SophosLabs researcher deconstructs popular Philadelphia ransomware kit to reveal how ransomware as a service is proliferating cybercrime
LAS VEGAS – July 25, 2017 – It’s increasingly easy to build and launch ransomware, regardless of skill. All one needs is ill intent and access to the dark web – a marketplace where malware kits are peddled like shoes or toys on Amazon.
The trend is known as ransomware as a service, and few examples are as slick and dangerous as Philadelphia.
At Black Hat 2017 this morning, Sophos released an in-depth report on the subject called “Ransomware as a Service (Raas): Deconstructing Philadelphia,” written by Dorka Palotay, a threat researcher based in SophosLabs’ Budapest, Hungary, office. It delves into the inner mechanics of a ransomware kit anyone can buy for $400. Once purchased, the bad guys can hijack and hold computer data for ransom in exchange for payment.
Out in the open
The RaaS kit’s creators – The Rainmakers Labs – run their business the same way a legitimate software company does to sell its products and services. While it sells Philadelphia on marketplaces hidden on the dark web, it hosts a production-quality “intro” video on YouTube, explaining the nuts and bolts of the kit and how to customize the ransomware with a range of feature options. A detailed “Help Guide,” walking customers through set-up is also available on a .com website.
While ransomware-as-a-service is not new, the glossy, overt marketing of a do-it-yourself ransomware attack is.
“It’s surprisingly sophisticated what The Rainmakers Labs is trying to do here. Details about Philadelphia are out in the open on the World Wide Web as opposed to underground and secretive on the dark web, which is where most other ransomware kits are marketed. You don’t need a Tor browser to find Philadelphia, and the fact that it’s brazenly peddled is sobering and, unfortunately, indicative of what’s to come,” Palotay said.
Track victims and (maybe) give mercy
In addition to the marketing, the product itself is advanced with numerous settings buyers can tailor to better target how they attack their victims, including ‘Track victims on a Google map’ and ‘Give Mercy’ options. Tips on how to build a campaign, set up the command-and-control center and collect money are also explained. It’s all right there.
Ironically, the “Give Mercy” feature is not necessarily to help victims, but is instead there to help cybercriminals get themselves out of a sticky situation.
“For the most part, the Mercy option is to give cybercriminals an ‘out,’ if they’re in a precarious position after a particular attack,” Palotay said. It’s also there in case friends of an attacker accidentally find themselves ensnared or if the cyber criminals want to test their attack.
The option to “Track victims on a Google map,” which sounds creepy, gives a glimpse into how cybercriminals determine the demographics of those they’ve deceived, which could help them decide to repeat an attack, course correct the next attack or bail with the “Mercy” option.
Extra features for extra money
The Mercy and Google tracking options and other features in Philadelphia are not unique to this ransomware, but are not widespread, either. These are examples of what’s becoming more common in kits and, as result, shows how ransomware-as-a-service is becoming more like a real world software market.
“The fact that Philadelphia is $400 and other ransomware kits run from $39 to $200 is notable,” Palotay said. “The $400 price tag, which is quite good for what Philadelphia buyers are promised, includes constant updates, unlimited access and unlimited builds. It’s just like an actual software service that supports customers with regular updates.”
Philadelphia also has what’s called a “bridge” — a PHP script to manage communications between attackers and victims and save information about attacks.
Additional features Philadelphia buyers can customize include the text of the ransom message that will appear to victims and the color of the text, whether the message appears before a victim’s data is encrypted and “Russian Roulette,” which deletes some files after a certain predetermined timeframe. “Russian Roulette” is common in ransomware kits, and is used to panic users into paying faster by randomly deleting files after a number of hours.
Having customization options and bridges drives in more profit and adds a whole new dimension to cybercrime that could increase the speed of ransomware innovation, Palotay commented. In other RaaS cases SophosLabs examined, pricing strategies ranged from splitting a percentage of the ransom coming from victims with kit customers to selling subscriptions to dashboards that follow attacks.
The report also reveals that some cybercriminals have “cracked” or pirated Philadelphia and sell their own ripped-off version at a lower cost. While cracking is not new, the scale is interesting. Ready-made threats that don’t require attackers to know what they doing and are easily available for purchase are constantly evolving. Sophos expects this trend of upping the ante and committing fraud against fraudsters to continue.
“It’s not uncommon for cybercriminals to steal another’s code or build upon older versions of other ransomware, which is what we saw with the recent NotPetya attack,” said Palotay. “The NotPetya attack combined Golden Eye, a previous version of Petya, with the Eternal Blue exploit to spread and infect computers globally.
For best practices against all types of ransomware, Sophos recommends:
- Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
- Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
- Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
- Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit. In the case of this attack, users want to be sure they are using the most updated versions of PDF and Word.
- Use Sophos Intercept X, which stops ransomware in its tracks by blocking the unauthorized encryption of files.
- Try Sophos Home for Windows and Mac for free with family and friends.