Ransomware-as-a-Service industry is growing rapidly.
The industry generated $209 million in ransom payments with a monthly growth rate of more than 20%.
There is no archetypal cyber criminal. They come in all shapes and sizes, from those who manage money mules to those who build and manage botnets or other forms of malware. One of the more interesting types of cyber criminal is the one who uses and manages ransomware. According to Trend Micro, ransomware can be defined as “…a type of malware that prevents or limits users from accessing their system.”
Ransomware encrypts data and typically forces its victims to pay the ransom through online means in order to regain access to their machines and, hopefully, retrieve their data. There are many types of ransomware. Some, like Cryptolocker, encrypt files and force the victims to pay to have their data returned to them. Cryptolocker was distributed by the Game Over Zeus botnet, which was taken down in late May of 2014 during Operation Tovar, a joint international law enforcement action; it is also believed to have been distributed by the Cutwail botnet.
However, there were instances where victims reported that their files were not decrypted even after paying the ransom. According to some research organizations, ransomware is on an upswing, with new sightings occurring very frequently. Historically, ransomware has been developed and run by single individuals seeking to profit from the fears of private citizens. That is no longer the case.
Did it for the Money, or Did He?
In a recent turn of events, a service called “Tox” began being advertised on the Darkweb, websites made available via anonymization networks such as Tor and I2P. There are many services offered within the Darkweb. Perhaps the best known was the criminal marketplace Silk Road, which provided a ‘safe’ environment for the barter and sale of illicit drugs to users who sought and gained anonymity through the use of the Tor network.
However, the anonymity of the Tor network has come under scrutiny since the arrest and incarceration of Ross Ulbricht (aka Dread Pirate Roberts). Ulbricht, like so many before and after him, believed that the Tor network would provide him with reasonable anonymity. The reality was shockingly different. Despite this, new services continued to appear within the Darkweb catering to criminal audiences. “Tox” was a new service advertised to cybercriminals who wanted to use ransomware but lacked either the time or the ability to develop their own.
This new ransomware-as-a-service was created and run by a person who claims to be a teenager. McAfee wrote the first blog post about Tox and his now infamous kit. We don’t know much about this individual, but it’s clear that he’s been successful and effective in developing RaaS. The blog is unavailable right now, so I can’t really reference it. However, he took the time to write a post that described the product’s functions and his intent to sell it. You’ll be able to find more information on social media if you want to know more about it.
It’s worth noting that there are ransomware authors who feel sorry for their actions and quit the business for that reason. For example, one of the most “famous” Locker ransomware authors, V., announced on May 30, 2015, via a post on Pastebin, that he was sorry for all the trouble he had caused and that he was quitting the business. Because he provided the private keys, victims were finally able to decrypt their files.
Thank You and Goodnight!
Tox explains that he has decided to get out of the business for several reasons, but that he is going to take a 30% cut from all of the kits that are still sold. This is interesting for several reasons:
The man claims that he is not a criminal and is in fact being judged unfairly. The attention he has received makes him feel uncomfortable, but this could be because he has always felt underestimated as an individual.
He feels that the work is “getting too hard for me to handle” and reminds his audience that he is only a teenager, not a group of experienced hackers. He also reminds them that their purchase entitles them to more than just software.
He will still earn a profit from sales of the service/kit through the commission model he has already set up, even though he will no longer be collecting the earnings directly.
Making Sense of it All
Let’s examine these points one at a time. Tox believes he’s not a criminal, but regardless of what part of the world he is in, it would be hard for him to defend extortion and conspiracy to extort in any court.
He feels that he has received too much attention since announcing his business model and ransomware-as-a-service kit, and has become uncomfortable. This is understandable, as he is presumably a novice criminal with little experience in the ways of criminality. It’s possible that he’s a teenager, which might explain why he is scared of the repercussions if people find out who he is.
He’ll still enjoy whatever benefits the service and kit bring him, even though he is no longer active in criminal activity, so long as they continue to be viable forms of ransomware.
As if the digital onslaught of Tox’s ransomware-as-a-service wasn’t enough, the logic behind choosing that route to bitcoin profits is troubling. The problem with this approach is that it presupposes an inherent lack of wisdom on the part of hackers.
Not only that, but it ignores a time-tested axiom: industry expertise wins out. If the kit is as good as promised, we can expect it to become an even greater problem than those that came before it. The emergence of a service of this kind shows that the cyber threat landscape continues to change, and that it is important for the InfoSec community to keep investing in technology.
As for Tox, it remains to be seen whether he will stay retired or not. It will be some time before we know the answer to that question.
For more information about the ways we can help you improve your organization’s IT, give us a call at (310) 870-8999.