hat 2017 Sophos released an in-depth report on the subject called “Ransomware as a Service (Raas): Deconstructing Philadelphia,” written by Dorka Palotay, a threat researcher based in SophosLabs’ Budapest, Hungary, office. It delves into the inner mechanics of a ransomware kit anyone can buy for $400. Once purchased, the bad guys can hijack and hold computer data for ransom in exchange for payment.
Out in the open
The RaaS kit’s creators – The Rainmakers Labs – run their business the same way a legitimate software company does to sell its products and services. While it sells Philadelphia on marketplaces hidden on the dark web, it hosts a production-quality “intro” video on YouTube, explaining the nuts and bolts of the kit and how to customize the ransomware with a range of feature options. A detailed “Help Guide,” walking customers through set- up is also available on a .com website. While ransomware-as-a-service is not new, the glossy, overt marketing of a do-it-yourself ransomware attack is.
Track victims and give mercy
In addition to the marketing, the product itself is advanced with numerous settings buyers can tailor to better target how they attack their victims, including ‘Track victims on a Google map’ and ‘Give Mercy’ options. Tips on how to build a campaign, set up the command-and-control center and collect money are also explained. It’s all right there.
Ironically, the “Give Mercy” feature is not necessarily to help victims, but is instead there to help cybercriminals get themselves out of a sticky situation. It’s also there in case friends of an attacker accidentally find themselves ensnared or if the cyber criminals want to test their attack.
The option to “Track victims on a Google map,” which sounds creepy, gives a glimpse into how cybercriminals determine the demographics of those they’ve deceived, which could help them decide to repeat an attack, course correct the next attack or bail with the “Mercy” option.
Extra features – extra money
The Mercy and Google tracking options and other features in Philadelphia are not unique to this ransomware, but are not widespread, either. These are examples of what’s becoming more common in kits and, as result, shows how ransomware-as-a-service is becoming more like a real world software market.
Philadelphia also has what’s called a “bridge” — a PHP script to manage communications between attackers and victims and save information about attacks.
Additional features Philadelphia buyers can customize include the text of the ransom message that will appear to victims and the color of the text, whether the message appears before a victim’s data is encrypted and “Russian Roulette,” which deletes some files after a certain predetermined timeframe. “Russian Roulette” is common in ransomware kits, and is used to panic users into paying faster by randomly deleting files after a number of hours.
Having customization options and bridges drives in more profit and adds a whole new dimension to cybercrime that could increase the speed of ransomware innovation, Palotay commented. In other RaaS cases SophosLabs examined, pricing strategies ranged from splitting a percentage of the ransom coming from victims with kit customers to selling subscriptions to dashboards that follow attacks.
Stolen code
The report also reveals that some cybercriminals have “cracked” or pirated Philadelphia and sell their own ripped-off version at a lower cost. While cracking is not new, the scale is interesting. Ready-made threats that don’t require attackers to know what they doing and are easily available for purchase are constantly evolving.
It’s not uncommon for cybercriminals to steal another’s code or build upon older versions of other ransomware, which is what we saw with the recent NotPetya attack. The NotPetya attack combined Golden Eye, a previous version of Petya, with the Eternal Blue exploit to spread and infect computers globally.
Pieter Lacroix, Managing Director Nederland bij Sophos
