Malware and computer forensics expert Lawrence Abrams has discovered an obscure website that advertises ransomware-related products and services.
The site, called “Hall of Ransom”, is accessible via the Tor network and sells Locky ransomware for $3,000. Locky infiltrates a system through a malicious macro in a Microsoft Word document sent to victims as an email attachment; once the recipient opens the document and enables macros, the macro fetches and runs the ransomware. Recent casualties include Kentucky-based Methodist Hospital and Hollywood Presbyterian Medical Center in Los Angeles, which paid 40 bitcoins (about $17,000) to get its encrypted files back. The malware was recorded at around 90,000 infections a day last February.
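Since the delivery mechanism described above comes down to "a Word attachment carrying a macro", the check a defender most wants is one that flags or quarantines any incoming Word attachment that contains a VBA project, regardless of the file extension it arrives with. The script below is an added example written for this page; it is not code from the article or from any product mentioned in it, and the attachment contents it inspects are constructed in the script itself rather than real Locky samples. It handles both Word container formats: the OOXML zip (a macro-enabled file carries a part named vbaProject.bin) and the legacy OLE2 binary (the VBA project shows up as UTF-16LE storage names such as _VBA_PROJECT).

```python
import io
import zipfile

# OLE2 compound-file signature used by legacy .doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_macros(data: bytes) -> bool:
    """Return True if a Word attachment carries a VBA project.

    - OOXML (.docx/.docm): a zip archive; macros live in a part named
      vbaProject.bin (normally word/vbaProject.bin). The extension is not
      trusted: a .docm renamed to .docx still executes macros in Word.
    - Legacy binary (.doc): an OLE2 compound file; Word stores the VBA
      project under directory entries named 'Macros' and '_VBA_PROJECT',
      written as UTF-16LE, so a byte search finds them.
    """
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return False  # not a valid OOXML container
        return any(n.endswith("vbaproject.bin") for n in names)
    if data.startswith(OLE_MAGIC):
        needles = (
            "_VBA_PROJECT".encode("utf-16-le"),
            "Macros".encode("utf-16-le"),
        )
        return any(n in data for n in needles)
    return False  # neither Word container format


def triage(attachments: dict) -> list:
    """Return the names of attachments that should be quarantined."""
    return [name for name, data in attachments.items() if has_vba_macros(data)]


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML document for the demo (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample mailbox: the names and contents are made up for the demo.
SAMPLE_ATTACHMENTS = {
    "invoice.docm": _build_ooxml(with_macro=True),
    "agenda.docx": _build_ooxml(with_macro=False),
    # Stand-in for a legacy .doc with a VBA project: OLE2 header followed by
    # the UTF-16LE storage name Word writes for macro projects.
    "legacy.doc": OLE_MAGIC + b"\x00" * 24 + "_VBA_PROJECT".encode("utf-16-le"),
    "readme.txt": b"plain text, no container",
}

if __name__ == "__main__":
    for name in triage(SAMPLE_ATTACHMENTS):
        print(f"QUARANTINE: {name} contains a VBA project")
```

The byte-search used for OLE2 files is deliberately coarse: it catches the common case but does not parse the compound-file directory, so for production mail filtering use a real parser such as olevba from the oletools package, which also extracts and scores the macro code itself.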
The site also sells an ‘uncopiable’ USB key for $1,200 that can supposedly decrypt files encrypted by Locky on infected Windows and Linux computers. According to the listing, users need only insert the USB key into the affected computer; the program is then supposed to launch automatically, remove the malware and restore the files. The claim does not hold up: Locky's files can only be recovered with the private key held by its operators and no working decryptor is publicly known, Locky targets Windows rather than Linux, and current versions of Windows do not auto-run programs from removable media. The listing reads more like a scam aimed at desperate victims than a product.
The Hall is also selling a ‘new generation ransomware’ named “Goliath” for $2,100. Its source code is said to be derived from Locky’s, and it is pitched at beginners who are just starting to venture into cybercrime. The site hypes Goliath by promising a high infection rate and a feature that lets the buyer download, lock and unlock the contents of infected computers with one click.
Abrams’ further probing also turned up a possible link to another ransomware family, Jigsaw, which is referenced in the site’s HTML source code. Jigsaw has drawn considerable attention since its reported discovery last month because it incrementally deletes files from the infected computer for every hour the ransom goes unpaid, while the ransom amount itself increases. It also banks on shame and fear to pressure victims into paying.
The use of the deep web to trade malware is unsurprising given the benefits cybercriminals derive from hosting their infrastructure and promoting their products and services on anonymizing networks such as Tor. Ransomware, attractive because of its promise of a quick return, is also gradually turning into a business model. Ransomware families such as Petya, Mischa, Cerber and ORX-Locker are offered as ransomware-as-a-service (RaaS) products in deep web marketplaces: affiliates distribute the ransomware and the developers take a commission on each ransom paid. Another, Tox, was offered to would-be criminals for free as a customizable toolkit, with the developer keeping 20% of every ransom.
Goliath, as offered, requires the use of a virtual private network (VPN) and can only affect machines running Windows. Abrams also downplayed the ransomware: “Some features don’t make sense, like the need for a high-end GPU card unless they introduce a cryptocurrency mining feature. Others and I have searched high and low for an example of the Goliath ransomware and, if it exists, it has an almost non-existent distribution.”