Article by Sophos ANZ SE manager Steven Sparshott
In the shadows of our everyday internet lies the dark web.
According to many, those who dare to enter the murky network will find themselves surrounded by hackers, war criminals and drug dealers willing to do anything for a quick buck.
For others, the dark web represents the future – providing the opportunity to spend bitcoin alongside enhanced privacy and improved communications – and is used by activists, scholars and individuals in pursuit of freedom of speech and expression.
Regardless of your interpretation, one thing we know for sure is that the dark web has changed the cybersecurity landscape, perhaps permanently.
In recent months, ransomware distribution kits have been available on the dark web for anyone who can find and afford them.
Dubbed Ransomware-as-a-Service (RaaS), these packages allow individuals with little technical skill to attack businesses and individuals with relative ease.
What does the RaaS market look like?
Philadelphia is among the most sophisticated RaaS offerings available on the dark web.
The RaaS kit’s creators – Rainmakers Labs – run their business the same way a legitimate software company does to sell its products and services.
In the case of Philadelphia, there are a number of personalisation options, and for US$389 one can purchase a "full unlimited licence".
In addition, Rainmakers Labs hosts a production-quality "intro" video on YouTube, explaining the nuts and bolts of the kit and how to customise the ransomware with a range of feature options.
Before Rainmakers Labs developed Philadelphia they launched Stampado, the organisation's first RaaS kit, which was available for US$39.
Stampado continues to be sold alongside Philadelphia, which is much more sophisticated despite incorporating much of Stampado's makeup.
Its creators are confident enough in Philadelphia's superiority that they ask the much more substantial sum of US$389 for it.
Satan RaaS came onto the market this year.
Interestingly, Satan describes itself as "a ransomware, a malicious software that once opened in a Windows system, encrypts all the files, and demands a ransom for the decryption tools" – but it's actually much more than that.
Satan is also an online crimeware service, backed by a cloud service of the attacker's choice.
The service claims to generate a working ransomware sample that can be downloaded for free, and lets users set terms such as the ransom price and payment conditions.
The service then collects the ransoms on a user’s behalf, provides a decryption tool to victims who pay up, and pays out 70% of the proceeds via Bitcoin.
Satan’s creators keep the remaining 30% of income generated as the fee.
RaasBerry is one of the newest RaaS offerings available via the dark web, first launched in mid-2017.
RaasBerry allows customers high levels of customisation and package options.
It boasts “advanced polymorphic techniques to avoid over 90% of popular antivirus products”, offline capabilities and promises to work when launched on non-administrative accounts.
This customisation lets users set specific ransom amounts and define actions that run automatically once the ransomware launches.
Defensive measures against RaaS
For now, the best ways for companies and individuals to combat the rise in RaaS include:
- Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
- Don't enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don't do it!
- Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
- Patch early, patch often. Malware that doesn't come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit. In particular, make sure your PDF reader and Microsoft Word are running the latest versions, since booby-trapped PDF and Word attachments are a common delivery route.
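The macro and attachment advice above is easier to follow if you can tell, before opening a file, whether it carries macros at all or is only pretending to be a document. The following is an added example, not Sophos's code or any product's logic: a small triage routine (hypothetical function names) that inspects an attachment's bytes and file name and returns the reasons it should be quarantined. It relies only on the Python standard library and on two documented facts about Office files: modern .docx/.xlsx/.pptx files are zip containers whose VBA macros live in a `vbaProject.bin` part (with a `macroEnabled` content type in `[Content_Types].xml`), and legacy .doc/.xls files start with the OLE2 magic bytes. The sample "attachments" are constructed inline for the demo and are not real documents.

```python
"""Triage e-mail attachments for macros and disguised executables.

Added example, not Sophos's code. Attachments are passed as (filename, bytes);
the sample files at the bottom are constructed inline for demonstration.
"""
import io
import zipfile
from typing import List

# OOXML part that holds VBA macros in Word/Excel/PowerPoint files
VBA_PART_SUFFIX = "vbaProject.bin"
# Substring of the content type Office assigns to macro-enabled main parts
MACRO_CONTENT_TYPE_MARKER = "macroEnabled"
# Extensions Office itself reserves for macro-enabled files
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
# Extensions that execute when double-clicked on Windows
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1"}
# Document-like extensions crooks put in front of an executable one
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg"}
# Magic bytes of the legacy OLE2 (Compound File) format used by .doc/.xls
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def ooxml_has_macros(data: bytes) -> bool:
    """True if a zip-based Office file carries a VBA project, whatever its extension says."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.endswith(VBA_PART_SUFFIX) for n in names):
                return True
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CONTENT_TYPE_MARKER in ctypes
    except zipfile.BadZipFile:
        pass  # not a zip container, so not OOXML
    return False


def is_ole_legacy_office(data: bytes) -> bool:
    """Legacy .doc/.xls files can embed macros too, so flag them for closer inspection."""
    return data.startswith(OLE2_MAGIC)


def has_disguised_extension(filename: str) -> bool:
    """'invoice.pdf.exe' style names: a document extension immediately before an executable one."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    last, before = "." + parts[-1], "." + parts[-2]
    return last in EXECUTABLE_EXTENSIONS and before in DOCUMENT_EXTENSIONS


def assess_attachment(filename: str, data: bytes) -> List[str]:
    """Return every reason this attachment should not be opened casually (empty list = ok)."""
    reasons = []
    ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable file type")
    if has_disguised_extension(filename):
        reasons.append("document extension hides an executable one")
    if ext in MACRO_EXTENSIONS:
        reasons.append("macro-enabled Office extension")
    # Content check catches a .docm simply renamed to .docx
    if ooxml_has_macros(data):
        reasons.append("OOXML file contains a VBA project")
    if is_ole_legacy_office(data):
        reasons.append("legacy OLE Office format (can embed macros)")
    return reasons


def build_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal OOXML container for the demo (not a real Word document)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA part
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one clean docx, one macro file renamed to .docx,
    # one double-extension executable, one legacy OLE document.
    samples = {
        "invoice.docx": build_ooxml(with_macros=False),
        "invoice_renamed.docx": build_ooxml(with_macros=True),
        "statement.pdf.exe": b"MZ" + b"\x00" * 16,
        "old_report.doc": OLE2_MAGIC + b"\x00" * 8,
    }
    for name, blob in samples.items():
        reasons = assess_attachment(name, blob)
        verdict = "QUARANTINE" if reasons else "ok"
        print(f"{name:22s} {verdict:10s} {'; '.join(reasons)}")
```

The content check matters more than the extension check: a .docm renamed to .docx still opens in Word and still asks you to enable macros. Note what this does not cover, which is exactly why the patching advice stands on its own: a document with no macros at all can still exploit an unpatched reader, so a clean verdict here is not a reason to skip updates.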
Measuring RaaS-based attacks is difficult, as the developers behind this malicious code are good at covering their tracks.
But we do know that this is a growing phenomenon.
RaaS has almost certainly helped the global ransomware scourge grow, and the number of available kits will only increase over the coming months.
In order to successfully combat these attacks, organisations must understand what’s out there and protect themselves accordingly.