A new ransomware-as-a-service (RaaS) has reportedly emerged, offering cybercriminals on the dark web the option of using ransomware created by someone else in exchange for subscription payments.
According to a report by ZDNet, independent security researcher going by the Twitter handle Xylitol uncovered the Satan malware as part of the Gen:Trojan.Heur2.FU malware family. Satan now however has been launched as part of a RaaS platform, which allows prospective cyber criminals access to ransomware in exchange for 30% of the revenues generated.
Once a victim has been infected with Satan via either malicious links or phishing campaigns, the victim’s files are encrypted and the attackers instruct the victims about ransom demands. Satan reportedly contains a HTML file that claims that restoring the encrypted files are impossible. According to researchers, this claim is not unfounded, indicating that the only way victims can regain access to their stolen files is by paying up the demanded ransom.
Satan’s ransom note instructs victims to install the Tor browser and then redirected to an .onion link to make the ransom payments. The ransom amount varies according to the specification of the cybercriminals using the RaaS platform.
Cybercriminals who want to use the Satan RaaS platform need to sign up for an account with the ransomware’s domain, which is hosted on the dark web. Those interested in the RaaS’ services must connect a Bitcoin wallet to their account and point out a cost for decryption.
Satan RaaS comes with several features, including fee payment records, transaction tracking, ransomware version releases and more. The platform provides hackers with tips on how to customise ransomware demands. Satan also helps hackers learn how to set up gateway proxies, and how to test their malware on systems. The platform also provides hackers with the option of translating their malware into different languages.
Additionally, Satan RaaS’ creators warn cybercriminals not to upload their ransomware onto VirusTotal or other online scanners, in efforts to ensure that they remain undetectable to security researchers.
A message of Satan RaaS’ sign up page reads, “Now, the most important part: the bitcoin paid by the victim will be credited to your account. We will keep a 30 percent fee of the income, so, if you specified a 1 BTC ransom, you will get 0.7 BTC and we will get 0.3 BTC. The fee will become lower depending on the number of infections and payments you have.”
Unlike some other ransomware authors who either fail to come up with a decryption key or store it in a way that allows security researchers to access it an create decryption tools based off them, Satan’s developers store the decryption keys on a remote server. As of now, there is not decryption tool available.
By India Ashok