Vin Ransomware Blog02

Ransomware as a Service Banner


Over the past few years, since around 2010‒2012, this new Trojan malware called Ransomware has seen a growth. It is reported by some Antivirus companies that the growth rate of Ransomware is over 100‒200% each year.  The financial losses each year are in millions of dollars.

Ransomware Growth and financial impact

As there is no exact solution to this malware, it continues to create havoc. Criminals and cyber crooks have now started a business of this: they have named the service as Ransomware-as-a-Service (RaaS).

Before we understand what RaaS does, a quick understanding of ransomware. Ransomware is an old malware. Its origin is traced back to as early as in 1989. That was the first reported Ransomware. A ransomware infects the victim’s machine and holds your computer with your data as hostage and demands ransom money in return for the release of the victim’s data. This simple logic that the malware uses makes it one of the most difficult malwares to overcome in today's time. Today ransomware makes use of Cryptographic techniques to encrypt your data. The strength of the ransomware lies in the encryption techniques. Previously the ransomware used Symmetric Key Algorithm (uses same key to encrypt and decrypt). This was fine but the malware researcher (the Good guys) started to find out the flaws and tried to break the encryption method. But as time changed the malware developers too started using more difficult and complex techniques such as the AES 256, RSA 2048, RSA 4096, and Elliptic Curve algorithms. 

These algorithms are extremely difficult to crack. I won't be discussing the complexity of cracking the algorithms. You can search online more about this on various forums and online social platforms if you are really curious to understand the mechanics or simply trust me and an approximate analogy that I am about to make - Imagine 1 single file on your computer is encrypted with RSA 2048 algorithm. And you don’t know the key. You try to decrypt it using a technique called brute forcing. So how much brute force you will need and how much time will it need? To be approximate, imagine each individual on this planet has a simple computer and they all use their computing power to crack this one single file, then the time estimate for cracking this file will be around 70‒80 years. Yes! That is for only one file. Imagine if you have 100 GB of data. I leave it up to you to do the math.

So now that I have established the seriousness of Ransomware, a quick summary on ransomware in few lines is as follows:

  1. Malware which encrypts your files.
  2. Ask money in exchange for your file. (Just like a regular Ransom exchange)
  3. Money is in usually Bitcoins (BTC) (Money of the web. Non-Traceable. Totally Anonymous.)
  4. Brute forcing is no longer an option.

The question now is which people are at risk? Everybody you and me and not just big corporation. We can perhaps think that common people can simply format his machine and start fresh? Yes he certainly can but I read on a forum that a father, who had lost his son a year ago to cancer was hit by ransomware. All the pictures of his son were encrypted. I believe it is not who is a victim: common individual or big corporate, it is about the value of data that is hit. For that common father those pictures mean the world as they hold the memories of his passed away son. Remember, we live in in a digital age where we store our pictures in our computers and phones. No hard copies! The father was lucky that the malware developer had a heart and he gave the key. But this was the story of the past. New malware developers are ruthless and not as kind as the one mentioned. This is a one in a million case of keys released. The Financial and Medical sector are the top targets as they are responsible of holding data and information of large volume of individuals. What is more concerning is that the spread of Ransomware is no way near slowing down because anyone who has bit of knowledge of internet can use this service to make quick money. How is that?

For this article, we are going to discuss one such RaaS known as Satan Ransomware. This RaaS is available on the Dark Web. It is active since January 2017.


Satan Ransomware Instructions                                                                         Figure 3: Satan Ransomware Instructions


Figure 3 shows a quick description of what Satan Ransomware is and how it can benefit you.

The payout that is mentioned is 70-30 ratio. Say 1 BTC is approximately 1000 USD, then according to 70-30 ratio payout, the Site owners, the service providers will get 30% (300 USD)and the user of the service gets 70% (700 USD). That for any common person is lot of money. Easy Money.

Let’s now understand the website and the Service that is provided.  


Satan Ransomware First Page                                                               Figure 4: Satan Ransomware First Page


As shown in Figure 4, the first screen is what we are greeted with. There is another option of new users to Register.

Upon clicking the Register we are directed to a different page (Figure 5):


Page                                                                            Figure 5: Sign-in Page


As we see, the signup is very simple. There is no validation required, no email id is required to register. That means the people who are providing the service have no idea of your identity. This assurance of anonymity is a very powerful aspect.

