In these years, the Darknet has created new illegal business models. In fact, over the classic illegal contents, like drugs, weapons and killers, other services are born in order to allow to speculate and to earn. In information security context, you can find hacking services and illegal software development, such as malicious software. The new trend consists of platform usage that allow even the inexpert people to create ransomware on demand.

A ransomware is a malicious code that infects the victims’ machines and blocks or encrypts their files, claiming a ransom. When ransomware is installed on a victim machine, it looks for and targets sensitive files and data, such as important financial data, databases and personal files. They are designed to make unusable the victims’ machines. Then, the malware demands to pay a ransom for the encrypted user data showing a window or creating some text files containing the payment instructions. The user has only two options: pay the ransom without having the guarantee of getting back the original files or format the PC disconnecting it from the Internet.

Ransomware history

The first ransomware was born in 1989, when 20000 floppy disks were dispatched as “AIDS Information-introductory Diskettes” and after 90 reboots, the software hid directories and encrypted the names of files on the customer’s computer, claiming a ransom of $189. The payment had to be done depositing the request amount at a post office box in Panama.

After many years, in May 2005, GpCode, TROJ.RANSOM.A, Archiveus, Krotten and others appeared and marked the beginning of maximum spread of this kind of malware.

With the advent of the new anonymous payment ways in the end of 2008, such as Bitcoin, the ransomware has changed the approach of demanding ransom payment.

After many ransomware family, such as CryptoLocker, TeslaCrypt, Locky and others, in the 2017, WannaCry Ransomware Attack terrified most country in the world thanks to its worm behaviour, with which the malware was able to spread in more of 230k machines exploiting a vulnerability of SMB protocol. Despite its unexpected worm behaviour, WannaCry continued to encrypt the user files using the classic methods but asked a payment of 300$ in Bitcoin to send to a provided Bitcoin address.

2017 – The year of ransomware 

The past year was the worst for the ransomware attacks spread in the worldwide. There were at least three ransomware attacks which made economic damages for millions of dollars.

The first one was WannaCry which hit every type of infrastructure, starting from communication companies, like Telefonica, FedEx and Deutsche Bahn until English hospital agencies. It propagated through EternalBlue, an exploit in older Windows systems released by The Shadow Brokers a few months prior to the attack. While Microsoft had released patches previously to close the exploit, many organizations that had not applied these or were using older Windows systems that were past their end-of-life.

Figure 1 – WannaCry ransom note

The second one is NotPetya, the evolution of another infamous ransomware, known as Petya spread in the wild in 2016. This ransomware propagates with the same exploit of WannaCry, EternalBlue. The characteristic of this malware is that it was designed not to be a ransomware, but a wiper, because it encrypts the Master Boot Record of the machine and due an algorithmic error, it was not possible to restore the previous condition and data are definitely lost.

Figure 2 – NotPetya ransom note

The last terror of the computer systems was Bad Rabbit. It was the evolution of NotPetya ransomware and targeted principally Turkey, Germany, Poland, Japan, United States and other countries. But the major damage was occurred at the Odessa airport of Ukraine. It is interesting to note that the malware doesn’t explicitly implement a wiper behaviour, suggesting the operators are financially motivated. However, the onion website used for the payment is no longer available, this implies that victims cannot pay the ransom to decrypt the file. This behaviour could be intentional and used by attackers to hide as a distraction tactic.

Figure 3 - Bad Rabbit payment site
Figure 3 – Bad Rabbit payment site

Ransomware general features 

The samples related to the last ten years attacks, could be categorized in two different types:

  • Locker-ransomware: is a ransomware that locks users out of their devices;
  • Crypto-ransomware: is a ransomware that encrypts files, directories and hard drives.

The first type was used between 2008 and 2011. It was discarded because it was quite simple to eliminate the infection without paying the ransom. In fact, the lockerransomware has the weakness to show a window that deny the access to the computer, but it was simple to bypass the ransomware lock.

The second type hasn’t got this problem because cryptomalware hits directly the users files, let free the usage of system to the victim. So, the user can’t access to the information contained into the crypted files.

Then, the next ransomware uses the same crypting approach of the second ones, but they involve a combination of advanced distribution efforts and development techniques used to ensure evasion and antianalysis, as Locky and WannaCry attest.

Obviously, the creation of a ransomware needs specific and advanced capabilities, in addition to the development effort. This makes ransomware an instrument for few people. To meet the needs of people who want to take revenge, make money or just for fun, new services are born to facilitate the “buying & selling” of malicious software. So, a new approach.

Obviously, the creation of a ransomware needs specific and advanced capabilities, in addition was born: Ransomware-as-a-Service (RaaS).


The rise of the RaaS distribution model is giving would-be criminals an extremely easy way to launch a cyber-extortion business with virtually no technical expertise required, flooding the market with new ransomware strains in the process.

Ransomware-as-a-Service creates a new business model because it allows to earn both malware sellers and customers. Malware sellers, using this approach, can acquire new infection vectors and new victims which they aren’t able to reach through conventional approach, such as email spamming or compromised website. RaaS customers can obtain in easy way technological weapon logging into RaaS portal, configuring the features and distributing the malware to unwitting victims. The goals can be different and are related to make easily and fastly money or to make vengeance against someone.

