November 4, 2020 • Insikt Group®
Click here to download the complete analysis as a PDF.
Hackers need not search the dark web for access to their very own ransomware platforms these days. Cybercriminals are continually finding new ways to promote their underground businesses and gain the attention of new customers and novice hackers. Several threat actors have recently taken to popular social media and open sources like YouTube, Vimeo, and Sellix to advertise and demonstrate their discount-priced $40 ransomware-as-a-service (RaaS) builder called ZagreuS.
The ZagreuS ransomware offers several attractive and easy-to-use features that make it accessible and manageable for low-level beginner hackers. According to the sellers, the ransomware features include:
- Asymmetric encryption. Uses a hybrid combination of AES-256 and RSA-2048 algorithms to lock files on the target machine.
- It deletes shadow copies and is claimed to encrypt files at a very high speed.
- Claims to bypass UAC.
- Built-in loader that can be customized to drop additional payloads such as RATs (remote-access trojans).
- The attacker can monitor the number of victims infected with the ransomware.
- Easy personalization. Enter your contact information and bitcoin address for fast payment.
According to the original seller, ZagreuS is designed for attacking larger networks of companies, enterprises, and hospitals. The 11-minute demo video posted on YouTube describes that the seller will receive a 30 percent commission for each ransom collected, while the remaining 70 percent is kept by the operator/buyer. The ransomware builder is currently trending at a low price of $40 USD, paid in cryptocurrency to the sellers wallet.
Several interested buyers left comments on the sale posts on underground forums inquiring if anyone had tested the ZagreuS builder, and expressed interest in trying it out. Typically, in these instances, the low price of the builder is an indication that the seller is lacking experience or that the tool is not very valuable. Insikt Group has found that most often, the tool does not function well, can be easily decrypted, and it can be very difficult for the “affiliates” criminals to make a profit off of their victims.
Many online platforms and social media applications are aware of these advertisements and work to have them removed. When this particular demo video was removed from the original YouTube channel, the threat actor quickly uploaded it again under a different link and pivoted to other platforms for clear web and deep web marketing, including sellix.io, RAID forums, hackforums, and Github.
Ransomware has stolen the cybercrime stage in the past year, quickly becoming one of the most damaging and prevalent forms of cyber attacks. Industries such as state and local government, healthcare, and finance have taken an especially hard hit from ransomware attacks in the past year, and it does not appear to be slowing down. There are currently over 1,800 variants of ransomware, with the top 45 variants bringing in the most ransom money.
Although the barrier of entry for threat actors to get into ransomware has been lower than ever, very few criminals make a profit off of these low-cost, simple RaaS tools. However, those that are successful have taken advantage of the situation and have increased ransom demands. Some are even practicing double exploitation of their victims — demanding a ransom, and still releasing the victims’ personal data for sale on underground forums after they have paid.
For more information on security intelligence to defend against ransomware threats, visit www.recordedfuture.com.