Sophos News

Ransomware as a service: how the bad guys marketed Philadelphia

  • Bill Brenner

    • Ransomware as a service (RaaS) has been around for a while. But it has typically been found on the dark web. In recent months, its creators have grown more brazen about promoting it on the open web, and that has the potential to change everything.

    Few RaaS kits exemplify this the way Philadelphia does.

    At Black Hat 2017 this morning, Sophos released an in-depth report on the subject, Ransomware as a Service (Raas): Deconstructing Philadelphia, written by Dorka Palotay, a threat researcher based in SophosLabs’ Budapest, Hungary, office. It delves into the inner mechanics of a ransomware kit anyone can buy for $400. Once purchased, the bad guys can hijack and hold computer data for ransom in exchange for payment.

    Out in the open

    The RaaS kit’s creators – The Rainmakers Labs – run their business the same way a legitimate software company does to sell its products and services.

    While it sells Philadelphia on marketplaces hidden on the dark web, it hosts a production-quality “intro” video on YouTube, explaining the nuts and bolts of the kit and how to customize the ransomware with a range of feature options.

    A detailed Help Guide, walking customers through set-up is also available on a .com website.

    Their first RaaS product was Stampado, which they started to sell last summer for only $39. Based on their experiences by the end of 2016, they developed a much more sophisticated piece of ransomware called Philadelphia, which they currently sell for $389 on their website.

    Customers include an Austrian teenager police arrested in April for infecting a local company. In that case, the alleged hacker had locked the company’s servers and production database, then demanded $400 to unlock them. The victim refused, since it was able to retrieve the data from backups.

    While ransomware-as-a-service is not new, the glossy, overt marketing of a do-it-yourself ransomware attack is. Palotay said:

    It’s surprisingly sophisticated what The Rainmakers Labs is trying to do here. Details about Philadelphia are out in the open on the world wide web as opposed to underground and secretive on the dark web, which is where most other ransomware kits are marketed. You don’t need a Tor browser to find Philadelphia, and the fact that it’s brazenly peddled is sobering and, unfortunately, indicative of what’s to come.

    Sophos global security research head James Lyne agreed:

    Philadelphia exemplifies the common marketing strategies and features that are making RaaS so popular. By combining the practices of the legitimate software industry, such as documentation, regular feature updates and friendly user interfaces, RaaS services have made it far more viable for those with intent but not technical skill to execute relatively high-quality attack campaigns.

    Defensive measures

    For best practices against all types of ransomware, Sophos recommends: