Breach, Ransomware

Sophos Calls B.S. on Ransomware Extortionists’ Tactics

Sophos recently issued a primer deconstructing a ransomware kit sold as-a-service (RaaS) that anyone with $400 to spare can buy. No expertise, not even a passing familiarity with software, is required of buyers, and the kit's authors don't pretend otherwise.

It's tempting to think of the ransomware toolkit, called "Philadelphia" and created by the ironically named Rainmakers Labs, the way we think of the fictional Dr. Evil holding the world hostage with a giant laser in a bid for global domination.

This, however, is anything but amusing. The kit really does have global reach. Attacks launched independently by many separate buyers are one significant difference from the movie villain; another, perhaps more troubling, is the marketing apparatus the authors have wrapped around it in pursuit of the appearance of legitimacy.

That's the big idea here: we now have RaaS sales and marketing, pull and push at the same time, wrapped in a tidy package priced to sell to a wide audience. In other words, behold the trappings of a legitimate business (product, demand, supply, sales and marketing) showcased in the light of day, like a scorpion newly crept out from under a rock and feeling right at home.

This development can't surprise anyone who has inadvertently wandered into ransomware's sights, responded to an infection, defended a network on the front line, or simply been within earshot of any of them. The smelly part isn't that this ransomware is peddled as a service, as though it had some beneficial quality rather than the extortion that defines it. It's how the kidnappers seek to normalize their business within the fabric of everyday commerce, mimicking the methods of any software developer.

That's some weird stuff right there: an oven-ready security threat that requires no know-how on the buyer's part to cook, shrouded in apparent normalcy.

But let's not alarm you further without some specifics from Sophos' work. Its clear driver is the concern that anyone with a crook's evil eye now has an easy, relatively unobstructed path to gain, if not a king's ransom, certainly more than a peddler's. The report, delivered at the just-concluded Black Hat conference, is authored by Dorka Palotay, a threat researcher at the security vendor's labs in Budapest, Hungary.

“It’s surprisingly sophisticated what The Rainmakers Labs is trying to do here,” Palotay wrote. “Details about Philadelphia are out in the open on the World Wide Web as opposed to underground and secretive on the dark web, which is where most other ransomware kits are marketed. You don’t need a Tor browser to find Philadelphia, and the fact that it’s brazenly peddled is sobering and, unfortunately, indicative of what’s to come.”

As Sophos tells it, while "Philadelphia" is still sold in corners of the dark web, Rainmakers Labs has also produced a glossy video, available on YouTube, explaining the ins and outs of the kit, including how to customize the ransomware and its other feature options. The authors also provide a help guide to steer buyers through setup and installation, much as an appliance maker would for a toaster.

Don’t think for even a second that’s all there is:

  • There are settings to tailor an attack and track targets, including a 'Track victims on a Google map' option, which plots where victims are, and a 'Give Mercy' option, which lets the attacker decrypt a victim's files for free when an extortion attempt has gone awry.
  • Tidbits on campaign building, how to set up a command-and-control center and, let’s not forget, how to collect money.
  • A PHP script to manage communications between attackers and victims and save information about attacks.
  • Text of the ransom message that will appear to victims and the color of the text, whether the message appears before a victim’s data is encrypted, and “Russian Roulette,” a scare tactic which deletes some files after a certain predetermined time period.

It's these options that set "Philadelphia" apart, not just for the comprehensive nature of the offering but also for its potential to speed innovation and bring in more money, Palotay said.

In other RaaS cases SophosLabs examined, pricing strategies ranged from splitting a percentage of the ransom coming from victims with kit customers to selling subscriptions to dashboards that follow attacks, the company said.

“The fact that 'Philadelphia' is $400 and other ransomware kits run from $39 to $200 is notable,” Palotay wrote. “The $400 price tag, which is quite good for what Philadelphia buyers are promised, includes constant updates, unlimited access and unlimited builds. It’s just like an actual software service that supports customers with regular updates.”

Fortunately, Sophos' report doesn't leave us wandering off stunned and half-cocked without directions home. Here's the company's list of defensive maneuvers:

  • Back up regularly and keep a recent backup copy off-site. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Don’t enable macros in document attachments received via email. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
  • Be cautious about unsolicited attachments. If in doubt, leave it out.
  • Patch early, patch often. The sooner you patch, the fewer open holes remain for the crooks to exploit.

And, naturally, Sophos advises using its own Intercept X product, which it says blocks the unauthorized encryption of files.
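The behavior Sophos describes, spotting and stopping unauthorized encryption, rests on the observation that ransomware rewrites many files in a short burst with contents that look like random bytes. The following script, an added illustration and not Intercept X's code or anything from the Sophos report, shows the simplest version of that heuristic: Shannon entropy per file, a minimum file size so tiny files don't produce noisy scores, and a burst counter across a directory tree. The entropy threshold (7.5 bits per byte), the burst threshold (5 files) and the constructed sample files are all assumptions for the demonstration.

```python
"""Toy ransomware-activity detector: flag a burst of high-entropy file rewrites.

Added example; not the detection logic of any commercial product.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed value, tune per environment
MIN_SIZE = 256           # assumed: files smaller than this give unreliable entropy
BURST_THRESHOLD = 5      # assumed: this many suspicious files in one sweep raises an alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-symbol input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the bytes are large enough to judge and close to uniformly distributed."""
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= threshold


def scan_tree(root, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return paths under root whose contents look encrypted (or compressed, see note)."""
    suspicious = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            if looks_encrypted(path.read_bytes(), threshold):
                suspicious.append(str(path))
    return suspicious


def ransomware_burst(root, burst: int = BURST_THRESHOLD):
    """Return (alert, hits): alert is True when at least `burst` files look encrypted."""
    hits = scan_tree(root)
    return len(hits) >= burst, hits


def simulate_attack(file_count: int = 8):
    """Build a constructed victim tree, sweep it, overwrite every file with random bytes
    (a stand-in for an encryptor's output), and sweep again.
    Returns (alert_before, alert_after, number_of_files_flagged_after)."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(file_count):
            body = f"Quarterly report {i}\n" + "Revenue grew modestly this quarter.\n" * 20
            (Path(root) / f"report_{i}.txt").write_bytes(body.encode())
        alert_before, _ = ransomware_burst(root)
        # Simulated encryption: os.urandom is a stand-in for ciphertext, not a real encryptor.
        for path in Path(root).glob("*.txt"):
            path.write_bytes(os.urandom(4096))
        alert_after, hits = ransomware_burst(root)
    return alert_before, alert_after, len(hits)


if __name__ == "__main__":
    before, after, flagged = simulate_attack()
    print(f"alert before attack: {before}, after attack: {after}, files flagged: {flagged}")
```

Entropy alone is a weak signal: zip archives, JPEGs and already-encrypted documents also score near 8 bits per byte, so a production tool combines it with the rewriting process's identity, rename or extension-change patterns, canary files and a rollback of the changed files, which is what "blocking" unauthorized encryption requires in practice.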

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.