Upon signing up and logging in, the interface that we see is as follows (Figure 6):

Activity Tracker of the Malware a user has infected                                                        Figure 6: Activity Tracker of the Malware a user has infected


The RaaS provides an activity tracker which can help keep tabs on the amount of ransomware's that have successfully infected machines and how many victims have paid the ransom amount. Your Bitcoin address shows that whenever you want to withdraw the amount you just need to provide your bitcoin address and the 70 % of the total bitcoins collected as ransom will be reflected in your account.

Now the RaaS also provides you with the option of customizing a small amount of the features of Ransomware (Figure 7).


Customizing your own Ransomware                                                           Figure 7: Customizing your own Ransomware


The features that you can customize, and which pretty much define a ransomware altogether is the Ransom amount, which can be given according to the RaaS users will. The minimum ransom hinted is 0.1 BTC (136 USD approx.) There is also a feature wherein suppose the victim is unable to pay the ransom amount in the stipulated time then the ransom amount can multiply as part of punishment to the victim. 

The third option describes the duration till which the ransom is expected to be paid.

The Notes option is for the Service users to keep tabs, for example if the service user is targeting banks and he gives the banks 10 days, he can write in the notes as “Ransomware for X Bank” and then if he targeting Hospitals he can note it as “Ransomware for Y Hospital” so that this way he does not mix up between two malware's and thus can simultaneously work on multiple different campaigns efficiently without an hassle or confusion.


Dropper Techniques used                                                                                  Figure 8: Dropper Techniques used


Just customizing the ransomware is not enough to get the work done. If you simply create a malware, the chances of its detection are high by an Antivirus. To ensure that the malware is not detected, the Service provides you with two XOR techniques to help the malware evade the ransomware. The page clearly describes the instructions on how to make a dropper (Figure 8).

The codes are listed as shown in figures 9 and 10:

Dropper Technique 1

                                                                             Figure 9: Dropper Technique 1

Dropper Technique 2

                                                                                Figure 10: Dropper Technique 2

The RaaS also provides the user with the option of language independence. That means now that user is no longer bound by the boundaries of language to infect its victims. The language translation is available for English, Portuguese, Russian, Dutch, Italian, French and other languages totaling up to 14 different languages.


Language Translation and Ransom Note                                                                   Figure 11: Language Translation and Ransom Note


This panel also discusses the creation of Ransom notes. For humor, many ransomware developers use very harsh or very polite or simply a business like tone in their ransom note.

The next tab is for the summary information of the RaaS user.

Account information                                                                                   Figure 12: Account information


This tab keeps all the information about the RaaS user (Figure 10). The username, how much cut is provided (70% is the default), logged Information, how many ransomware have been developed and how many victims have been infected. I have intentionally deleted my username since the website is still live.

Lastly, the Notice tab informs us about the recent releases (Figure 11).


Version description.                                                                           Figure 13: Version description.


Messages tab is when there is a need for communication between the Service User and Malware Developers and between Victim and Service users in case of price negotiation.

After reading all this, I assure you that it is half as easy to design the ransomware than it is to read and understand this article. In one sentence: Yes, it is very simple to create a ransomware.

Now towards the end of this article, I am pretty sure you must have more questions than before reading this article. Let me put some things straight so that there is no confusion and misunderstanding.

  1. No. I am not the bad guy. The whole aim of this article is to make you aware that the threat is very real and you do not need any expert skills to spread ransomware contrary to popular beliefs that you need to be “expert”.
  2. Yes. Satan Decryption tool is available. Do they work? I do not know. I will shortly check them personally and let you know.  But that is not enough. Just having a decryptor does not mean users—individuals and companies should not take sufficient precautions.
  3. Regular offline backups (on external hard disks, DVDs etc.) is the best precaution you can take for now.
  4. The reason of why ransomware continues to grow is the power of anonymity. The money transaction is in bitcoins which is itself crypto-currency.  Another aspect is that during registration, the users of this service are safe as none of their credentials are validated.

This article has the sole aim of educating the readers about RaaS and how it is an easy money making method which most cyber criminals are using today. RaaS is a simple, easy-money solution. The users of RaaS feel that it is a harmless crime because you are not killing anyone for money, RaaS service users are not exposed in the open; hence, the perpetrator is safe. These factors account to the ever increasing rise in Ransomware.

I hope I was able to convey the magnitude of problem we have to solve. And this can be done only if we are united as a community.