These illegal platforms can’t be found on the Clearnet, so they are necessary hidden into the dark side of Internet, the Dark Web. Surfing the dark web, through unconventional search engines, you can find several websites that offer RaaS. Each ones provides different features of ransomware creation and platform owner payment, allowing you to select the file extensions considered by the crypting phase, the ransom demanded to the victim and other technical functionality that the malware will implement.

Furthermore, beyond the usage of RaaS platforms, the purchase of custom malicious software can be done through proper website in which you can engage a hacker for the creation of your personal malware. Historically, this commerce has always existed but it was specialized into cyber attacks, like espionage, hack of accounts and website defacement. Only when hackers understood it could be profitable, they started to provide this specific service. Thus, the supply of this type of service is offered substantially in two ways: the first is to hire someone to write a malware with the requirements defined by the customer and the second is to use a Ransomware-as-a-Service platform.

In the following table are synthetized the principal platforms on the Darknet of Rent-a-Hacker and Ransomware-as-a-Service.

Rent-A-Hacker Services
X-HackerXHacker is a classic platform to provide a rent-a-hacker service. This hacker establishes a minimum price for a job is 200 dollars. In order to contact him, he publishes an email address attaching his PGP public key. 
Hacker for HireIt provides several hacking services, like cyber-bullism, cyber extorsion, social account hacking and more other stuff . There is a pricing list of all operations. 
HXT offers an “elite hacking” services, including DDoS attacks, personal accounts’ compromising, botnet and, last but not least, Ransomware on demand too. For each service the hackers show a price list and the most expensive is properly RaaS.
Pirate CRACKER SThis site provides several services, such as Email and cell phones hacking, social media hacking, DDoS attacks and malicious software creation. For each service there is a price list, which makes explicit that the payment must be done in Bitcoin. 
Rent-aHackerHe can do economic espionage, network and website compromising, DDoS attacks and hacking activity in general. Instead of pricing the hacking service types, he prices services based on the jobs dimension (small, medium and large).
Ransomware-as-a-Service Platforms
RaasberryIn this platform there are a personal section, in which you can see statistics about your ransomware campaign, keeping track of number of infections, number of paying people and the relative monetary earning. There is a dashboard in which you can purchase new packages that include, for each plan, the same ransomware but a diff erent subscription time to Command and Control. There are several plans, from plastic to platinum. Once you registered to platform and purchase new package, the platform assign you a personal bitcoin address and you can control statistics about your ransomware campaign and check your earning.
RanionThis platform declares that the C&C of their “Fully UnDetectable” ransomware is established in the Darknet. In the dashboard, you can purchase new packages that include, for each plan, the same ransomware but a diff erent subscription time to Command and Control. There is a section of Ransomware Decrypter, in which the victim inserts the key, sent by the criminal once he has paid the ransom. After you press decrypt button, start the decryption process of fi les.
Earth Ransomware
Unlike the previous RaaS, this one off ers the fi xed-rate service at the price of 0.3 BTC. When the customer pays the quote to the bitcoin address indicated in the mail, he obtains his credentials to enter in the personal section. In the editor area, you can create your personal ransomware in which you can set the number of bitcoins you require, email address, First payment deadline – Last payment deadline and bitcoin address. After the infection, the ransom note is shown to the victim, where are indicated the encrypted fi les, the deadline for payment and, obviously, the bitcoin address. 
RedfoxThe novelty of Redfox is that it’s hosted on the Clearnet. RedFox encrypts all user fi les and shared drives using BlowFish algorithm. The webpage says that the Command and Control, which is hosted over Tor, allows you to choose ransom amount, ransom note, payment mode, payment deadline and other technical features, such as the usage of binders, packers and crypters to guarantee anti-analysis of the sample.
Create your ransomware
It’s a totally-free platform. In its website you can download a ready-to-go ransomware fi lling only 3 form-boxes: the Bitcoin address in which you want to receive your “money cut”, the ransom amount and a simple captcha. As the website shows, the “money cut” corresponds to 90% of the ransom amount, instead the remaining amount is for the service fee. We can see some statistics about the ransomware campaign. 
DataKeeperThe only platform not seized yet is DataKeeper service. When you register at the website, you have the malware confi guration page, where you can choose the malware capabilities and some other confi guration settings. This platform seems to be one of the more completed because it allows to specify which extension of the fi les to encrypt.

*We thank the Global Cyber Security Centre for allowing the reproduction of this article, published in the «GCSEC Newsletter” in April 2018.


Author: Antonio Pirozzi

Antonio is Principal Malware Scientist and Senior Threat Researcher for CSE CybSec Enterprise spa  Actually, he holds more than 10 Infosec International Certification, from SANS, EC-Council and Department of Homeland Security. His experience goes beyond the classical Computer Security landscape, he worked on numerous projects on GSM Security, Critical Infrastructure Security,  Blockchain Malware, composition malware, malware evasion.



Other Magazines