Ransomware creators are monetizing their software in creative new ways. Not only are they using ransomware to encrypt files and collect ransoms, but they’re also selling their ransomware to others as do-it-yourself (DIY) kits and licensing it as a service.
Criminals can purchase popular ransomware such as Cryptolocker, Cerber, Locky and Stampado as DIY kits with prices ranging from $39 to $3,000. These DIY kits allow criminals to quickly customize and distribute their ransomware to start collecting money.
There is wide variation in the types of DIY kits offered. Some are based on versions of ransomware that are already outdated while others are stable systems that work effectively. Some include advanced features, like one that allows administrators to delete random files at specific intervals until the ransom is paid.
DIY ransomware often includes a configuration wizard that helps criminals customize the ransomware to their specifications. These future extortionists define a custom name for the ransomware, determine the currency they will accept and the amount of the ransom, and upload a custom ransomware message. For encryption ransomware, criminals purchasing the kit select the file types that will be encrypted. Locking ransomware allows the purchaser to select which functions of the system to freeze.
Ransomware as a Service (RaaS)
Other ransomware creators are outsourcing the distribution element of the ransomware while still collecting the ransom. Such systems offer distributors a percentage of the ransoms received. Ransomware such as Petya, Mischa, Tox, Ransom32 and Cryptolocker Service follow this model of Ransomware as a Service (RaaS). Ransomware creators allow criminals to sign up on servers that are typically hidden behind an anonymous network to protect the creator’s identity and the distributor’s funds. All future extortionists need is a bitcoin account to sign up and they can download the ransomware for distribution. RaaS allows for some customization as well. Criminals can set the ransom demand amount and custom tailor their ransom message.
As victims pay ransoms, the RaaS providers track which bitcoin account was tied to the ransomware version, take a percentage off the top and deposit the remainder into the extortionist’s account. Extortionists can log into the RaaS page to see infection statistics and their earnings.
This has created a gold rush with new entrants to the ransomware market customizing and distributing malware in the attempt to claim their stake of the prize. Unfortunately for the rest of us law abiding citizens, this means that we can expect ransomware attacks to continue to grow. It is important to stay vigilant in implementing security controls, keep systems up to date and train users on the latest distribution techniques and incident response procedures. Make sure that important files are backed up to a location separate from the primary data so that ransomware infections will not impact both production and backup data.